Security researchers Matt Graeber and Matt Nelson have managed to bypass Microsoft's User Account Control (UAC) and run malicious code in a high-integrity process by leveraging Windows' legitimate Event Viewer tool.
While previous UAC bypass methods involved dropping malicious files or tampering with local DLLs on the targeted machine, this new method involves replacing a registry key value and using it to run "powershell.exe". Because Event Viewer is auto-elevated and queries a couple of registry keys on startup, the described method would allow an attacker to execute arbitrary scripts and commands on the affected machine.
By tampering with values in the HKCR and HKCU registry hives, an attacker could exploit the interaction between the two hives to run an elevated PowerShell and execute arbitrary scripts.
"Since this relationship exists between these 2 hives, any elevated process that interacts with both HKCU and HKCR in succession is particularly interesting since you are able to tamper with values in HKCU," reads the blog post from security researcher Matt Nelson. "As a normal user, you have write access to keys in HKCU; if an elevated process interacts with keys you are able to manipulate, you can potentially interfere with actions a high-integrity process is attempting to perform."
Because no files or DLLs are dropped on the victim's machine, the attack could go unnoticed by security solutions or HIDS/HIPS software, the researchers claim.
The proof of concept, which tampers with an HKCU registry key to launch PowerShell, has been successfully tested on Windows 7 and Windows 10, with the researchers stressing that all Microsoft Windows versions with UAC could be affected.
As the attack requires the victim to be logged in with an account that has administrative privileges, users can also protect themselves by configuring UAC to "Always Notify," which prompts for confirmation before any application is elevated.
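The article does not name the specific key the proof of concept modifies, so the following added example (written for this page, not code from the article or from the researchers) takes the defender's view of the two points above: it audits the user-writable HKCU\Software\Classes subtree, which Windows merges into the HKCR view on top of the machine-wide HKLM\Software\Classes, for any per-user shell\open\command handler that points at a script host, and it reports whether UAC is set to the "Always Notify" level the article recommends. The list of flagged executable names and the function names are assumptions chosen for illustration; the UAC policy value names are the standard ones under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

```powershell
# Added example, not part of the article or the researchers' proof of concept.
# Assumptions: runs as the interactive user on Windows; $Flag is an illustrative list of
# script hosts worth reviewing; function names are hypothetical.

function Get-SuspiciousUserClassHandlers {
    param(
        [string[]]$Flag = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
    )
    $root = 'HKCU:\Software\Classes'
    if (-not (Test-Path $root)) { return @() }
    $results = @()
    # Any <progid>\shell\<verb>\command key here shadows the HKCR entry for this user only,
    # which is exactly the HKCU/HKCR interaction an auto-elevated process can be tricked by.
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' -and $_.PSPath -match '\\shell\\[^\\]+\\command$' } |
        ForEach-Object {
            $value = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($value) {
                foreach ($name in $Flag) {
                    if ($value -match [regex]::Escape($name)) {
                        $results += [pscustomobject]@{
                            Key     = $_.Name
                            Command = $value
                            Matched = $name
                        }
                        break
                    }
                }
            }
        }
    return $results
}

function Test-UacAlwaysNotify {
    # "Always notify" corresponds to UAC enabled (EnableLUA = 1), administrators prompted for
    # consent on every elevation (ConsentPromptBehaviorAdmin = 2) on the secure desktop
    # (PromptOnSecureDesktop = 1).
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    return ($policy.EnableLUA -eq 1 -and
            $policy.ConsentPromptBehaviorAdmin -eq 2 -and
            $policy.PromptOnSecureDesktop -eq 1)
}

$hits = Get-SuspiciousUserClassHandlers
if ($hits.Count -eq 0) {
    Write-Output 'No per-user shell\open\command handlers reference a script host.'
} else {
    $hits | Format-Table -AutoSize
}
Write-Output ("UAC set to Always Notify: {0}" -f (Test-UacAlwaysNotify))
```

A clean workstation normally has few or no per-user shell\open\command overrides at all, so any hit is worth a manual look rather than an automatic verdict; legitimate per-user installers do create entries under HKCU\Software\Classes. For continuous monitoring, the same subtree can be watched with registry auditing or Sysmon registry events instead of a periodic scan, and the "Always Notify" check should be pushed through Group Policy rather than left to each user.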