Industry News

Windows Event Viewer Used for Malicious Code Execution

Security researchers Matt Graeber and Matt Nelson have managed to bypass Microsoft’s User Access Control (UAC) and run malicious code in a high integrity process, by leveraging Windows’s legitimate Event Viewer tool.

While previous UAC bypassing methods involved dropping malicious files or tampering with local DLLs on the targeted machine, this new attack method involves replacing a registry key value and using it to run “powershell.exe”. Because Event Viewer is auto-elevated and queries a couple of registry keys, the described method would allow the attacker to execute any scripts and commands on the affected machine.

By tampering with values from HKCR and HKCU registry hives, an attacker could exploit the interaction between the two hives to run an elevated PowerShell to execute arbitrary scrips.

“Since this relationship exists between these 2 hives, any elevated process that interacts with both HKCU and HKCR in succession are particularly interesting since you are able to tamper with values in HKCU,” reads the blog post from security researcher Matt Nelson. “As a normal user, you have write access to keys in HKCU; if an elevated process interacts with keys you are able to manipulate, you can potentially interfere with actions a high-integrity process is attempting to perform.”

Because no files or DLLs are dropped on the victim’s machine, the attack could go unnoticed by security solutions or HIDS/HIPS software, claim researchers.

The proof of concept that tampers with the HKCU registry key to execute the PowerShell has been successfully tested on Windows 7 and Windows 10 operating systems, with experts stressing that all Microsoft Windows versions with UAC could be affected.

As the attack requires the victim to be logged in with administrative privileges, users can also protect themselves by configuring the UAC to “Always Notify,” prompting confirmation for the execution of any application.

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.

Add Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.