Eventvwr.exe

UAC bypass (GUI)

Displays Windows Event Logs in a GUI window.


UAC bypass

  1. During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which it uses to open the eventvwr.msc saved console file. If the path of another binary or script is written to this registry value, that program is executed as a high-integrity process without a UAC prompt being displayed to the user.

       eventvwr.exe

     Use case: Execute a binary or script as a high-integrity process without a UAC prompt.
     Privileges required: User
     Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
     ATT&CK® technique: T1548.002
     Tags: Application: GUI (this LOLBAS causes a graphical user interface to be displayed)

  2. During startup, eventvwr.exe deserializes the file %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews using .NET deserialization. Such a file can be created using https://github.com/pwntester/ysoserial.net:

       ysoserial.exe -o raw -f BinaryFormatter -g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe

     Use case: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
     Privileges required: Administrator
     Operating systems: Windows 7, Windows 8, Windows 8.1, Windows 10
     ATT&CK® technique: T1548.002
     Tags: Application: GUI (this LOLBAS causes a graphical user interface to be displayed)
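As an added defensive check, not part of the LOLBAS entry, the following PowerShell audit reports whether either artefact described above is present for the current user. The function name, the output fields and the expansion of the 8.3 name EventV~1 to the "Event Viewer" folder are my own assumptions.

```powershell
function Get-EventvwrHijackIndicators {
    # Returns one object per artefact found. An empty result means neither
    # indicator from this page is present under the current user's profile.
    $findings = @()

    # Indicator 1: a per-user mscfile handler. eventvwr.exe consults this HKCU
    # path when resolving the handler for eventvwr.msc; on a clean system the
    # key does not exist and the machine-wide default (mmc.exe) is used, so
    # any value here deserves a look.
    $key = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    if (Test-Path -Path $key) {
        $cmd = (Get-Item -Path $key).GetValue('')   # '' = the (Default) value
        $findings += [pscustomobject]@{
            Indicator = 'HKCU mscfile handler present'
            Location  = $key
            Detail    = $cmd
        }
    }

    # Indicator 2: the RecentViews file that eventvwr.exe deserialises at
    # startup. A copy written by legitimate Event Viewer use is normal, so the
    # size, timestamp and hash are reported for triage (compare the write time
    # with eventvwr.exe process-creation events, or the hash with a known-good
    # copy) rather than treated as a verdict on their own.
    # Assumption: EventV~1 is the 8.3 name of the "Event Viewer" folder.
    $rv = Join-Path -Path $env:LOCALAPPDATA -ChildPath 'Microsoft\Event Viewer\RecentViews'
    if (Test-Path -Path $rv) {
        $item = Get-Item -Path $rv
        $hash = (Get-FileHash -Path $rv -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'RecentViews file present'
            Location  = $rv
            Detail    = '{0} bytes, modified {1}, SHA256 {2}' -f $item.Length, $item.LastWriteTime, $hash
        }
    }

    return $findings
}

# Run for the current user and print the findings, if any.
Get-EventvwrHijackIndicators | Format-List
```

Run it under each interactive user account of interest, since both artefacts live in the per-user hive and profile rather than machine-wide locations.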