Matt Nelson recently released a very useful, file-less UAC bypass using Event Viewer, which was quickly implemented into a Metasploit module by @TheColonial. Following this, we decided to release our own implementation in the form of a Cobalt Strike CNA script. The current default UAC bypass in Cobalt Strike requires DLL hijacking and drops a temporary DLL artefact to disk, as shown in the following:
Bypassuac-eventvwr was created as a way to easily utilise the EventVwr UAC bypass technique and maintain good opsec practices by not touching disk. This method does not require writing to disk and therefore should be AV friendly.
The CNA script currently performs the following:
Write registry path hijack
Execute eventvwr.exe
When eventvwr.exe executes, the hijack will be called
If SMB is used, linking is performed to the new beacon
Delete registry path hijack
Enjoy elevated beacon
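From the defender's side, the steps above leave two observable traces: a per-user registry shell\open\command value being written and then deleted, and eventvwr.exe spawning a child other than mmc.exe. The following is an added detection example, not code from the post or the CNA script, that correlates the two over constructed Sysmon-like events; the exact key the script hijacks is not stated on this page, so the sample path and the per-user Classes\...\shell\open\command pattern are assumptions.

```python
import re

# Constructed Sysmon-like records (not real telemetry): id 1 = process create,
# id 13 = registry value set, id 12 = registry key/value delete.
SAMPLE_EVENTS = [
    {"id": 13, "t": 100, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1234567890-1001\Software\Classes\exampletype\shell\open\command"},
    {"id": 1, "t": 101, "parent": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 12, "t": 103, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1234567890-1001\Software\Classes\exampletype\shell\open\command"},
    # Benign: Event Viewer normally hosts itself in mmc.exe.
    {"id": 1, "t": 200, "parent": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\Windows\System32\mmc.exe"},
]

# Assumed pattern: any per-user (HKCU or HKU\<user SID>) file-type handler hijack.
USER_HIVE_SHELL_CMD = re.compile(
    r"^HK(?:U\\S-1-5-21-[\d-]+|CU)\\Software\\Classes\\[^\\]+\\shell\\open\\command$",
    re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_user_shell_hijack(ev):
    """Write or delete of a per-user shell\\open\\command value (steps 1 and 5 above)."""
    return ev["id"] in (12, 13) and bool(USER_HIVE_SHELL_CMD.match(ev["target"]))


def is_eventvwr_anomalous_child(ev):
    """eventvwr.exe should only launch mmc.exe; any other child is suspicious (step 3)."""
    return (ev["id"] == 1 and basename(ev["parent"]) == "eventvwr.exe"
            and basename(ev["image"]) != "mmc.exe")


def correlate(events, window=60):
    """Alert on each anomalous eventvwr child; flag whether a hijack write preceded it
    within `window` seconds, which is the strongest signal for this technique."""
    writes = [e for e in events if e["id"] == 13 and is_user_shell_hijack(e)]
    alerts = []
    for ev in events:
        if is_eventvwr_anomalous_child(ev):
            prior = [w for w in writes if 0 <= ev["t"] - w["t"] <= window]
            alerts.append({"t": ev["t"], "child": basename(ev["image"]),
                           "hijack_write_seen": bool(prior)})
    return alerts
```

Because the script deletes the key again (step 5), a point-in-time registry audit will usually miss it; the process-lineage rule and the write/delete pair in the event stream are what remain.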
An example usage is shown below: