Windows Event Viewer Used for Malicious Code Execution
Security researchers Matt Graeber and Matt Nelson have managed to bypass Microsoft's User Account Control (UAC) and run malicious code in a high-integrity process by leveraging Windows's legitimate Event Viewer tool.
While previous UAC bypass methods involved dropping malicious files or tampering with local DLLs on the targeted machine, this new method involves replacing a registry key value and using it to run "powershell.exe". Because Event Viewer is auto-elevated and queries a couple of registry keys on startup, the described method would allow an attacker to execute arbitrary scripts and commands on the affected machine with elevated privileges.
By tampering with values in the HKCR and HKCU registry hives, an attacker could exploit the interaction between the two hives to launch an elevated PowerShell that executes arbitrary scripts.
“Since this relationship exists between these 2 hives, any elevated process that interacts with both HKCU and HKCR in succession are particularly interesting since you are able to tamper with values in HKCU,” reads the blog post from security researcher Matt Nelson. “As a normal user, you have write access to keys in HKCU; if an elevated process interacts with keys you are able to manipulate, you can potentially interfere with actions a high-integrity process is attempting to perform.”
Because no files or DLLs are dropped on the victim's machine, the attack could go unnoticed by security solutions or HIDS/HIPS software, the researchers claim.
The proof of concept, which tampers with the HKCU registry key to launch PowerShell, has been successfully tested on Windows 7 and Windows 10, with the researchers stressing that all Windows versions with UAC could be affected.
Because the attack requires the victim to be logged in with an administrative account, users can also protect themselves by setting UAC to "Always Notify," which prompts for confirmation whenever an application requests elevation.
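A defender-side audit script, added here as an example and not code from the article or from the researchers: it reports whether UAC is at the "Always Notify" level the article recommends, and lists per-user Software\Classes handlers that shadow machine-wide ones through the HKCR merge described in the quote above. It assumes a Windows host with PowerShell 5 or later; the UAC policy value names are the standard ones, and the function names and the "suspicious" heuristic are my own.

```powershell
# Added example, not the article's or the researchers' code.
# Part 1: report the UAC prompt level.
# Part 2: find HKCU\Software\Classes entries whose shell\open\command shadows a
#         machine-wide handler (HKCR is a merged view in which HKCU wins over HKLM).

function Get-UacPromptLevel {
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # "Always notify" corresponds to ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1
    [pscustomobject]@{
        EnableLUA                  = $sys.EnableLUA
        ConsentPromptBehaviorAdmin = $sys.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $sys.PromptOnSecureDesktop
        AlwaysNotify               = ($sys.EnableLUA -eq 1 -and
                                      $sys.ConsentPromptBehaviorAdmin -eq 2 -and
                                      $sys.PromptOnSecureDesktop -eq 1)
    }
}

function Get-UserClassOverrides {
    # A standard user can write under HKCU, so any per-user open command that
    # overrides a machine-wide handler deserves review, particularly for file
    # types that auto-elevated binaries open on startup.
    $userRoot = 'HKCU:\Software\Classes'
    if (-not (Test-Path $userRoot)) { return @() }
    Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $userCmdKey = Join-Path $_.PSPath 'shell\open\command'
        if (Test-Path $userCmdKey) {
            $userCmd    = (Get-ItemProperty -Path $userCmdKey).'(default)'
            $machineKey = "HKLM:\SOFTWARE\Classes\$($_.PSChildName)\shell\open\command"
            $machineCmd = if (Test-Path $machineKey) { (Get-ItemProperty -Path $machineKey).'(default)' } else { $null }
            [pscustomobject]@{
                ProgId         = $_.PSChildName
                UserCommand    = $userCmd
                MachineCommand = $machineCmd
                ShadowsMachine = [bool]$machineCmd
                # Heuristic (my own): a per-user handler that launches a shell or
                # script host is the pattern the article describes.
                LooksSuspicious = [bool]($userCmd -match 'powershell|cmd\.exe|wscript|cscript|mshta')
            }
        }
    }
}

Get-UacPromptLevel | Format-List
Get-UserClassOverrides | Sort-Object LooksSuspicious -Descending | Format-Table -AutoSize
```

Run it in the context of each interactive user, since HKCU is per-user; an entry with ShadowsMachine and LooksSuspicious both true should be compared against what the machine-wide handler does.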