Bypass UAC Attempts using Metasploit
- exploit/windows/local/bypassuac (FAILED)
- exploit/windows/local/bypassuac_fodhelper (FAILED)
- exploit/windows/local/bypassuac_eventvwr (FAILED)
- exploit/windows/local/bypassuac_windows_store_reg (FAILED)
- exploit/windows/local/bypassuac_comhijack (FAILED)
- exploit/windows/local/bypassuac_injection (SUCCESSFUL)
References
UACMe
GitHub Link: https://github.com/hfiref0x/UACME
What is UACMe
UACMe is a compiled, C-based tool used to bypass Windows User Account Control and obtain local administrative privileges. It does this by abusing the built-in Windows AutoElevate backdoor.
System Requirements
- x86-32/x64 Windows 7/8/8.1/10
- An admin account with UAC on default settings is required.
*Note that the account needs to be a member of the Administrators group (e.g. a local admin account) for this to work. Tested with a standard user account: unable to bypass UAC.
Automate UACMe
Python script codes
Description
Automates the execution of all 68 keys in UACMe.
How the script works
- Spawn cmd.exe using subprocess.Popen.
- Pass a command to cmd, i.e. run Akagi.exe with each key from 1 to 68 to attempt the UAC bypass and spawn an admin cmd.exe.
- Run the command that was passed. The script prints a message once all 68 keys have been executed.
Problems that I encountered + how I fixed them:
- The script hangs after it executes key 42, meaning that keys 43 onwards do not get executed. To fix it, I set a timeout on cmd: if cmd hangs for 10 seconds, the process is terminated, a new cmd is spawned using subprocess.Popen, and it continues executing the keys until all of them have been executed.
- Execution of the commands is very fast and it can be hard to tell which key was able to spawn the admin cmd. Some keys also take longer than others to spawn the admin cmd. Hence, I added a buffer by setting a 5 second timer after each key has been executed.
Here is a snippet of the script output:
Note that all the commands are executed on the same cmd where you initially ran the script.
Results
Only 8 out of the available 68 keys worked. The following are the keys that were able to bypass UAC and spawn an admin cmd:
- Key 33
- Key 34
- Key 41
Same lineage sequence and graph structure as observed in key 34; the only difference is the CommandLine field.
- Key 43
Same lineage sequence and graph structure as observed in key 34; the only difference is the CommandLine field.
- Key 53
Same lineage sequence and graph structure as observed in key 34; the only difference is the CommandLine field.
- Key 59
- Key 61
- Key 62
References
Jym's Comments
This entry could be better if OpenEDR were used to analyze the sequence of the UAC bypass. In the interest of time, we are skipping this since the know-how to do it is already there. Key points related to Privilege Escalation:
- Like Code-Execution, there's local & remote
- Local PE requires some form of C2 (presuming low privilege), deliver into THE SAME endpoint through the C2 channel & then escalate to return a higher privilege session
- Remote PE differs slightly; for instance, the attacker may be clear that the current endpoint has little chance of escalating but, through network recon, found a better next target. Like the case that is going to be gone through: he finds a solo vulnerable Win7 amongst a Win10 crowd, and the foreign implant (that Kali within the 10.10.10.x segment) will then deliver to & C2 that Win7. That is an example of a NON-UAC type of PE.
Why bother to differentiate Local vs Remote PE?
- From a visualisation perspective, we can see the difference.
- Let's say an attacker got lucky by getting a local or even a Domain admin at first infiltration; then we are likely to expect a Remote Code-Execution that may escalate on the new target.
- All of this matters to what we want in monitoring ops: Early Warning Signals. That is, we can clearly see some process execution anomalies in the form of Sequence &/or CommandLine, followed by External C2, then Lateral Network Activities. This is why the investigation board is designed the way it is.
- A properly hardened AD environment may mitigate even local admin breaches. Meaning, even as local admin, one can still get stuck at the initial endpoint.
- But when you start to see remote PE, it means we already have Lateral Movement.
Timing of Consent.Exe
https://medium.com/@jym/uac-bypass-analysis-7a1379d21d36 Written long ago. Was using Carbon Black EDR.
TL;DR: Consent.exe should NOT be terminating very quickly, as in less-than-a-second quick.
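The timing rule in the TL;DR above, as an added example (not code from the original write-up, from UACMe or from the Medium post): it pairs consent.exe process start/stop events from a constructed event list in an assumed EDR-like shape and flags instances that ended in under a second. The field names, the sample events and the one-second threshold are all assumptions.

```python
"""Flag consent.exe instances that terminate too quickly to have shown a prompt."""
from datetime import datetime, timedelta

# Assumption: a consent.exe that lives less than this never waited on a user.
CONSENT_MIN_LIFETIME = timedelta(seconds=1)

# Constructed sample events (not real telemetry). pid 4100 is a normal prompt the
# user answered after ~4 s; pid 4200 is torn down after 300 ms; pid 4300 has no
# stop event yet; pid 5000 is an unrelated process and must be ignored.
SAMPLE_EVENTS = [
    {"ts": "2023-01-01T10:00:00.000", "event": "start", "pid": 4100,
     "image": "consent.exe", "parent": "svchost.exe"},
    {"ts": "2023-01-01T10:00:04.250", "event": "stop", "pid": 4100,
     "image": "consent.exe", "parent": "svchost.exe"},
    {"ts": "2023-01-01T10:00:07.000", "event": "start", "pid": 4200,
     "image": "consent.exe", "parent": "svchost.exe"},
    {"ts": "2023-01-01T10:00:07.300", "event": "stop", "pid": 4200,
     "image": "consent.exe", "parent": "svchost.exe"},
    {"ts": "2023-01-01T10:00:09.000", "event": "start", "pid": 4300,
     "image": "consent.exe", "parent": "svchost.exe"},
    {"ts": "2023-01-01T10:00:09.100", "event": "start", "pid": 5000,
     "image": "cmd.exe", "parent": "explorer.exe"},
]


def consent_lifetimes(events, image="consent.exe"):
    """Pair start/stop events per pid; return {pid: (parent_image, lifetime)}.

    Instances without a stop event are still running and are not reported.
    """
    open_starts = {}
    lifetimes = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() != image:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "start":
            open_starts[ev["pid"]] = (ts, ev["parent"])
        elif ev["event"] == "stop" and ev["pid"] in open_starts:
            started, parent = open_starts.pop(ev["pid"])
            lifetimes[ev["pid"]] = (parent, ts - started)
    return lifetimes


def short_lived_consent(events, threshold=CONSENT_MIN_LIFETIME):
    """Return sorted pids of consent.exe instances that ended before threshold."""
    return sorted(pid for pid, (_, life) in consent_lifetimes(events).items()
                  if life < threshold)


if __name__ == "__main__":
    print("suspicious consent.exe pids:", short_lived_consent(SAMPLE_EVENTS))
```

A hit from this check is a trigger to pull the process lineage and CommandLine around that pid, which is how the Results section above distinguishes the keys that share the same sequence.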