2018-11-01 20:20:09 +01:00
---
Name : Eventvwr.exe
Description : Displays Windows Event Logs in a GUI window.
Author : 'Jacob Gajek'
2021-01-10 16:04:52 +01:00
Created : 2018-11-01
2018-11-01 20:20:09 +01:00
Commands :
- Command : eventvwr.exe
Description : During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
2021-01-10 16:04:52 +01:00
Usecase : Execute a binary or script as a high-integrity process without a UAC prompt.
2022-09-11 04:58:06 +02:00
Category : UAC Bypass
2018-11-01 20:20:09 +01:00
Privileges : User
2021-11-05 19:58:26 +01:00
MitreID : T1548.002
2018-11-01 20:20:09 +01:00
OperatingSystem : Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
2022-11-13 20:56:32 +01:00
- Command : ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
Description : During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
Usecase : Execute a command to bypass security restrictions that limit the use of command-line interpreters.
2023-02-25 19:47:44 +01:00
Category : UAC Bypass
2022-11-13 20:56:32 +01:00
Privileges : Administrator
2023-02-25 19:47:44 +01:00
MitreID : T1548.002
2022-11-13 20:56:32 +01:00
OperatingSystem : Windows 7, Windows 8, Windows 8.1, Windows 10
2018-12-12 12:50:27 +01:00
Full_Path :
2018-11-01 20:20:09 +01:00
- Path : C:\Windows\System32\eventvwr.exe
- Path : C:\Windows\SysWOW64\eventvwr.exe
2021-01-10 16:49:30 +01:00
Code_Sample :
2018-11-01 20:20:09 +01:00
- Code : https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
Detection :
2023-10-18 17:30:34 +02:00
- Sigma : https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml
- Sigma : https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
2022-12-29 15:51:15 +01:00
- Sigma : https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
2021-11-15 14:19:03 +01:00
- Elastic : https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
- Splunk : https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml
- IOC : eventvwr.exe launching child process other than mmc.exe
- IOC : Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command
2018-11-01 20:20:09 +01:00
Resources :
- Link : https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
2018-12-12 12:50:27 +01:00
- Link : https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
2022-11-13 20:56:32 +01:00
- Link : https://twitter.com/orange_8361/status/1518970259868626944
2018-11-01 20:20:09 +01:00
Acknowledgement :
- Person : Matt Nelson
Handle : '@enigma0x3'
- Person : Matt Graeber
Handle : '@mattifestation'
2022-11-13 20:56:32 +01:00
- Person : Orange Tsai
Handle : '@orange_8361'