Open kevross33 opened 7 years ago
Seen in wild 1144eeaebb15044fa64f4d9bb5670349 (with this doc you have to scroll down so it shows you this text to activate the malicious activity).
Technique discussed here https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Will update later to show eventvwr as IOC