# Registry Preparation of Event Viewer UAC Bypass
Identifies preparation for User Account Control (UAC) bypass via Event Viewer registry hijacking. Attackers bypass UAC to stealthily execute code with elevated permissions.
| Field | Value |
| --- | --- |
| id | f90dd84d-6aa1-4ffd-8f0e-933f51c20fbe |
| categories | detect |
| confidence | low |
| os | windows |
| created | 11/30/2018 |
| updated | 11/30/2018 |
## MITRE ATT&CK™ Mapping

| Field | Value |
| --- | --- |
| tactics | Privilege Escalation |
| techniques | T1088 Bypass User Account Control |
## Query

```eql
registry where
  registry_path == "*\\MSCFile\\shell\\open\\command\\" and
  // Ignore cases where the original value (the default mmc.exe handler) is restored
  registry_data != '*\\system32\\mmc.exe \"%1\"*'
  // SYSTEM and the service accounts will never need to bypass UAC
  and not user_sid in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
```
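To show what the query above actually matches, the following is an added example (not part of the eqllib analytic and not EQL itself): it re-implements the three conditions in Python using `fnmatch` for the `*` wildcards and lower-casing both sides, since EQL string comparisons are case-insensitive, and runs them over a handful of constructed registry events. The `event_type`, `process_name` fields and all SIDs, paths and values in `SAMPLE_EVENTS` are assumptions made for the example.

```python
import fnmatch
from typing import Dict, List

# SIDs the analytic excludes: SYSTEM (S-1-5-18), LocalService (S-1-5-19),
# NetworkService (S-1-5-20). These never need to bypass UAC.
EXCLUDED_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# The hijacked key: any hive\...\MSCFile\shell\open\command\ (trailing backslash
# means the key's default value is being written).
PATH_PATTERN = "*\\MSCFile\\shell\\open\\command\\"

# The legitimate handler for .msc files; a write that restores it is ignored.
BENIGN_DATA_PATTERN = '*\\system32\\mmc.exe "%1"*'


def _wildcard_match(value: str, pattern: str) -> bool:
    """Case-insensitive match where '*' matches any run of characters."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_uac_bypass_prep(event: Dict[str, str]) -> bool:
    """Return True if a single event satisfies the analytic's conditions."""
    if event.get("event_type") != "registry":          # "registry where ..."
        return False
    if not _wildcard_match(event.get("registry_path", ""), PATH_PATTERN):
        return False
    if _wildcard_match(event.get("registry_data", ""), BENIGN_DATA_PATTERN):
        return False                                   # original value restored
    if event.get("user_sid") in EXCLUDED_SIDS:
        return False                                   # SYSTEM / service accounts
    return True


def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the detection over a batch of events and return the hits."""
    return [e for e in events if is_uac_bypass_prep(e)]


# Constructed sample telemetry (assumed field names; SIDs and paths are made up).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 1. An interactive user points the MSCFile handler at a file in Temp: alert.
        "event_type": "registry",
        "registry_path": "HKEY_USERS\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes"
                         "\\mscfile\\shell\\open\\command\\",
        "registry_data": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
        "user_sid": "S-1-5-21-1111-2222-3333-1001",
        "process_name": "reg.exe",
    },
    {   # 2. Same key, but the default mmc.exe handler is being put back: ignored.
        "event_type": "registry",
        "registry_path": "HKEY_USERS\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes"
                         "\\mscfile\\shell\\open\\command\\",
        "registry_data": 'C:\\Windows\\system32\\mmc.exe "%1" %*',
        "user_sid": "S-1-5-21-1111-2222-3333-1001",
        "process_name": "reg.exe",
    },
    {   # 3. A write to the HKLM copy of the key made by SYSTEM: excluded by SID.
        "event_type": "registry",
        "registry_path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MSCFile\\shell\\open\\command\\",
        "registry_data": "C:\\Windows\\system32\\mmc.exe",
        "user_sid": "S-1-5-18",
        "process_name": "msiexec.exe",
    },
    {   # 4. Unrelated registry activity in the same hive: path does not match.
        "event_type": "registry",
        "registry_path": "HKEY_USERS\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes"
                         "\\txtfile\\shell\\open\\command\\",
        "registry_data": "C:\\Windows\\system32\\notepad.exe %1",
        "user_sid": "S-1-5-21-1111-2222-3333-1001",
        "process_name": "explorer.exe",
    },
    {   # 5. Not a registry event at all: filtered by the event type.
        "event_type": "process",
        "process_name": "eventvwr.exe",
        "user_sid": "S-1-5-21-1111-2222-3333-1001",
    },
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {hit['process_name']} ({hit['user_sid']}) wrote "
              f"{hit['registry_data']!r} to {hit['registry_path']}")
```

Only the first sample event fires. Because the analytic keys on the registry write rather than on `eventvwr.exe` launching, it catches the preparation step regardless of which process later consumes the hijacked handler; the `!=` clause keeps remediation (restoring the `mmc.exe "%1"` default) from generating a second alert, and the SID exclusion drops installer activity running as SYSTEM.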