Bypass UAC Using Event Viewer

Severity: high
Author: frack113
Source: upstream

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1547.010` Boot or Logon Autostart Execution: Port Monitors
Privilege Escalation	`T1547.010` Boot or Logon Autostart Execution: Port Monitors

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `selection`

TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)'

Stage 2: `not filter`

Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	starts_with	`%SystemRoot%\system32\mmc.exe "%1" %`
`TargetObject`	ends_with	`_Classes\mscfile\shell\open\command\(Default)`