UAC Bypass via Event Viewer
Detects User Account Control (UAC) bypass attempts that use eventvwr.exe to execute code with elevated permissions, by identifying child processes of eventvwr.exe other than mmc.exe and WerFault.exe; such children may indicate unauthorized privilege escalation.
User Account Control (UAC) is a security feature in Windows designed to prevent unauthorized changes to the operating system. Attackers often attempt to bypass UAC to execute code with elevated privileges without triggering a UAC prompt. This detection identifies a specific UAC bypass technique that leverages the eventvwr.exe (Event Viewer) process. eventvwr.exe is a Microsoft-signed binary that auto-elevates, so when a member of the local Administrators group launches it, it runs at high integrity with no prompt. The documented bypass (MITRE ATT&CK T1548.002) plants a command under the per-user handler for .msc files (HKCU\Software\Classes\mscfile\shell\open\command); eventvwr.exe consults that key when opening its console file and runs the attacker's command at high integrity instead of the expected mmc.exe. The detection therefore looks for a child process of eventvwr.exe that is neither the Microsoft Management Console (mmc.exe) nor Windows Error Reporting (WerFault.exe), which is the normal crash handler. Any other child is a strong sign that the elevated eventvwr.exe process is being used to execute arbitrary code with elevated permissions. The rule is designed to detect this bypass across various environments, including those monitored by Elastic Defend, Microsoft Defender XDR, SentinelOne, and Crowdstrike.
Attack Chain
- An attacker gains initial access to the system through a separate vector (e.g., phishing, exploit).
- The attacker executes eventvwr.exe, which has been manipulated to spawn a child process.
- The child process is an executable or script interpreter (e.g., cmd.exe, powershell.exe, mshta.exe).
- The attacker's code is executed within the context of the child process, which runs at the same high integrity level as eventvwr.exe.
- The attacker performs malicious actions, such as installing malware, modifying system settings, or accessing sensitive data.
- The attacker attempts to maintain persistence on the system using elevated privileges.
- The attacker achieves their objective, such as data exfiltration or system compromise.
Impact
A successful UAC bypass allows an attacker to execute code with elevated privileges without the user’s explicit consent. This can lead to complete system compromise, including the installation of malware, modification of system settings, data exfiltration, and other malicious activities. Since UAC is a critical security control in Windows, bypassing it significantly increases the attacker’s ability to perform unauthorized actions on the system.
Recommendation
- Deploy the Sigma rule “Detect UAC Bypass via Event Viewer” to your SIEM and tune for your environment.
- Enable Sysmon process creation logging (Event ID 1), or Windows Security auditing of process creation (Event ID 4688) with command-line logging turned on, so that parent/child relationships and command lines are captured for accurate detection.
- Investigate any alerts generated by this rule, focusing on the parent-child process relationship and the command-line arguments used.
- Review and restrict local administrator memberships to reduce the attack surface for UAC bypass techniques.
- Enforce the highest feasible UAC prompt level. At "Always notify" (ConsentPromptBehaviorAdmin = 2) auto-elevating binaries such as eventvwr.exe prompt like any other program, which removes the silent elevation this bypass depends on.
Detection coverage (2)
Detect UAC Bypass via Event Viewer
Severity: high. Detects processes spawned by eventvwr.exe, excluding mmc.exe and WerFault.exe, indicating a potential UAC bypass attempt.
Detect UAC Bypass via Event Viewer - PowerShell
Severity: high. Detects PowerShell processes spawned by eventvwr.exe, indicating a potential UAC bypass attempt.
Detection queries are available on the platform.
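The two rules above, expressed as Sigma-style selection/filter logic and run over a handful of constructed Sysmon Event ID 1 records, as an added example that is not the platform's own detection query. The field names (ParentImage, Image, CommandLine, IntegrityLevel) are real Sysmon fields; the event values are made up, and treating pwsh.exe as a PowerShell process is an assumption the page does not state.

```python
"""Added example, not the platform's rule: evaluate the two eventvwr.exe
detections (Sigma-style selection/filter logic) over constructed Sysmon
Event ID 1 records, to show which children alert and which are excluded."""

# Both rules as Sigma-style dicts. 'Field|endswith' is the Sigma suffix
# modifier; Sigma string matching is case-insensitive, which matters because
# Windows paths arrive in mixed case (C:\Windows\System32 vs C:\WINDOWS\system32).
RULES = {
    "Detect UAC Bypass via Event Viewer": {
        "selection": {"ParentImage|endswith": r"\eventvwr.exe"},
        "filter": {"Image|endswith": [r"\mmc.exe", r"\WerFault.exe"]},
        "condition": "selection and not filter",
    },
    # Assumption: pwsh.exe (PowerShell 7) counts as PowerShell too; the page
    # only says "PowerShell processes".
    "Detect UAC Bypass via Event Viewer - PowerShell": {
        "selection": {
            "ParentImage|endswith": r"\eventvwr.exe",
            "Image|endswith": [r"\powershell.exe", r"\pwsh.exe"],
        },
        "filter": {},
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon Event ID 1 records (field names are real, values are not).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\eventvwr.exe",          # normal launch
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"',
     "IntegrityLevel": "High"},
    {"ParentImage": r"C:\Windows\System32\eventvwr.exe",          # crash handler
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 612",
     "IntegrityLevel": "High"},
    {"ParentImage": r"C:\Windows\System32\eventvwr.exe",          # bypass: cmd
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\stage.bat"',
     "IntegrityLevel": "High"},
    {"ParentImage": r"C:\WINDOWS\SYSTEM32\EVENTVWR.EXE",          # bypass: PowerShell, odd case
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <redacted>",
     "IntegrityLevel": "High"},
    {"ParentImage": r"C:\Windows\explorer.exe",                   # unrelated PowerShell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",
     "IntegrityLevel": "Medium"},
    {"ParentImage": r"C:\Windows\System32\eventvwr.exe",          # bypass: mshta
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\Public\u.hta"',
     "IntegrityLevel": "High"},
]


def _field_matches(event, spec, wanted):
    """Apply one Sigma field test ('Field' or 'Field|modifier') to an event."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    values = [str(v).lower() for v in (wanted if isinstance(wanted, list) else [wanted])]
    if modifier == "endswith":
        return any(actual.endswith(v) for v in values)
    if modifier == "contains":
        return any(v in actual for v in values)
    if modifier == "":
        return actual in values
    raise ValueError(f"unsupported Sigma modifier: {modifier!r}")


def _block_matches(event, block):
    """Sigma semantics: fields inside one block are ANDed, list values are ORed.
    An empty block never matches, so 'not filter' holds when no filter is set."""
    return bool(block) and all(_field_matches(event, k, v) for k, v in block.items())


def evaluate(event, rule):
    """Evaluate a rule whose condition is 'selection and not filter' against one event."""
    if rule["condition"] != "selection and not filter":
        raise ValueError("this evaluator only supports 'selection and not filter'")
    return _block_matches(event, rule["selection"]) and not _block_matches(event, rule["filter"])


def triage(events, rules=RULES):
    """Return {rule name: [Image of each matching event]} for a batch of events."""
    return {name: [e["Image"] for e in events if evaluate(e, rule)] for name, rule in rules.items()}


if __name__ == "__main__":
    for name, rule in RULES.items():
        print(name)
        for e in SAMPLE_EVENTS:
            if evaluate(e, rule):
                # A High-integrity child of eventvwr.exe is the bypass succeeding;
                # the command line is what the analyst pivots on next.
                print(f"  ALERT [{e['IntegrityLevel']}] {e['Image']} :: {e['CommandLine']}")
```

Running it alerts on the cmd.exe, powershell.exe and mshta.exe children under the first rule and only on the powershell.exe child under the second; the mmc.exe and WerFault.exe children and the explorer.exe-spawned PowerShell stay quiet. When tuning the real rule, keep the exclusion list this short: every image added to the filter is a child an attacker can choose instead.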