Eventvwr.exe

Displays Windows Event Logs in a GUI window.


Paths:


Resources:
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1

Acknowledgement:
Matt Nelson - @enigma0x3
Matt Graeber - @mattifestation


Detection:
eventvwr.exe launching a child process other than mmc.exe
Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command



UAC bypass

During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
eventvwr.exe
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre: T1088
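The two detection rules listed above (an unexpected child of eventvwr.exe, and a write to the mscfile open-command value the UAC bypass entry describes) expressed as checkable logic over log records. This is an added example, not part of the LOLBAS page or of the Invoke-EventVwrBypass script; it runs over constructed, Sysmon-style records (Event ID 1 process creation, Event ID 12/13 registry key/value events). The field names, sample paths, user names and SID are assumptions. One caveat worth building in: Sysmon logs HKCU keys under HKU\<user SID>\..., and the default value of a key appears as ...\command\(Default), so the rule normalises the hive prefix and matches the key itself or any value beneath it.

```python
"""Detection logic for the eventvwr.exe mscfile handler hijack.

Added example; not the LOLBAS project's code. Operates on constructed
Sysmon-style dicts (assumed field names), not on live telemetry.
"""
import ntpath
import re

# The registry value named in the LOLBAS detection notes.
HIJACK_KEY = r"HKCU\Software\Classes\mscfile\shell\open\command"

# Sysmon writes current-user keys as HKU\<SID>\...; map that back to HKCU\.
SID_PREFIX = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)

# Constructed sample events (assumption: Sysmon ID 1 = process create,
# ID 12/13 = registry key/value events). Paths and SID are made up.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\eventvwr.exe",
     "parent_image": r"C:\Windows\explorer.exe", "user": r"LAB\alice"},
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "details": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe", "user": r"LAB\alice"},
    {"id": 1, "image": r"C:\Windows\System32\mmc.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe", "user": r"LAB\bob"},
]


def normalise_key(path):
    """Rewrite HKU\\<SID>\\... as HKCU\\... so it compares against HIJACK_KEY."""
    return SID_PREFIX.sub(r"HKCU\\", path)


def is_suspicious_child(event):
    """Rule 1: eventvwr.exe spawning anything other than mmc.exe."""
    if event.get("id") != 1:
        return False
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    child = ntpath.basename(event.get("image", "")).lower()
    return parent == "eventvwr.exe" and child != "mmc.exe"


def is_handler_hijack(event):
    """Rule 2: creation of, or any value write under, the mscfile open command key."""
    if event.get("id") not in (12, 13):
        return False
    key = normalise_key(event.get("target_object", "")).lower()
    wanted = HIJACK_KEY.lower()
    # Match the key itself (ID 12) or a value beneath it such as (Default) (ID 13).
    return key == wanted or key.startswith(wanted + "\\")


def triage(events):
    """Return (rule_name, event) pairs for every record that matches a rule."""
    hits = []
    for ev in events:
        if is_handler_hijack(ev):
            hits.append(("mscfile_handler_modified", ev))
        elif is_suspicious_child(ev):
            hits.append(("eventvwr_unexpected_child", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev.get("image"), ev.get("target_object") or ev.get("parent_image"))
```

In practice the registry rule fires first and is the higher-fidelity signal, since a legitimate user has little reason to create a per-user mscfile handler; the child-process rule catches the payload launch even when registry auditing is not enabled, but expect occasional noise from tools that genuinely spawn from the Event Viewer window.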