{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-event-viewer/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame","Windows Event Viewer"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","uac-bypass","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eUser Account Control (UAC) is a Windows feature that requires consent before a process running at medium integrity can obtain a full administrator token. Attackers bypass UAC to run code at high integrity without that consent prompt (MITRE ATT\u0026CK T1548.002, Bypass User Account Control). This detection covers a specific bypass that abuses \u003ccode\u003eeventvwr.exe\u003c/code\u003e (Event Viewer). \u003ccode\u003eeventvwr.exe\u003c/code\u003e is a Microsoft-signed binary that auto-elevates: when a member of the local Administrators group launches it with UAC at the default level, it starts at high integrity without a prompt. Its normal job is to open \u003ccode\u003eeventvwr.msc\u003c/code\u003e in the Microsoft Management Console (\u003ccode\u003emmc.exe\u003c/code\u003e), and it resolves the handler for \u003ccode\u003e.msc\u003c/code\u003e files through \u003ccode\u003eHKCU\\Software\\Classes\\mscfile\\shell\\open\\command\u003c/code\u003e, a per-user key that takes precedence over the machine-wide \u003ccode\u003eHKLM\\Software\\Classes\u003c/code\u003e entry. Because that key is writable without elevation, an attacker who plants a command there causes the elevated \u003ccode\u003eeventvwr.exe\u003c/code\u003e to launch that command instead of \u003ccode\u003emmc.exe\u003c/code\u003e. Microsoft hardened this lookup in later Windows 10 releases, so the original hijack does not work on current builds, but the parent-child pattern remains a useful detection on older systems and for any other abuse that produces an unexpected child. The detection therefore alerts on any child process of \u003ccode\u003eeventvwr.exe\u003c/code\u003e other than \u003ccode\u003emmc.exe\u003c/code\u003e or Windows Error Reporting (\u003ccode\u003eWerFault.exe\u003c/code\u003e); such a child is a strong indicator of an elevated, attacker-controlled process. 
The rule is designed to detect this specific bypass across environments monitored by Elastic Defend, Elastic Endgame, Microsoft Defender XDR, SentinelOne, and Crowdstrike; all of them record the parent of each new process, which is the field the rule keys on.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains code execution through a separate vector (e.g., phishing, an exploit) as a user who is a member of the local Administrators group. The session runs at medium integrity; a standard user has no elevated token to obtain, so the bypass does not apply to that account.\u003c/li\u003e\n\u003cli\u003eThe attacker writes the command to run into \u003ccode\u003eHKCU\\Software\\Classes\\mscfile\\shell\\open\\command\u003c/code\u003e. The key lives in the user hive, so no elevation is needed.\u003c/li\u003e\n\u003cli\u003eThe attacker launches \u003ccode\u003eeventvwr.exe\u003c/code\u003e, which auto-elevates to high integrity without a prompt.\u003c/li\u003e\n\u003cli\u003eThe elevated \u003ccode\u003eeventvwr.exe\u003c/code\u003e resolves the \u003ccode\u003e.msc\u003c/code\u003e handler through the per-user key and spawns the attacker\u0026rsquo;s command instead of \u003ccode\u003emmc.exe\u003c/code\u003e, typically an executable or script interpreter such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe child process inherits the high-integrity token of \u003ccode\u003eeventvwr.exe\u003c/code\u003e, so the attacker\u0026rsquo;s code now runs as a full administrator and no UAC prompt was ever shown.\u003c/li\u003e\n\u003cli\u003eFrom that elevated process the attacker installs malware, modifies system settings, accesses protected data, or establishes persistence, and typically deletes the registry key to hide the hijack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful UAC bypass lets an attacker who already controls an administrator\u0026rsquo;s medium-integrity session execute code with a full administrator token without the user\u0026rsquo;s explicit consent. This can lead to complete system compromise, including installation of malware, modification of system settings, data exfiltration, and other malicious activity. 
Note that Microsoft does not treat UAC as a security boundary, so bypasses of this kind are generally not serviced as vulnerabilities; the control exists to make silent elevation harder, and a bypass removes that friction and significantly increases the attacker\u0026rsquo;s ability to perform unauthorized actions on the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect UAC Bypass via Event Viewer\u0026rdquo; to your SIEM and tune it for your environment. The expected children of \u003ccode\u003eeventvwr.exe\u003c/code\u003e are limited to \u003ccode\u003emmc.exe\u003c/code\u003e and \u003ccode\u003eWerFault.exe\u003c/code\u003e, so the rule should produce few false positives; treat any other child as a finding rather than adding broad exclusions.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1), which records \u003ccode\u003eParentImage\u003c/code\u003e, \u003ccode\u003eCommandLine\u003c/code\u003e, and \u003ccode\u003eIntegrityLevel\u003c/code\u003e for each new process. If Sysmon is not available, Windows Security event 4688 with command-line auditing enabled also carries the creator process name and can feed the same logic.\u003c/li\u003e\n\u003cli\u003eLog registry writes under \u003ccode\u003eHKCU\\Software\\Classes\\mscfile\u003c/code\u003e (Sysmon Event IDs 12 and 13) to catch the handler hijack before \u003ccode\u003eeventvwr.exe\u003c/code\u003e is ever launched; legitimate software has little reason to create that key.\u003c/li\u003e\n\u003cli\u003eInvestigate any alert from this rule by examining the parent-child relationship, the child\u0026rsquo;s command line and integrity level (\u003ccode\u003eHigh\u003c/code\u003e indicates the bypass succeeded), and the contents of the user\u0026rsquo;s \u003ccode\u003emscfile\u003c/code\u003e handler key at the time of the event.\u003c/li\u003e\n\u003cli\u003eReview and restrict local Administrators membership. UAC bypasses only matter for accounts that hold an administrator token; users who work from standard accounts are not exposed to this technique.\u003c/li\u003e\n\u003cli\u003eSet UAC to \u0026ldquo;Always notify\u0026rdquo; where feasible. At that level auto-elevation is disabled, so \u003ccode\u003eeventvwr.exe\u003c/code\u003e prompts like any other elevation and the bypass no longer works silently.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T19:10:20Z","date_published":"2026-05-12T19:10:20Z","id":"https://feed.craftedsignal.io/briefs/2026-05-uac-bypass-eventvwr/","summary":"Detects User Account Control (UAC) bypass attempts using eventvwr.exe to execute code with elevated permissions by identifying child processes of eventvwr.exe, excluding mmc.exe and WerFault.exe, which may indicate unauthorized privilege escalation.","title":"UAC Bypass via Event Viewer","url":"https://feed.craftedsignal.io/briefs/2026-05-uac-bypass-eventvwr/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Event Viewer","version":"https://jsonfeed.org/version/1.1"}
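The detection logic the brief describes, as an added example that is not the feed's Sigma rule or any vendor's code. It implements the rule's stated condition (parent is eventvwr.exe, child is anything other than mmc.exe or WerFault.exe) over Sysmon Event ID 1 records and adds a companion check for the per-user mscfile handler write (Sysmon Event ID 13) that precedes the bypass. The field names (Image, ParentImage, CommandLine, IntegrityLevel, TargetObject, Details) are Sysmon's; the sample events, user name, SID and paths are constructed for the example.

```python
"""Detection logic for the eventvwr.exe UAC bypass, run over constructed
Sysmon records. Added example, not the feed's Sigma rule or any vendor's code:
it reimplements the rule's stated condition (parent is eventvwr.exe, child is
anything but mmc.exe or WerFault.exe) and adds a companion check for the
per-user .msc handler hijack that precedes the bypass. Field names follow
Sysmon's event schema; the sample events below are made up."""
from __future__ import annotations

import ntpath
from typing import Iterable

# Children eventvwr.exe spawns during normal operation; anything else is suspect.
EXPECTED_CHILDREN = {"mmc.exe", "werfault.exe"}

# Path fragment of the per-user .msc handler. Sysmon reports HKCU keys under
# HKU\<SID>\..., and the default value as a trailing "\(Default)".
MSCFILE_HANDLER = r"\software\classes\mscfile\shell\open\command"


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def detect_eventvwr_child(event: dict) -> dict | None:
    """Sysmon Event ID 1: eventvwr.exe spawned something other than mmc.exe/WerFault.exe."""
    if event.get("EventID") != 1:
        return None
    if _image_name(event.get("ParentImage", "")) != "eventvwr.exe":
        return None
    if _image_name(event.get("Image", "")) in EXPECTED_CHILDREN:
        return None
    return {
        "rule": "UAC Bypass via Event Viewer",
        "image": event.get("Image"),
        "command_line": event.get("CommandLine"),
        "integrity": event.get("IntegrityLevel"),
        "user": event.get("User"),
        "pid": event.get("ProcessId"),
    }


def detect_mscfile_hijack(event: dict) -> dict | None:
    """Sysmon Event ID 13: a value was written to the user-hive mscfile handler.

    Only the HKU (per-user) hive is flagged; the machine-wide HKLM copy of the
    key is the legitimate handler and already needs admin rights to change."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "").lower()
    if not target.startswith("hku\\") or MSCFILE_HANDLER not in target:
        return None
    return {
        "rule": "Per-user mscfile handler hijack (eventvwr.exe bypass precursor)",
        "target": event.get("TargetObject"),
        "details": event.get("Details"),
        "image": event.get("Image"),
        "user": event.get("User"),
    }


def run_detections(events: Iterable[dict]) -> list[dict]:
    """Apply both detectors to a stream of Sysmon events; return the alerts in order."""
    alerts: list[dict] = []
    for ev in events:
        for detector in (detect_mscfile_hijack, detect_eventvwr_child):
            hit = detector(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs): a benign Event Viewer launch, a
# WerFault crash handler, then the hijack write and the elevated child it yields.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s',
     "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "IntegrityLevel": "High", "User": r"CORP\alice", "ProcessId": 4120},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 4120 -s 1234",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "IntegrityLevel": "High", "User": r"CORP\alice", "ProcessId": 4133},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"C:\Windows\System32\cmd.exe /c whoami /groups",
     "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c whoami /groups",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "IntegrityLevel": "High", "User": r"CORP\alice", "ProcessId": 4160},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: the registry write to the user's mscfile handler, then the high-integrity cmd.exe spawned by eventvwr.exe; the mmc.exe and WerFault.exe children produce nothing. Matching on the file name rather than the full path keeps the rule robust to SysWOW64 or case differences, and restricting the registry check to the HKU hive avoids flagging the legitimate machine-wide handler.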