eventvwr.exe

  • File Path: C:\Windows\system32\eventvwr.exe
  • Description: Event Viewer Snapin Launcher

Screenshot

eventvwr.exe

Hashes

Type Hash
MD5 43129C3BFC9746CE9FFE8E45D10FE050
SHA1 1AF3BB8D63A0ED48DF1F1706B791404DEE28524F
SHA256 BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70
SHA384 4F268286A2CB8D2D911AE4B15AF7C96D2A2695525CBE25B1146F0F1F84E6FAE9372CA7C7513F0B6B9C98E443B9CF86AF
SHA512 09113DBB676B7F169A19842B2EF87C1EE206AB7C0C0947A302D04F8C3832B88BA4D5AD13215D4C007FC3F21FAA78CF0F4294121C50EDA5CB57CC01D32A462D5C
SSDEEP 1536:vpq3DFB5IMfoJUhSU6nPlTggJ2oj71BgR/Vp8dY1k:x6V3lhzslTZJ9j7Heb8C1k
IMP 5843AE9886BB500E05E07EE59BB5AD42
PESHA1 6663EA2A20FA8FD9A70D60D2486635FED9E3196B
PE256 CBD31726B6AE4B8E545F7CD0111A49135DFC3FDAE61852B74465B9F5399A29A2

Runtime Data

Child Processes:

mmc.exe

Window Title:

Event Viewer

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\eventvwr.exe.mui File
(RW-) C:\Users\user File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\system32\eventvwr.exe
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\windows.storage.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: eventvwr.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/bc87e4f462f00b826ec09ac16b625d0f70439c48fc04a52a41b4cd9e78401f70/detection/

File Similarity (ssdeep match)

File Score
C:\windows\system32\eventvwr.exe 85
C:\Windows\system32\eventvwr.exe 83
C:\Windows\system32\eventvwr.exe 83
C:\WINDOWS\system32\eventvwr.exe 80
C:\WINDOWS\system32\eventvwr.exe 90
C:\Windows\system32\miguiresource.dll 52
C:\Windows\SysWOW64\eventvwr.exe 86
C:\WINDOWS\SysWOW64\eventvwr.exe 86
C:\windows\SysWOW64\eventvwr.exe 90
C:\Windows\SysWOW64\eventvwr.exe 86
C:\Windows\SysWOW64\eventvwr.exe 91
C:\WINDOWS\SysWOW64\eventvwr.exe 83
C:\Windows\SysWOW64\miguiresource.dll 52

Possible Misuse

The following table contains possible examples of eventvwr.exe being misused. While eventvwr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_sysmon_uac_bypass_eventvwr.yml - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ DRL 1.0
sigma proc_creation_win_sysmon_uac_bypass_eventvwr.yml ParentImage\|endswith: '\eventvwr.exe' DRL 1.0
sigma proc_creation_win_task_folder_evasion.yml description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr DRL 1.0
sigma proc_creation_win_uac_bypass_wmp.yml ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' DRL 1.0
sigma registry_event_bypass_uac_using_eventviewer.yml - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ DRL 1.0
sigma registry_event_uac_bypass_eventvwr.yml - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ DRL 1.0
LOLBAS Eventvwr.yml Name: Eventvwr.exe  
LOLBAS Eventvwr.yml - Command: eventvwr.exe  
LOLBAS Eventvwr.yml Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.  
LOLBAS Eventvwr.yml - Path: C:\Windows\System32\eventvwr.exe  
LOLBAS Eventvwr.yml - Path: C:\Windows\SysWOW64\eventvwr.exe  
LOLBAS Eventvwr.yml - IOC: eventvwr.exe launching child process other than mmc.exe  
LOLBAS Eventvwr.yml - Link: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/  
malware-ioc misp_invisimole.json "description": "Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass) (Citation: Fortinet Fareit)\n\nAnother bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity. (Citation: SANS UAC Bypass)", © ESET 2014-2018
malware-ioc misp_invisimole.json "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", © ESET 2014-2018
atomic-red-team T1548.002.md * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md cmd.exe /c eventvwr.msc MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Start-Process “C:\Windows\System32\eventvwr.msc” MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md Write-Host “executing eventvwr.msc” -ForegroundColor Cyan MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md START MMC.EXE EVENTVWR.MSC MIT License. © 2018 Red Canary
signature-base gen_cn_hacktools.yar $s12 = “eventvwr” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.