9. Privilege Escalation


Yang Jun

Bypass UAC Attempts using Metasploit

  • exploit/windows/local/bypassuac module (FAILED)
  • exploit/windows/local/bypassuac_fodhelper (FAILED)
  • exploit/windows/local/bypassuac_eventvwr (FAILED)
  • exploit/windows/local/bypassuac_windows_store_reg (FAILED)
  • exploit/windows/local/bypassuac_comhijack (FAILED)
  • exploit/windows/local/bypassuac_injection (SUCCESSFUL)



What is UACMe

UACMe is a compiled, C-based tool used to bypass Windows User Account Control and obtain local administrative privileges. It does this by abusing the built-in Windows AutoElevate backdoor.

System Requirements

  • x86-32/x64 Windows 7/8/8.1/10
  • Admin account with UAC set on default settings required.
*Note that the account needs to be part of the Administrators group (e.g. a Local Admin account) for this to work. Tested using a standard user account and was unable to bypass UAC.

Automate UACMe

Python script code

Automate the execution of all 68 keys in UACMe

How the script works

  1. Spawn cmd.exe using subprocess Popen.
  2. Pass the command to cmd, i.e. run Akagi.exe from key 1 to key 68 to bypass UAC and spawn an admin cmd.exe.
  3. Run the command that was passed. The script will print a message once all 68 keys have been executed.
Problems that I encountered + how I fixed them:
  • The script hangs after it executes key 42, meaning that key 43 onwards does not get executed. To fix it, I set a timeout on cmd: if cmd hangs for 10 seconds, the process is terminated. A new cmd is then spawned using subprocess Popen and it continues executing the keys until all keys have been executed.
  • Execution of the commands is very fast and it can be hard to tell which key was able to spawn the admin cmd. Some keys also take longer than others to spawn the admin cmd. Hence, I added a buffer by setting a 5 second timer after each key has been executed.
Here is a snippet of the script output:
[screenshot: script output]
Note that all the commands are executed in the same cmd where you initially ran the script.


Only 8 out of the 68 available keys worked. The following are the keys that were able to bypass UAC and spawn an admin cmd:
  • Key 41
    • [screenshot] Same lineage sequence and graph structure as what was observed in key 34. The only difference is the CommandLine field.
  • Key 43
    • [screenshot] Same lineage sequence and graph structure as what was observed in key 34. The only difference is the CommandLine field.
  • Key 53
    • [screenshot] Same lineage sequence and graph structure as what was observed in key 34. The only difference is the CommandLine field.


Jym's Comments

This entry could be better if OpenEDR were used to analyze the sequence of the UAC bypass. In the interest of time, we are skipping this since Yang Jun already has the know-how to do it. Key points related to Privilege Escalation:
  • Like code execution, there's local & remote.
  • Local PE requires some form of C2 (presuming low privilege): deliver into THE SAME endpoint through the C2 channel & then escalate to return a higher-privilege session.
  • Remote PE differs slightly; for instance, the attacker may be clear that the current endpoint has little chance of escalating but, through network recon, has found a better next target. Like the case that Yang Jun is going to go through: he finds a solo vulnerable Win7 amongst a Win10 crowd, and the foreign implant (that Kali within the 10.10.10.x segment) will then deliver & C2 that Win7. That is an example of a NON-UAC type of PE.

Why bother to differentiate Local vs Remote PE?

  • From a visualisation perspective, we can see the difference.
  • Let's say an attacker got lucky by getting a local or even a Domain admin at first infiltration; then we are likely to expect a Remote Code-Execution that may escalate on the new target.
  • All this matters for what we want in monitoring ops: Early Warning Signals. That we can see clearly some process execution anomalies in the form of Sequence &/or CommandLine, followed by External C2, then Lateral Network Activities. This is the reason why the investigation board is designed the way it is.
  • A properly hardened AD environment may mitigate even local admin breaches. Meaning, even as local admin, one can still get stuck at the initial endpoint.
  • But when you start to see remote PE, it means we already have Lateral Movement.

Timing of Consent.Exe

https://medium.com/@jym/uac-bypass-analysis-7a1379d21d36 Written long ago. Was using Carbon Black EDR.
TL;DR: consent.exe should NOT be terminating very quickly, as in less-than-a-second quick.
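The timing signal above (a consent.exe that terminates in under a second) can be turned into a simple detection over process create/terminate telemetry. The following is an added example written for this page, not code from Yang Jun, Jym or any of the tools mentioned. It assumes Sysmon-style events (EventID 1 for process create, EventID 5 for process terminate, matched on ProcessGuid) and uses a constructed sample event list; the one-second threshold comes from Jym's comment, and the parent image and command line are carried along so an alert can be read against the lineage/CommandLine view described in the key write-ups above.

```python
from datetime import datetime
from typing import Dict, List, Optional

# Sysmon writes UtcTime as "YYYY-MM-DD HH:MM:SS.mmm".
SYSMON_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
CONSENT_SUFFIX = "\\consent.exe"

# Constructed sample events (not real telemetry), modelled on Sysmon field names.
# EventID 1 = process create, EventID 5 = process terminate.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Suspect: consent.exe lives for 250 ms, no time for a human to answer a prompt.
    {"EventID": 1, "UtcTime": "2021-03-01 10:00:00.100", "ProcessGuid": "{A1}",
     "Image": "C:\\Windows\\System32\\consent.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "consent.exe 1234 567 000001F0"},
    {"EventID": 5, "UtcTime": "2021-03-01 10:00:00.350", "ProcessGuid": "{A1}",
     "Image": "C:\\Windows\\System32\\consent.exe"},
    # Benign: the user takes about four seconds to click the UAC prompt.
    {"EventID": 1, "UtcTime": "2021-03-01 10:05:00.000", "ProcessGuid": "{B2}",
     "Image": "C:\\Windows\\System32\\consent.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "consent.exe 4321 765 000002A0"},
    {"EventID": 5, "UtcTime": "2021-03-01 10:05:04.200", "ProcessGuid": "{B2}",
     "Image": "C:\\Windows\\System32\\consent.exe"},
    # Noise: an unrelated short-lived process that must be ignored.
    {"EventID": 1, "UtcTime": "2021-03-01 10:06:00.000", "ProcessGuid": "{C3}",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 5, "UtcTime": "2021-03-01 10:06:00.100", "ProcessGuid": "{C3}",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    # Edge case: a consent.exe prompt that is still open (no terminate event yet).
    {"EventID": 1, "UtcTime": "2021-03-01 10:07:00.000", "ProcessGuid": "{D4}",
     "Image": "C:\\Windows\\System32\\consent.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "consent.exe 5555 111 00000310"},
]


def parse_utc(ts: str) -> datetime:
    """Parse a Sysmon UtcTime string into a datetime."""
    return datetime.strptime(ts, SYSMON_TIME_FORMAT)


def is_consent(image: object) -> bool:
    """True when the Image field names consent.exe (case-insensitive)."""
    return str(image).lower().endswith(CONSENT_SUFFIX)


def consent_lifetimes(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Pair create/terminate events for consent.exe by ProcessGuid.

    Returns one record per consent.exe start. lifetime_s is None when no
    terminate event has been seen, i.e. the prompt is still open; that case
    must not be confused with a fast termination.
    """
    starts: Dict[object, Dict[str, object]] = {}
    ends: Dict[object, datetime] = {}
    for ev in events:
        if not is_consent(ev.get("Image")):
            continue
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            starts[guid] = ev
        elif ev["EventID"] == 5:
            ends[guid] = parse_utc(str(ev["UtcTime"]))
    records: List[Dict[str, object]] = []
    for guid, start in starts.items():
        started = parse_utc(str(start["UtcTime"]))
        lifetime: Optional[float] = None
        if guid in ends:
            lifetime = (ends[guid] - started).total_seconds()
        records.append({
            "ProcessGuid": guid,
            "ParentImage": start.get("ParentImage"),
            "CommandLine": start.get("CommandLine"),
            "lifetime_s": lifetime,
        })
    return records


def flag_fast_consent(events: List[Dict[str, object]],
                      max_seconds: float = 1.0) -> List[Dict[str, object]]:
    """Return consent.exe instances that terminated in under max_seconds."""
    return [r for r in consent_lifetimes(events)
            if r["lifetime_s"] is not None and r["lifetime_s"] < max_seconds]


if __name__ == "__main__":
    for hit in flag_fast_consent(SAMPLE_EVENTS):
        print(f"ALERT consent.exe {hit['ProcessGuid']} lived {hit['lifetime_s']:.3f}s "
              f"(parent {hit['ParentImage']}, cmd {hit['CommandLine']})")
```

Matching on ProcessGuid rather than PID avoids false pairings when PIDs are recycled between the create and terminate events. On the constructed sample only the 250 ms instance is flagged; the four-second prompt and the still-open prompt are reported by consent_lifetimes but not alerted on.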