
Summary
This detection rule identifies UAC (User Account Control) bypass attempts that leverage the Event Viewer's RecentViews location. Attackers use this method to escalate privileges by executing code with elevated permissions. The detection analyzes process creation events whose command line references the Event Viewer 'RecentViews' path, which indicates potential misuse of this feature. The rule matches command lines that include such a path together with a redirection operator, indicating an attempt to write to that location and execute a process. Both conditions must be met before the activity is flagged as suspicious. This behavior is representative of common privilege escalation tactics, so it should be monitored closely.
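The matching logic described above, written out as an added example (this is not the rule's own code): a process-creation event matches only when its command line both references the Event Viewer RecentViews location and contains a redirection operator. The long path form comes from the description; the 8.3 short-name variant (`EventV~1`) and the sample events are assumptions constructed here.

```python
# Detection logic for the "UAC bypass via Event Viewer RecentViews" rule,
# applied to a few constructed process-creation events.

# Path fragments the rule keys on (compared case-insensitively).
RECENTVIEWS_MARKERS = (
    r"\event viewer\recentviews",   # long form named in the rule description
    r"\eventv~1\recentviews",       # assumed 8.3 short-name form of the same path
)


def is_recentviews_uac_bypass(command_line: str) -> bool:
    """Return True when a command line references the RecentViews location
    AND contains a redirection operator ('>' also covers '>>')."""
    lowered = command_line.lower()
    references_path = any(marker in lowered for marker in RECENTVIEWS_MARKERS)
    has_redirect = ">" in command_line
    return references_path and has_redirect


def scan_process_events(events):
    """Return the ids of process-creation events that match the rule."""
    return [e["id"] for e in events if is_recentviews_uac_bypass(e["CommandLine"])]


# Constructed sample events (not real telemetry); only 1 and 4 satisfy both conditions.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c echo sample > "C:\Users\alice\AppData\Local\Microsoft\Event Viewer\RecentViews"'},
    {"id": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir > C:\Temp\listing.txt"},                      # redirect, wrong path
    {"id": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c type "C:\Users\alice\AppData\Local\Microsoft\Event Viewer\RecentViews"'},  # path, no redirect
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo sample >> C:\Users\bob\AppData\Local\MICROS~1\EventV~1\RecentViews"},
    {"id": 5, "Image": r"C:\Windows\System32\eventvwr.exe",
     "CommandLine": r"eventvwr.exe"},                                               # benign launch
]

if __name__ == "__main__":
    for event_id in scan_process_events(SAMPLE_EVENTS):
        print(f"ALERT event {event_id}: UAC bypass via Event Viewer RecentViews")
```

Event 3 shows why the rule requires both conditions: merely reading the RecentViews path is not flagged, which keeps ordinary file inspection from producing alerts. When tuning this in your own environment, extend the marker list rather than dropping the redirection check, so the rule keeps its low false-positive rate.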
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-11-22