Windows Event Viewer Used for Malicious Code Execution

Liviu ARSENE

August 17, 2016

Security researchers Matt Graeber and Matt Nelson have managed to bypass Microsoft's User Access Control (UAC) and run malicious code in a high-integrity process by leveraging Windows' legitimate Event Viewer tool.

While previous UAC bypassing methods involved dropping malicious files or tampering with local DLLs on the targeted machine, this new method instead replaces a registry key value and uses it to launch "powershell.exe". Because Event Viewer is auto-elevated and queries a couple of registry keys when it starts, the described method would allow an attacker to execute arbitrary scripts and commands on the affected machine.

By tampering with values in the HKCR and HKCU registry hives, an attacker could exploit the interaction between the two hives to run an elevated PowerShell and execute arbitrary scripts.

"Since this relationship exists between these 2 hives, any elevated process that interacts with both HKCU and HKCR in succession is particularly interesting since you are able to tamper with values in HKCU," reads the blog post from security researcher Matt Nelson. "As a normal user, you have write access to keys in HKCU; if an elevated process interacts with keys you are able to manipulate, you can potentially interfere with actions a high-integrity process is attempting to perform."

Because no files or DLLs are dropped on the victim's machine, the attack could go unnoticed by security solutions or HIDS/HIPS software, the researchers claim.
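Since the technique leaves nothing on disk, a defender has to look at the registry rather than the file system. The following is an added example (not code from the article or from the researchers) that audits the per-user class registrations under HKCU\Software\Classes. HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, with the per-user branch taking precedence, so any `shell\open\command` value a standard user has written there is worth reviewing; the list of interpreter names used for flagging is an assumption chosen for this example.

```powershell
# Added example, not from the original article.
# Enumerate every ProgID a user has defined under HKCU\Software\Classes and
# report its shell\open\command value. Because HKCR merges this branch over
# HKLM\Software\Classes, an elevated process that resolves a file handler via
# HKCR can be redirected by a value a standard user is allowed to write.
# Reading these keys needs no elevation.

# Assumed list of script/command hosts that are unusual as file handlers.
$interpreterNames = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                    'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

function Get-UserClassCommand {
    [CmdletBinding()]
    param(
        # Per-user classes root; HKCU:\ maps to the interactive user's hive.
        [string]$UserClassesRoot = 'HKCU:\Software\Classes'
    )

    if (-not (Test-Path -Path $UserClassesRoot)) { return }

    Get-ChildItem -Path $UserClassesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $commandKey = Join-Path -Path $_.PSPath -ChildPath 'shell\open\command'
        if (-not (Test-Path -Path $commandKey)) { return }

        # The handler command line is stored in the key's default value.
        $command = (Get-ItemProperty -Path $commandKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $command) { return }

        $flagged = $false
        foreach ($name in $interpreterNames) {
            if ($command -match [regex]::Escape($name)) { $flagged = $true; break }
        }

        [pscustomobject]@{
            ProgId          = $_.PSChildName
            Command         = $command
            LaunchesHost    = $flagged
        }
    }
}

# Usage: flagged entries sort to the top. A per-user handler that launches a
# script host for a file type normally owned by a Windows component is the
# kind of override the technique above depends on, and deserves a closer look.
Get-UserClassCommand | Sort-Object -Property LaunchesHost -Descending | Format-Table -AutoSize
```

Run this in the context of each user you want to audit (or point `-UserClassesRoot` at a loaded HKU hive), since HKCU differs per user. A clean machine usually has few or no `shell\open\command` entries under HKCU\Software\Classes, so the output is short enough to review by hand or to ship to a SIEM.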

The proof of concept that tampers with the HKCU registry key to launch PowerShell has been successfully tested on Windows 7 and Windows 10, with the researchers stressing that all Microsoft Windows versions with UAC could be affected.

As the attack requires the victim to be logged in with administrative privileges, users can also protect themselves by configuring UAC to "Always Notify," which prompts for confirmation before any application is elevated.
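To check whether a machine is in the "Always Notify" position the article recommends, the following added example (not from the article) reads the UAC policy values under HKLM. The value names are the documented Windows policy entries: `ConsentPromptBehaviorAdmin` set to 2 together with `PromptOnSecureDesktop` set to 1 is the "Always Notify" slider position, and `EnableLUA` set to 0 means UAC is switched off entirely. The remediation function is an assumption about how an administrator would apply the setting locally; in a domain the same values are normally pushed by Group Policy.

```powershell
# Added example, not from the original article.
# Report the effective UAC prompt level from the local policy key and,
# optionally, set it to "Always Notify". Reading needs no elevation;
# writing requires an elevated session.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $UacPolicyKey

    $enableLua     = [int]$p.EnableLUA
    $adminBehavior = [int]$p.ConsentPromptBehaviorAdmin
    $secureDesktop = [int]$p.PromptOnSecureDesktop

    # Map the three values to the slider positions shown in the UAC dialog.
    $level = switch ($true) {
        { $enableLua -eq 0 }                                { 'UAC disabled'; break }
        { $adminBehavior -eq 2 -and $secureDesktop -eq 1 }  { 'Always notify'; break }
        { $adminBehavior -eq 5 -and $secureDesktop -eq 1 }  { 'Notify only when apps try to make changes (default)'; break }
        { $adminBehavior -eq 5 -and $secureDesktop -eq 0 }  { 'Notify only when apps try to make changes, no secure desktop'; break }
        { $adminBehavior -eq 0 }                            { 'Never notify (administrators elevate silently)'; break }
        default                                             { "Custom (ConsentPromptBehaviorAdmin=$adminBehavior)" }
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminBehavior
        PromptOnSecureDesktop      = $secureDesktop
        Level                      = $level
        # Only "Always notify" makes every elevation, including auto-elevated
        # Windows binaries such as Event Viewer, show a prompt.
        PromptsForAutoElevate      = ($enableLua -eq 1 -and $adminBehavior -eq 2)
    }
}

function Set-UacAlwaysNotify {
    # Assumed local remediation; must run from an elevated session.
    $isAdmin = ([Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()
    ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Set-UacAlwaysNotify requires an elevated session.' }

    Set-ItemProperty -Path $UacPolicyKey -Name 'EnableLUA'                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacPolicyKey -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
    Set-ItemProperty -Path $UacPolicyKey -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord
    # A change to EnableLUA only takes effect after a reboot; the prompt
    # behaviour values apply to new elevation requests immediately.
}

# Usage: inspect first, remediate only if the posture is weaker than intended.
$posture = Get-UacPosture
$posture | Format-List
if (-not $posture.PromptsForAutoElevate) {
    Write-Warning "UAC is at '$($posture.Level)'; auto-elevated binaries will not prompt. Run Set-UacAlwaysNotify from an elevated session to change this."
}
```

`PromptsForAutoElevate` is the property that matters for this article: at the default level, Windows binaries marked for auto-elevation (Event Viewer among them) elevate without a prompt, which is what the described technique relies on; at "Always Notify" the user sees a consent dialog for them as well.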
