Registry Preparation of Event Viewer UAC Bypass

Identifies preparation for User Account Control (UAC) bypass via Event Viewer registry hijacking. Attackers bypass UAC to stealthily execute code with elevated permissions.

id:f90dd84d-6aa1-4ffd-8f0e-933f51c20fbe categories:detect confidence:low os:windows created:11/30/2018 updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Privilege Escalation techniques:T1088 Bypass User Account Control

Query

registry where
  registry_path == "*\\MSCFile\\shell\\open\\command\\" and

  // Ignore cases where the original avalue is restored
  registry_data != '*\\system32\\mmc.exe \"%1\"*'

  // SYSTEM will never need to bypass uac
  and not user_sid in ("S-1-5-18", "S-1-5-19", "S-1-5-20")

Detonation

Atomic Red Team: T1088

Contributors

• Endgame