Bypassing UAC


Last updated 2 years ago

Attacking

How it works

Bypassing UAC is required when you have a shell as a user who is a member of the local Administrators group but whose process is not running with high privileges: the token is filtered and the shell runs at medium integrity, so it is a low privileged shell. To migrate into other processes or to dump the LSASS process or the SAM you need a high integrity shell. This can be achieved with a UAC bypass that spawns a high integrity shell.

For more information about UAC refer to the documentation from Microsoft (see References):

Tools

Building UACME

  1. Download Visual Studio 2019 on a local Windows 10 machine.

  2. Clone the UACME project.

git clone https://github.com/hfiref0x/UACME

  3. Open the UACME project by double-clicking uacme.sln.

  4. In the "Solution Explorer" right-click on "Akagi" and click on "Properties". Make sure the "Platform Toolset" is set to v142 and click on "Apply" and "OK".

  5. At the top select the "Release" configuration and the "x64" platform.

  6. In the "Solution Explorer" right-click on "Solution 'UACME'" and click on "Build".

  7. The "Output" pane should show that 5 builds succeeded.

  8. Go to C:\Tools\Evasion\UACME\Source\Akagi\output\x64\Release and copy Akagi64.exe to the desktop.

Executing the attack

  1. The syntax for the executable is .\Akagi64.exe <METHOD> <EXECUTABLE>. The following command abuses the fodhelper method:

.\Akagi64.exe 34 cmd.exe

  2. An elevated command prompt is started.

Defending

Recommendations

  • Change the UAC level to always prompt for credentials, so that no elevation happens silently.

  • Keep the Windows version up to date. Bypasses get patched from time to time, but a lot of UAC bypasses keep working on a fully patched system, so patching alone is not enough.
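An added example (not from the original page) that audits the registry values behind this recommendation and can enforce the "always prompt for credentials" level; the function names are my own, and the value meanings are the documented UAC policy settings.

```powershell
# Added example, not part of the original page: audit the UAC policy values behind the
# recommendation above and optionally enforce "always prompt for credentials".
# Assumes Windows 10/11; changing values requires an elevated PowerShell.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$AdminBehavior = @{   # documented meanings of ConsentPromptBehaviorAdmin
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows default)'
}

function Get-UacValue([string]$Name, [int]$Default) {
    # A missing value means the built-in default applies.
    $v = Get-ItemPropertyValue -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $v) { $Default } else { [int]$v }
}

function Test-UacPolicy {
    $lua    = Get-UacValue 'EnableLUA' 1
    $admin  = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
    $secure = Get-UacValue 'PromptOnSecureDesktop' 1
    $findings = @()
    if ($lua -ne 1) { $findings += 'EnableLUA=0: UAC is off, local admins always run high integrity.' }
    if ($admin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently.'
    } elseif ($admin -notin 1, 2) {
        # Only 1 and 2 prompt for every elevation; with the default (5) signed Windows
        # binaries such as fodhelper.exe auto-elevate, which the bypass above relies on.
        $findings += "ConsentPromptBehaviorAdmin=$admin ($($AdminBehavior[$admin])): auto-elevation possible."
    }
    if ($secure -ne 1) { $findings += 'PromptOnSecureDesktop=0: prompt is not shown on the secure desktop.' }
    [pscustomobject]@{
        EnableLUA = $lua; ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop = $secure; Findings = $findings
    }
}

function Set-UacAlwaysPromptForCredentials {
    [CmdletBinding(SupportsShouldProcess)] param()
    # ConsentPromptBehaviorAdmin=1 on the secure desktop; a changed EnableLUA needs a reboot.
    if ($PSCmdlet.ShouldProcess($UacKey, 'Set EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop to 1')) {
        foreach ($n in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
            Set-ItemProperty -Path $UacKey -Name $n -Value 1 -Type DWord
        }
    }
}
```

Run `Test-UacPolicy | Format-List` to see the current values and findings, and `Set-UacAlwaysPromptForCredentials -WhatIf` to preview the change before applying it.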

Detection

References

https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works