UAC Bypass – Event Viewer
Tags
| cmtmf-attack-pattern: | Process Injection |
| attack-pattern: | Mmc - T1218.014 Powershell - T1059.001 Process Injection - T1631 Software - T1592.002 Windows Service - T1543.003 Powershell - T1086 Process Injection - T1055 |
Common Information
| Type | Value |
|---|---|
| UUID | 72535e4c-6e08-431a-98f4-7682cb70f236 |
| Fingerprint | b63e8b87742625dd |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | May 2, 2017, 8:16 a.m. |
| Added to db | Jan. 18, 2023, 10:08 p.m. |
| Last updated | Nov. 17, 2024, 11:40 p.m. |
| Headline | UAC Bypass – Event Viewer |
| Title | UAC Bypass – Event Viewer |
| Detected Hints/Tags/Attributes | 22/2/13 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://pentestlab.blog/2017/05/02/uac-bypass-event-viewer/ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 4128 | github.com |
|
| Details | Domain | 63 | www.rapid7.com |
|
| Details | File | 34 | eventvwr.exe |
|
| Details | File | 54 | mmc.exe |
|
| Details | File | 2 | pentestlab3.exe |
|
| Details | File | 2 | invoke-eventvwrbypass.ps1 |
|
| Details | Github username | 5 | enigma0x3 |
|
| Details | Github username | 2 | mdsecresearch |
|
| Details | Url | 2 | https://github.com/enigma0x3/misc-powershell-stuff/blob/master/invoke-eventvwrbypass.ps1 |
|
| Details | Url | 1 | https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_eventvwr |
|
| Details | Url | 1 | https://github.com/mdsecresearch/publications/blob/master/tools/redteam/cna/eventvwr.cna |
|
| Details | Windows Registry Key | 16 | HKCU\Software\Classes\mscfile\shell\open\command |
|
| Details | Windows Registry Key | 3 | HKCR\mscfile\shell\open\command |