From 8fdae703072e4f166712e8b2230f73ba073f87be Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 27 Apr 2022 10:54:36 +0200
Subject: [PATCH] Create file_event_win_uac_bypass_eventvwr.yml

---
 .../file_event_win_uac_bypass_eventvwr.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_win_uac_bypass_eventvwr.yml

diff --git a/rules/windows/file_event/file_event_win_uac_bypass_eventvwr.yml b/rules/windows/file_event/file_event_win_uac_bypass_eventvwr.yml
new file mode 100644
index 000000000..5ae786a90
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_uac_bypass_eventvwr.yml
@@ -0,0 +1,24 @@
+title: UAC Bypass Using EventVwr
+id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
+description: Detects the pattern of a UAC bypass using Windows Event Viewer
+author: Antonio Cocomazzi (idea), Florian Roth (rule)
+date: 2022/04/27
+status: experimental
+references:
+ - https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
+ - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains: '\AppData\Local\Microsoft\Event Viewer\RecentViews'
+ filter:
+ Level: 4
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
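Review bot: The `filter` block keys on `Level: 4`, which is not a field the `file_event` logsource exposes, and since Sysmon file-create events (Event ID 11) are logged at Level 4 (Informational), `condition: selection and not filter` would most likely suppress every matching event on a Sysmon-backed pipeline while being a no-op on backends that never map `Level`. If the intent is to exclude the legitimate writer of `RecentViews`, the exclusion belongs on the creating process, e.g. `filter:` / `    Image|endswith: '\mmc.exe'` — confirm on a clean host which process writes this file before pinning the name, and test the rule once against a known-good sample so the exclusion is verified rather than assumed. The two tactic tags would also be better paired with the technique tag `attack.t1548.002` so the rule maps to the UAC-bypass sub-technique in ATT&CK navigator tooling.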