Bypassing UAC

Attacking

How it works

Bypassing UAC is required if you got a shell as an user which has local administrator privileges but isn't running with high privileges. This is a low privileged shell. You want to run in a high privileged shell to migrate processes and dump the LSASS process or SAM. This can be achieved by a UAC bypass and spawning an high integrity shell.

For more information about UAC refer to the documentation from Microsoft: https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works

Tools

UACME

Building UACME

Download Visual Studio 2019 on a local W10 machine from here.
Clone the UACME project.

git clone https://github.com/hfiref0x/UACME

3. Open the UACME project by clicking on uacme.sln.

4. In the "Solution Explorer" right click on "Akagi" and click on "Properties". Make sure the "Platform Toolset" is set to V142 and click on "Apply" and "OK".

5. At the top select the "Release" version and "X64" bit.

6. In the "Solution Explorer" right click on "solution aucme" and click on "Build".

7. The "Output" pane should show that 5 builds are succeeded.

8. Go to C:\Tools\Evasion\UACME\Source\Akagi\output\x64\Release and copy Akagi64.exe to the desktop.

Executing the attack

1. The syntax for the executable is ./Akagi64.exe <METHOD> <EXECUTABLE>. If we run the following command we will abuse the fodhelper method:

.\Akagi64.exe 34 cmd.exe

2. And an elevatged prompt started.

Defending

Recommendations

Change the UAC level to always prompt for passwords.
Keep the Windows version up-to-date, although a lot of UAC bypasses will still work! They get patched from time to time.

Detection

References

How User Account Control worksMicrosoftLearn

Previousadd DNS Records (todo)NextTemplate page

Last updated 3 years ago

hashtagAttacking

hashtagHow it works

hashtagTools

hashtagBuilding UACME

hashtagExecuting the attack

hashtagDefending

hashtagRecommendations

hashtagDetection

hashtagReferences