Registry Preparation of Event Viewer UAC Bypass

Identifies preparation for User Account Control (UAC) bypass via Event Viewer registry hijacking. Attackers bypass UAC to stealthily execute code with elevated permissions.

id:f90dd84d-6aa1-4ffd-8f0e-933f51c20fbe
categories:detect
confidence:low
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Privilege Escalation
techniques:T1088 Bypass User Account Control

Query

registry where
  key_path == "*\\MSCFile\\shell\\open\\command\\" and

  // Ignore cases where the original avalue is restored
  bytes_written_string != '*\\system32\\mmc.exe \"%1\"*'

  // SYSTEM will never need to bypass uac
  and not user_sid in ("S-1-5-18", "S-1-5-19", "S-1-5-20")

Contributors