Merge pull request #22 from eSentire/master

Eventvwr.exe UAC bypass
This commit is contained in:
Oddvar Moe 2018-12-12 12:45:35 +01:00 committed by GitHub
commit d827dfba1f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -0,0 +1,30 @@
---
Name: Eventvwr.exe
Description: Displays Windows Event Logs in a GUI window.
Author: 'Jacob Gajek'
Created: '2018-11-01'
Commands:
- Command: eventvwr.exe
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC bypass
Privileges: User
MitreID: T1088
MitreLink: https://attack.mitre.org/wiki/Technique/T1088
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- Path: C:\Windows\System32\eventvwr.exe
- Path: C:\Windows\SysWOW64\eventvwr.exe
Code Sample:
- Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
Detection:
- IOC: eventvwr.exe launching child process other than mmc.exe
- IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command
Resources:
- Link: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Acknowledgement:
- Person: Matt Nelson
Handle: '@enigma0x3'
- Person: Matt Graeber
Handle: '@mattifestation'
---