The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

« Base64 Encoding/Decoding Activity Clearing Windows Event Logs »

› › ›

Bypass UAC via Event Viewer

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Bypass UAC via Event Viewer

edit

Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.

Rule type: query

Rule indices:

winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

Elastic
Windows

Version: 1

Added (Elastic Stack release): 7.7.0

Rule query

edit

process.parent.name:eventvwr.exe and event.action:"Process Create
(rule: ProcessCreate)" and not
process.executable:("C:\Windows\SysWOW64\mmc.exe" or
"C:\Windows\System32\mmc.exe")

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Bypass User Account Control
- ID: T1088
- Reference URL: https://attack.mitre.org/techniques/T1088/

« Base64 Encoding/Decoding Activity Clearing Windows Event Logs »