UACME – Defeating Windows User Account Control

Defeating Windows User Account Control by abusing the built-in Windows AutoElevate backdoor.

System Requirements

- x86-32/x64 Windows 7/8/8.1/10 (client; some methods, however, work on server versions too).
- Admin account with UAC set to default settings required.

Usage

Run the executable from the command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for more info.

The first parameter is the number of the method to use; the second is an optional command (executable file name including full path) to run. The second parameter can be empty, in which case the program will execute an elevated cmd.exe from the system32 folder.

Keys (the number of each entry is the value passed as the first parameter; watch the debug output with dbgview or a similar tool for more info):

1. Author: Leo Davidson; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): cryptbase.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600); Fixed in: Windows 8.1 (9600); How: sysprep.exe hardened LoadFrom manifest elements

2. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): ShCore.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 8.1 (9600); Fixed in: Windows 10 TP (> 9600); How: Side effect of ShCore.dll moving to \KnownDlls

3. Author: Leo Davidson derivative by WinNT/Pitou; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\oobe\setupsqm.exe; Component(s): WdsCore.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH2 (10558); How: Side effect of OOBE redesign

4. Author: Jon Ericson, WinNT/Gootkit, mzH; Type: AppCompat; Method: RedirectEXE Shim
   Target(s): \system32\cliconfg.exe; Component(s): -; Implementation: ucmShimRedirectEXE
   Works from: Windows 7 (7600); Fixed in: Windows 10 TP (> 9600); How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for the rest of the Windows versions

5. Author: WinNT/Simda; Type: Elevated COM interface; Method: ISecurityEditor
   Target(s): HKLM registry keys; Component(s): -; Implementation: ucmSimdaTurnOffUac
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH1 (10147); How: ISecurityEditor interface method changed

6. Author: Win32/Carberp; Type: Dll Hijack; Method: WUSA
   Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe; Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll; Implementation: ucmWusaMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH1 (10147); How: WUSA /extract option removed

7. Author: Win32/Carberp derivative; Type: Dll Hijack; Method: WUSA
   Target(s): \system32\cliconfg.exe; Component(s): ntwdblib.dll; Implementation: ucmWusaMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH1 (10147); How: WUSA /extract option removed

8. Author: Leo Davidson derivative by Win32/Tilon; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): Actionqueue.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600); Fixed in: Windows 8.1 (9600); How: sysprep.exe hardened LoadFrom manifest

9. Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative; Type: Dll Hijack; Method: IFileOperation, ISecurityEditor, WUSA
   Target(s): IFEO registry keys, \system32\cliconfg.exe; Component(s): Attacker defined Application Verifier Dll; Implementation: ucmAvrfMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH1 (10147); How: WUSA /extract option removed, ISecurityEditor interface method changed

10. Author: WinNT/Pitou, Win32/Carberp derivative; Type: Dll Hijack; Method: IFileOperation, WUSA
   Target(s): \system32\{New}or{Existing}\{autoelevated}.exe, e.g. winsat.exe; Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll; Implementation: ucmWinSATMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH2 (10548); How: AppInfo elevated application path control hardening

11. Author: Jon Ericson, WinNT/Gootkit, mzH; Type: AppCompat; Method: Shim Memory Patch
   Target(s): \system32\iscsicli.exe; Component(s): Attacker prepared shellcode; Implementation: ucmShimPatch
   Works from: Windows 7 (7600); Fixed in: Windows 8.1 (9600); How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for the rest of the Windows versions

12. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): dbgcore.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 10 TH1 (10240); Fixed in: Windows 10 TH2 (10565); How: sysprep.exe manifest updated

13. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\mmc.exe EventVwr.msc; Component(s): elsext.dll; Implementation: ucmMMCMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14316); How: Missing dependency removed

14. Author: Leo Davidson, WinNT/Sirefef derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system\credwiz.exe, \system32\wbem\oobe.exe; Component(s): netutils.dll; Implementation: ucmSirefefMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH2 (10548); How: AppInfo elevated application path control hardening

15. Author: Leo Davidson, Win32/Addrop, Metasploit derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\cliconfg.exe; Component(s): ntwdblib.dll; Implementation: ucmGenericAutoelevation
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14316); How: Cliconfg.exe autoelevation removed

16. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe; Component(s): SLC.dll; Implementation: ucmGWX
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14316); How: AppInfo elevated application path control and inetmgr executable hardening

17. Author: Leo Davidson derivative; Type: Dll Hijack (Import forwarding); Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): unbcl.dll; Implementation: ucmStandardAutoElevation2
   Works from: Windows 8.1 (9600); Fixed in: Windows 10 RS1 (14371); How: sysprep.exe manifest updated

18. Author: Leo Davidson derivative; Type: Dll Hijack (Manifest); Method: IFileOperation
   Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest); Component(s): Attacker defined; Implementation: ucmAutoElevateManifest
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14371); How: Manifest parsing logic reviewed

19. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\inetsrv\inetmgr.exe; Component(s): MsCoree.dll; Implementation: ucmInetMgrMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14376); How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images

20. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\mmc.exe, Rsop.msc; Component(s): WbemComn.dll; Implementation: ucmMMCMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS3 (16232); How: Target requires wbemcomn.dll to be signed by MS

21. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation, SxS DotLocal
   Target(s): \system32\sysprep\sysprep.exe; Component(s): comctl32.dll; Implementation: ucmSXSMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS3 (16232); How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images

22. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation, SxS DotLocal
   Target(s): \system32\consent.exe; Component(s): comctl32.dll; Implementation: ucmSXSMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

23. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\pkgmgr.exe; Component(s): DismCore.dll; Implementation: ucmDismMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

24. Author: BreakingMalware; Type: Shell API; Method: Environment variables expansion
   Target(s): \system32\CompMgmtLauncher.exe; Component(s): Attacker defined; Implementation: ucmCometMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS2 (15031); How: CompMgmtLauncher.exe autoelevation removed

25. Author: Enigma0x3; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe; Component(s): Attacker defined; Implementation: ucmHijackShellCommandMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS2 (15031); How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed

26. Author: Enigma0x3; Type: Race Condition; Method: File overwrite
   Target(s): %temp%\GUID\dismhost.exe; Component(s): LogProvider.dll; Implementation: ucmDiskCleanupRaceCondition
   Works from: Windows 10 TH1 (10240), AlwaysNotify compatible; Fixed in: Windows 10 RS2 (15031); How: File security permissions altered

27. Author: ExpLife; Type: Elevated COM interface; Method: IARPUninstallStringLauncher
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmUninstallLauncherMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS3 (16199); How: UninstallStringLauncher interface removed from COMAutoApprovalList

28. Author: Exploit/Sandworm; Type: Whitelisted component; Method: InfDefaultInstall
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmSandwormMethod
   Works from: Windows 7 (7600); Fixed in: Windows 8.1 (9600); How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)

29. Author: Enigma0x3; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\sdclt.exe; Component(s): Attacker defined; Implementation: ucmAppPathMethod
   Works from: Windows 10 TH1 (10240); Fixed in: Windows 10 RS3 (16215); How: Shell API update

30. Author: Leo Davidson derivative, lhc645; Type: Dll Hijack; Method: WOW64 logger
   Target(s): \syswow64\{any elevated exe, e.g wusa.exe}; Component(s): wow64log.dll; Implementation: ucmWow64LoggerMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

31. Author: Enigma0x3; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\sdclt.exe; Component(s): Attacker defined; Implementation: ucmSdcltIsolatedCommandMethod
   Works from: Windows 10 TH1 (10240); Fixed in: Windows 10 RS4 (17025); How: Shell API / Windows components update

32. Author: xi-tauw; Type: Dll Hijack; Method: UIPI bypass with uiAccess application
   Target(s): \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exe; Component(s): duser.dll, osksupport.dll; Implementation: ucmUiAccessMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

33. Author: winscripting.blog; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\fodhelper.exe, \system32\computerdefaults.exe; Component(s): Attacker defined; Implementation: ucmMsSettingsDelegateExecuteMethod
   Works from: Windows 10 TH1 (10240); Fixed in: unfixed; How: -

34. Author: James Forshaw; Type: Shell API; Method: Environment variables expansion
   Target(s): \system32\svchost.exe via \system32\schtasks.exe; Component(s): Attacker defined; Implementation: ucmDiskCleanupEnvironmentVariable
   Works from: Windows 8.1 (9600), AlwaysNotify compatible; Fixed in: unfixed; How: -

35. Author: CIA & James Forshaw; Type: Impersonation; Method: Token Manipulations
   Target(s): Autoelevated applications; Component(s): Attacker defined; Implementation: ucmTokenModification
   Works from: Windows 7 (7600), AlwaysNotify compatible (see note); Fixed in: Windows 10 RS5 (17686); How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check added

36. Author: Thomas Vanhoutte aka SandboxEscaper; Type: Race condition; Method: NTFS reparse point & Dll Hijack
   Target(s): wusa.exe; Component(s): dcomcnfg.exe, mmc.exe, ole32.dll, MsCoree.dll; Implementation: ucmJunctionMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

37. Author: Ernesto Fernandez, Thomas Vanhoutte; Type: Dll Hijack; Method: SxS DotLocal, NTFS reparse point
   Target(s): \system32\dccw.exe; Component(s): GdiPlus.dll; Implementation: ucmSXSDccwMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

38. Author: Clement Rouault; Type: Whitelisted component; Method: APPINFO command line spoofing
   Target(s): \system32\mmc.exe; Component(s): Attacker defined; Implementation: ucmHakrilMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

39. Author: Stefan Kanthak; Type: Dll Hijack; Method: .NET Code Profiler
   Target(s): \system32\mmc.exe; Component(s): Attacker defined; Implementation: ucmCorProfilerMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

40. Author: Ruben Boonen; Type: COM Handler Hijack; Method: Registry key manipulation
   Target(s): \system32\mmc.exe, \System32\recdisc.exe; Component(s): Attacker defined; Implementation: ucmCOMHandlersMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 19H1 (18362); How: Side effect of Windows changes

41. Author: Oddvar Moe; Type: Elevated COM interface; Method: ICMLuaUtil
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmCMLuaUtilShellExecMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

42. Author: BreakingMalware and Enigma0x3; Type: Elevated COM interface; Method: IFwCplLua
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmFwCplLuaMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS4 (17134); How: Shell API update

43. Author: Oddvar Moe derivative; Type: Elevated COM interface; Method: IColorDataProxy, ICMLuaUtil
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmDccwCOMMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

44. Author: bytecode77; Type: Shell API; Method: Environment variables expansion
   Target(s): Multiple auto-elevated processes; Component(s): Various per target; Implementation: ucmVolatileEnvMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS3 (16299); How: Current user system directory variables ignored during process creation

45. Author: bytecode77; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\slui.exe; Component(s): Attacker defined; Implementation: ucmSluiHijackMethod
   Works from: Windows 8.1 (9600); Fixed in: unfixed; How: -

46. Author: Anonymous; Type: Race Condition; Method: Registry key manipulation
   Target(s): \system32\BitlockerWizardElev.exe; Component(s): Attacker defined; Implementation: ucmBitlockerRCMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS4 (>16299); How: Shell API update

47. Author: clavoillotte & 3gstudent; Type: COM Handler Hijack; Method: Registry key manipulation
   Target(s): \system32\mmc.exe; Component(s): Attacker defined; Implementation: ucmCOMHandlersMethod2
   Works from: Windows 7 (7600); Fixed in: Windows 10 19H1 (18362); How: Side effect of Windows changes

48. Author: deroko; Type: Elevated COM interface; Method: ISPPLUAObject
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmSPPLUAObjectMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS5 (17763); How: ISPPLUAObject interface method changed

49. Author: RinN; Type: Elevated COM interface; Method: ICreateNewLink
   Target(s): \system32\TpmInit.exe; Component(s): WbemComn.dll; Implementation: ucmCreateNewLinkMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14393); How: Side effect of consent.exe COMAutoApprovalList introduction

50. Author: Anonymous; Type: Elevated COM interface; Method: IDateTimeStateWrite, ISPPLUAObject
   Target(s): w32time service; Component(s): w32time.dll; Implementation: ucmDateTimeStateWriterMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS5 (17763); How: Side effect of ISPPLUAObject interface change

51. Author: bytecode77 derivative; Type: Elevated COM interface; Method: IAccessibilityCplAdmin
   Target(s): \system32\rstrui.exe; Component(s): Attacker defined; Implementation: ucmAcCplAdminMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS4 (17134); How: Shell API update

52. Author: David Wells; Type: Whitelisted component; Method: AipNormalizePath parsing abuse
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmDirectoryMockMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

53. Author: Emeric Nasi; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\sdclt.exe; Component(s): Attacker defined; Implementation: ucmShellDelegateExecuteCommandMethod
   Works from: Windows 10 (14393); Fixed in: unfixed; How: -

54. Author: egre55; Type: Dll Hijack; Method: Dll path search abuse
   Target(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe; Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll; Implementation: ucmEgre55Method
   Works from: Windows 10 (14393); Fixed in: unfixed; How: -

55. Author: James Forshaw; Type: GUI Hack; Method: UIPI bypass with token modification
   Target(s): \system32\osk.exe, \system32\msconfig.exe; Component(s): Attacker defined; Implementation: ucmTokenModUIAccessMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

56. Author: Hashim Jawad; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\WSReset.exe; Component(s): Attacker defined; Implementation: ucmShellDelegateExecuteCommandMethod
   Works from: Windows 10 (17134); Fixed in: unfixed; How: -

57. Author: Leo Davidson derivative by Win32/Gapz; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): unattend.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600); Fixed in: Windows 8.1 (9600); How: sysprep.exe hardened LoadFrom manifest elements

Note:

- Method (6) is unavailable in a wow64 environment starting from Windows 8;
- Methods (11) and (54) are implemented only in the x86-32 version;
- Methods (13), (19), (30), (38) and (50) are implemented only in the x64 version;
- Method (14) requires process injection; wow64 is unsupported, use the x64 version of this tool;
- Method (26) is still working, however its main advantage was UAC bypass on the AlwaysNotify level. Since 15031 it is gone;
- Method (30) requires x64 because it abuses a WOW64 subsystem feature;
- Method (35) is AlwaysNotify compatible, as there will always be running autoelevated apps or the user will have to launch them anyway;
- Method (38) requires an internet connection as it executes a remote script located at github.com/hfiref0x/Beacon/blob/master/uac/exec.html;
- Method (55) is not really reliable (as any GUI hack) and is included just for fun.

Run examples:

akagi32.exe 1
akagi64.exe 3
akagi32 1 c:\windows\system32\calc.exe
akagi64 3 c:\windows\system32\charmap.exe

Warning

- This tool shows ONLY popular UAC bypass methods used by malware, and reimplements some of them in a different way, improving on the original concepts. Different methods not yet known to the general public exist; be aware of this;
- Using method (5) will permanently turn off UAC (after reboot); make sure to do this in a test environment, or don't forget to re-enable UAC after using the tool;
- Using methods (5) and (9) will permanently compromise the security of the target keys (the UAC Settings key for (5) and IFEO for (9)); if you do tests on your real machine, restore the keys' security manually after you finish using this tool;
- This tool is not intended for AV tests and is not tested to work in an aggressive AV environment; if you still plan to use it with installed bloatware AV software, you use it at your own risk;
- Some AV may flag this tool as HackTool; MSE/WinDefender constantly marks it as malware, nope;
- If you run this program on a real computer, remember to remove all program leftovers after usage; for more info about the files it drops into system folders see the source code;
- Most methods were created for x64, with no x86-32 support in mind. I don't see any sense in supporting 32-bit versions of Windows or wow64; however, with small tweaks most of them will run under wow64 as well.

If you are wondering why this still exists and works, here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as a bonus): https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105

Windows 10 support and testing policy

- EOL'ed versions of Windows 10 are not supported and therefore not tested (at the moment of writing the EOL'ed Windows 10 versions are TH1 (10240) and TH2 (10586));
- Insider builds are not supported, as methods may be fixed there.

Protection

Account without administrative privileges.

Malware usage

It is currently known that UACMe is used by Adware/Multiplug (9), by Win32/Dyre (3), by Win32/Empercrypt (10 & 13), and by the IcedID downloader (35 & 41). We do not take any responsibility for the use of this tool for malicious purposes. It is free, open-source and provided AS-IS for everyone.

Other usage

- Currently used as a "signature" by the "THOR APT" scanner (handmade pattern matching fraudware from Germany). We do not take any responsibility for this tool's usage in the fraudware;
- The scamware project called "uacguard" has references to UACMe from their platform. We do not take any responsibility for this tool's usage in the scamware. The repository https://github.com/hfiref0x/UACME and its contents are the only genuine source for UACMe code. We have nothing to do with external links to this project, mentions anywhere, or modifications (forks);
- In July 2016 the so-called "security company" Cymmetria released a report about a script-kiddie malware bundle called "Patchwork" and false-flagged it as an APT. They stated it was using the "UACME method", which in fact is just a slightly and unprofessionally modified injector dll from UACMe v1.9, and was using the Carberp/Pitou hybrid method in a malware self-implemented way. We do not take any responsibility for UACMe usage in the dubious advertising campaigns of third-party "security companies".

Build

- UACMe comes with full source code, written in C with some parts written in C#;
- In order to build from source you need Microsoft Visual Studio 2013/2015 U2 or later versions.

Instructions

- Select the Platform Toolset first for the project in the solution you want to build (Project->Properties->General):
  - v120 for Visual Studio 2013;
  - v140 for Visual Studio 2015;
  - v141 for Visual Studio 2017.
- For v140 and above set the Target Platform Version (Project->Properties->General):
  - If v140 then select 8.1 (note that the Windows 8.1 SDK must be installed);
  - If v141 then select 10.0.17134.0 (note that the Windows 10.0.17134 SDK must be installed).

Note that the Fujinami module is built with .NET Framework 3.0 (this is a requirement for it to work), so .NET Framework 3.0 must be installed if you want to build this module. Can be built with SDK 8.1/10.17134/10.17763.

References

- Windows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
- Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
- Junfeng Zhang from WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/
- Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog
- KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
- Command Injection/Elevation - Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
- "Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking, https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- Bypassing UAC on Windows 10 using Disk Cleanup, https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
- Using IARPUninstallStringLauncher COM interface to bypass UAC, http://www.freebuf.com/articles/system/116611.html
- Bypassing UAC using App Paths, https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
- "Fileless" UAC Bypass using sdclt.exe, https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
- UAC Bypass or story about three escalations, https://habrahabr.ru/company/pm/blog/328008/
- Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
- First entry: Welcome and fileless UAC bypass, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
- Reading Your Way Around UAC in 3 parts:
  https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html
  https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html
  https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
- Research on CMSTP.exe, https://msitpros.com/?p=3960
- UAC bypass via elevated .NET applications, https://offsec.provadys.com/UAC-bypass-dotnet.html
- UAC Bypass by Mocking Trusted Directories, https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
- Yet another sdclt UAC bypass, http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
- UAC Bypass via SystemPropertiesAdvanced.exe and DLL Hijacking, https://egre55.github.io/system-properties-uac-bypass/
- Accessing Access Tokens for UIAccess, https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.html
- Fileless UAC Bypass in Windows Store Binary, https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.html

Authors

(c) 2014 – 2019 UACMe Project

Download UACME
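The System Requirements section above says the tool needs an admin account with UAC on default settings, the Protection section answers with a non-administrative account, and every catalogue entry carries a "Works from"/"Fixed in" build number. The following is an added Python example, not UACMe's own code, that turns those two facts into a defender's posture check: it classifies the host's UAC policy and reports which catalogued methods are still unfixed for a given build. Assumptions: the three policy values are the documented EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; a "(> 9600)" fix is read conservatively as "fixed from 9601 on"; CATALOGUE is a hand-copied subset of the list above, not a complete one.

```python
"""Added example, not UACMe's own code: audit a host's UAC policy (the posture the
System Requirements and Protection sections talk about) and list which catalogued
methods still apply to a given Windows build, using the "Works from"/"Fixed in"
build numbers from the method list above."""
import re
import sys

# A subset of the catalogue above, copied as (method number, implementation,
# works-from text, fixed-in text). Extend it with further rows from the list.
CATALOGUE = [
    (1, "ucmStandardAutoElevation", "Windows 7 (7600)", "Windows 8.1 (9600)"),
    (2, "ucmStandardAutoElevation", "Windows 8.1 (9600)", "Windows 10 TP (> 9600)"),
    (22, "ucmSXSMethod", "Windows 7 (7600)", "unfixed"),
    (33, "ucmMsSettingsDelegateExecuteMethod", "Windows 10 TH1 (10240)", "unfixed"),
    (35, "ucmTokenModification", "Windows 7 (7600)", "Windows 10 RS5 (17686)"),
    (46, "ucmBitlockerRCMethod", "Windows 7 (7600)", "Windows 10 RS4 (>16299)"),
]

_BUILD_RE = re.compile(r"\(\s*>?\s*(\d+)\s*\)")  # matches "(14316)" or "(> 9600)"


def parse_build(text):
    """Build number inside 'Windows 10 RS1 (14316)'-style text; None for 'unfixed'."""
    m = _BUILD_RE.search(text)
    return int(m.group(1)) if m else None


def first_fixed_build(fixed_in):
    """First build assumed to carry the fix, or None when the catalogue says unfixed.
    Assumption: '(> 9600)' only says the fix came after 9600, so the conservative
    threshold is 9601 (build 9600 itself is treated as still affected)."""
    m = _BUILD_RE.search(fixed_in)
    if not m:
        return None
    build = int(m.group(1))
    return build + 1 if ">" in m.group(0) else build


def applicable_methods(build, catalogue=CATALOGUE):
    """Method numbers whose works-from build is <= build and whose fix (if any) is later."""
    hits = []
    for number, _impl, works_from, fixed_in in catalogue:
        if build < parse_build(works_from):
            continue
        fixed = first_fixed_build(fixed_in)
        if fixed is None or build < fixed:
            hits.append(number)
    return hits


def assess_uac(enable_lua, consent_admin, secure_desktop):
    """Classify the UAC slider from the three policy values (documented Windows
    semantics: EnableLUA 0 disables UAC; ConsentPromptBehaviorAdmin 0 = elevate
    silently, 2 = prompt for consent on the secure desktop, 5 = default)."""
    if enable_lua == 0:
        return "disabled"        # the state the Warning says method (5) leaves after reboot
    if consent_admin == 2 and secure_desktop == 1:
        return "always-notify"   # only methods marked 'AlwaysNotify compatible' remain relevant
    if consent_admin == 0:
        return "never-prompt"    # every elevation is silent; no bypass is needed at all
    return "default"             # the setting the System Requirements section assumes


def read_uac_policy():
    """Read the live values on Windows; winreg is Windows-only, hence the lazy import."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System")
    names = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")
    return {n: winreg.QueryValueEx(key, n)[0] for n in names}


if __name__ == "__main__":
    if sys.platform == "win32":
        policy, build = read_uac_policy(), sys.getwindowsversion().build
    else:  # constructed sample values so the script also runs on other platforms
        policy, build = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
                         "PromptOnSecureDesktop": 1}, 17763
    level = assess_uac(policy["EnableLUA"], policy["ConsentPromptBehaviorAdmin"],
                       policy["PromptOnSecureDesktop"])
    print(f"build {build}: UAC level {level}; catalogued methods still unfixed "
          f"for this build: {applicable_methods(build)}")
```

On a Windows host the script reads the live policy and build; anywhere else it falls back to the constructed sample so the logic can be exercised. A result of "default" combined with a non-empty method list is exactly the situation the Protection section tells you to avoid by working from a non-administrative account.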

Link: http://feedproxy.google.com/~r/PentestTools/~3/SVc2u0HEg4k/uacme-defeating-windows-user-account.html

Passpie – Multiplatform Command-Line Password Manager

Passpie is a command line tool to manage passwords from the terminal with a colorful and configurable interface. Use a master passphrase to decrypt login credentials, copy passwords to the clipboard, synchronize with a git repository, check the state of your passwords, and more.

Password files are encrypted using GnuPG and saved into yaml text files. Passpie supports Linux, OSX and Windows.

What does it look like?

Here is an example of simple Passpie usage:

passpie init
passpie add foo@example.com --random
passpie add bar@example.com --pattern "[0-9]{5}[a-z]{5}"
passpie update foo@example --comment "Hello"
passpie
passpie copy foo@example.com

Outputs:

=========== ======= ========== =========
Name        Login   Password   Comment
=========== ======= ========== =========
example.com bar     ********
example.com foo     ********   Hello
=========== ======= ========== =========
Password copied to clipboard

Check the example remote passpie database: https://github.com/marcwebbie/passpiedb.

Install

pip install passpie

Or if you are on a mac, install via Homebrew:

brew install passpie

Dependencies

Passpie depends on GnuPG for encryption.

Commands

Usage: passpie [OPTIONS] COMMAND [ARGS]...

Options:
  -D, --database TEXT  Database path or url to remote repository
  --autopull TEXT      Autopull changes from remote pository
  --autopush TEXT      Autopush changes to remote pository
  --config PATH        Path to configuration file
  -v, --verbose        Activate verbose output
  --version            Show the version and exit.
  --help               Show this message and exit.

Commands:
  add       Add new credential to database
  complete  Generate completion scripts for shells
  config    Show current configuration for shell
  copy      Copy credential password to clipboard/stdout
  export    Export credentials in plain text
  import    Import credentials from path
  init      Initialize new passpie database
  list      Print credential as a table
  log       Shows passpie database changes history
  purge     Remove all credentials from database
  remove    Remove credential
  reset     Renew passpie database and re-encrypt...
  search    Search credentials by regular expressions
  status    Diagnose database for improvements
  update    Update credential

Learn more

Gitter: https://gitter.im/marcwebbie/passpie
Documentation: http://passpie.readthedocs.org
FAQ: http://passpie.readthedocs.org/en/latest/faq.html

Download Passpie

Link: http://feedproxy.google.com/~r/PentestTools/~3/2SEdl8ow5w8/passpie-multiplatform-command-line.html

FFM (Freedom Fighting Mode) – Open Source Hacking Harness

FFM is a hacking harness that you can use during the post-exploitation phase of a red-teaming engagement. The idea of the tool was derived from a 2007 conference from @thegrugq.It was presented at SSTIC 2018 and the accompanying slide deck is available at this url. If you’re not familiar with this class of tools, it is strongly advised to have a look at them to understand what a hacking harness’ purpose is. All the comments are included in the slides.UsageThe goal of a hacking harness is to act as a helper that automates common tasks during the post-exploitation phase, but also safeguards the user against mistakes they may make.It is an instrumentation of the shell. Run ./ffm.py to activate it and you can start working immediately. There are two commands you need to know about:Type !list to display the commands provided by the harness.Type SHIFT+TAB to perform tab completion on the local machine. This may be useful if you’re ssh’d into a remote computer but need to reference a file that’s located on your box.List of featuresThis hacking harness provides a few features that are described below. As they are described, the design philosophy behind the tool will also be introduced. It is not expected that all the commands implemented in FFM will suit you. Everyone has their own way of doing things, and tuning the harness to your specific need is likely to require you to modify some of the code and/or write a few plugins. A lot of effort went into making sure this is a painless task.Commands!os is an extremely simple command that just runs cat /etc/*release* to show what OS the current machine is running. It is probably most valuable as a demonstration that in the context of a hacking harness, you can define aliases that work across machine boundaries. SSH into any computer, type !os and the command will be run. 
This plugin is located in commands/replacement_commands.py and is a good place to start when you want to learn about writing plugins.

!download [remote file] [local path] gets a file from the remote machine and copies it locally through the terminal. This command is a little more complex because more stringent error checking is required, but it's another plugin you can easily read to get started. You can find it in commands/download_file.py. Note that it requires xxd or od on the remote machine to function properly.

!upload [local file] [remote path] works exactly the same as the previous command, except that a local file is put on the remote machine.

!pty spawns a TTY, which is something you don't want in most cases because it tends to leave forensic evidence. However, some commands (sudo) or exploits require a TTY to run in, so this is provided as a convenience. UNSET HISTFILE is passed to it as soon as it spawns.

!py [local script] executes a local Python script on the remote machine, and does so entirely in memory. Check out my other repository for scripts you might want to use. This command uses a multiline syntax with <<, which means that pseudo-shells that don't support it (Weevely is a good example) will break this command quite badly.

Plugins can be further configured by editing ffm.conf.

Processors

Conceptually, commands (as described above) are used to generate some bash which is forwarded to the shell. They can perform more complex operations by capturing the shell's output and generating additional instructions based on what is returned. Processors are a little different: they are used to rewrite data circulating between the user and the underlying bash process. While it is true that any processor could be rewritten as a command, it seemed a little cleaner to separate the two. Input processors work on whatever is typed by the user once they press the ENTER key, and output processors can modify anything returned by the shell.

A good processor example can be found in processors/ssh_command_line.py. All it does is add the -T option to any SSH command it sees if it is missing. Be sure to check out its simple code if you are interested in writing a processor.

Another input processor present in the framework, processors/assert_torify.py, contains a blacklist of networking commands (ssh, nc) and blocks them if they don't seem to be proxied through a tool such as torify. The harness does its best to only bother the user if it seems like the command is being run on the local machine. Obviously this should not be your only safeguard against leaking your home IP address.

Finally, processors/sample_output_processor.py is a very simple output processor that highlights in red any occurrence of the word "password". As it's quite useless, it's not enabled in the framework, but you can still use it as a starting point if you want to do something more sophisticated.

Known issues

CTRL+R is not implemented yet and we all miss it dearly.

There is currently no way to run ELFs in memory on a remote machine. This is high on the ToDo list.

More problematic is the fact that the framework hangs from time to time. In 99% of the cases, this happens when it fails to detect that a command it launched has finished running. Usually, this means that the command prompt of the machine you're logged into could not be recognized as such. In that case, you can try improving the regular expression located at the very beginning of the file ffm.py, or log into that same machine with ssh -T as there won't be any problematic prompt anymore. By default, FFM will give up on trying to read the output of a command after 5 minutes (some plugins may implement different timeouts), so if the framework hangs, you'll need to wait until you see an error message (though if the underlying process is still running, you may still not be able to type in commands).

Closing statement

I think I've covered everything about this tool. Again, it's a little different from what I usually release, as most people will probably need to modify it before it can be valuable to them.

Many plugins have yet to be written, so be sure to share back any improvements you make to FFM. Feel free to open issues not only for bugs, but also if you're trying to do something and can't figure out how; this way I'll be able to improve the documentation for everyone.

Download FFM
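As an added example (not FFM's own code; the framework's processor base classes and registration hooks are not shown on this page), the two processors described in the Processors section above can be reduced to plain functions: an input processor that inserts -T into an ssh command line when it is missing, and an output processor that marks every occurrence of "password" in shell output in red. The function names, the run_pipeline wiring and the sample session text are assumptions made for the example.

```python
import re
import shlex

# Added example: stand-alone versions of the two processors discussed above.
# FFM's real processor API is not shown on the page, so these are plain
# functions with assumed names rather than the framework's classes.

RED = "\x1b[31m"
RESET = "\x1b[0m"
SECRET_RE = re.compile(r"password", re.IGNORECASE)


def _has_short_flag(token: str, flag: str) -> bool:
    """True if a bundled short-option token (-T, -vT, ...) carries `flag`.

    Long options (--foo) and option values never start with a single dash,
    so they are skipped. A value glued to its option (-oTCPKeepAlive=yes)
    can yield a false positive; the check is deliberately this simple.
    """
    return token.startswith("-") and not token.startswith("--") and flag in token[1:]


def add_ssh_no_tty(line: str) -> str:
    """Input processor: add -T (no pseudo-terminal) to an ssh command line.

    Runs on the line the user typed, before it reaches the underlying bash.
    A harness that recognises prompts by regex hangs less when the remote
    side is not allocating a TTY, which is why the framework does this.
    """
    body = line.rstrip("\r\n")
    newline = line[len(body):]
    try:
        tokens = shlex.split(body)
    except ValueError:
        # Unbalanced quotes: pass the line through untouched rather than guess.
        return line
    if not tokens or tokens[0] != "ssh":
        return line
    if any(_has_short_flag(t, "T") for t in tokens[1:]):
        return line  # -T already present, nothing to do
    return shlex.join([tokens[0], "-T", *tokens[1:]]) + newline


def highlight_secrets(chunk: str) -> str:
    """Output processor: wrap every "password" (any case) in red ANSI codes.

    Runs on data coming back from the shell before it is shown to the user.
    """
    return SECRET_RE.sub(lambda m: f"{RED}{m.group(0)}{RESET}", chunk)


def run_pipeline(line: str, shell_output: str) -> tuple:
    """Apply the input processor to the typed line and the output processor
    to what the shell returned, in the order the Processors section describes."""
    return add_ssh_no_tty(line), highlight_secrets(shell_output)


if __name__ == "__main__":
    # Constructed sample session, not real captured output.
    cmd, out = run_pipeline("ssh -p 2222 admin@10.0.0.5 id\n",
                            "Password: \nEnter PASSWORD again:\n")
    print(repr(cmd))
    print(out)
```

The input side re-joins tokens with shlex.join, so quoting the user typed survives the rewrite; a line with unbalanced quotes is passed through unchanged instead of being mangled.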

Link: http://www.kitploit.com/2019/03/ffm-freedom-fighting-mode-open-source.html

AutoRDPwn v4.8 – The Shadow Attack Framework

AutoRDPwn is a script created in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view the victim's desktop without their consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements

PowerShell 4.0 or higher

Changes

Version 4.8
• Compatibility with PowerShell 4.0
• Automatic copy of the content to the clipboard (passwords, hashes, dumps, etc.)
• Automatic exclusion in Windows Defender (4 different methods)
• Remote execution without password for PsExec, WMI and Invoke-Command
• New available attack: DCOM Passwordless Execution
• New available module: Remote Access / Metasploit Web Delivery
• New module available: Remote VNC Server (designed for legacy environments)
• Autocomplete the host, user and password fields by pressing Enter
• It is now possible to run the tool without administrator privileges with the -noadmin parameter

*The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords, obtain a remote shell, upload and download files or even recover the history of RDP connections or passwords of wireless networks.

One line execution:

powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its RDP tool Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Link: http://www.kitploit.com/2019/03/autordpwn-v48-shadow-attack-framework.html

AutoSploit v3.0 – Automated Mass Exploiter

As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or Zoomeye, but options to add your custom targets and host lists have been included as well. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured by filling out the dialog that comes up before the exploit component is started.

Operational Security Consideration

Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead consider running this tool from a VPS that has all the required dependencies available.

The new version of AutoSploit has a feature that allows you to set a proxy before you connect and a custom user-agent.

Installation

Installing AutoSploit is very simple; you can find the latest stable release here. You can also download the master branch as a zip or tarball or follow one of the below methods.

Cloning

sudo -s << EOF
git clone https://github.com/NullArray/AutoSploit.git
cd AutoSploit
chmod +x install.sh
./install.sh
python2 autosploit.py
EOF

Docker

sudo -s << EOF
git clone https://github.com/NullArray/AutoSploit.git
cd AutoSploit
chmod +x install.sh
./install.sh
cd Docker
docker network create -d bridge haknet
docker run --network haknet --name msfdb -e POSTGRES_PASSWORD=s3cr3t -d postgres
docker build -t autosploit .
docker run -it --network haknet -p 80:80 -p 443:443 -p 4444:4444 autosploit
EOF

On any Linux system the following should work:

git clone https://github.com/NullArray/AutoSploit
cd AutoSploit
chmod +x install.sh
./install.sh

AutoSploit is compatible with macOS; however, you have to be inside a virtual environment for it to run successfully. In order to accomplish this, perform the below operations via the terminal or in the form of a shell script.

sudo -s << '_EOF'
pip2 install virtualenv --user
git clone https://github.com/NullArray/AutoSploit.git
virtualenv <PATH-TO-YOUR-ENV>
source <PATH-TO-YOUR-ENV>/bin/activate
cd <PATH-TO-AUTOSPLOIT>
pip2 install -r requirements.txt
chmod +x install.sh
./install.sh
python autosploit.py
_EOF

More information on running Docker can be found here.

Usage

Starting the program with python autosploit.py will open an AutoSploit terminal session. The options for which are as follows.

1. Usage And Legal
2. Gather Hosts
3. Custom Hosts
4. Add Single Host
5. View Gathered Hosts
6. Exploit Gathered Hosts
99. Quit

Choosing option 2 will prompt you for a platform specific search query. Enter IIS or Apache, for example, and choose a search engine. After doing so the collected hosts will be saved to be used in the Exploit component.

As of version 2.0 AutoSploit can be started with a number of command line arguments/flags as well. Type python autosploit.py -h to display all the options available to you. I've posted the options below as well for reference.

usage: python autosploit.py -[c|z|s|a] -[q] QUERY
                            [-C] WORKSPACE LHOST LPORT
                            [-e] [--whitewash] PATH
                            [--ruby-exec] [--msf-path] PATH
                            [-E] EXPLOIT-FILE-PATH
                            [--rand-agent] [--proxy] PROTO://IP:PORT
                            [-P] AGENT

optional arguments:
  -h, --help            show this help message and exit

search engines:
  possible search engines to use

  -c, --censys          use censys.io as the search engine to gather hosts
  -z, --zoomeye         use zoomeye.org as the search engine to gather hosts
  -s, --shodan          use shodan.io as the search engine to gather hosts
  -a, --all             search all available search engines to gather hosts

requests:
  arguments to edit your requests

  --proxy PROTO://IP:PORT
                        run behind a proxy while performing the searches
  --random-agent        use a random HTTP User-Agent header
  -P USER-AGENT, --personal-agent USER-AGENT
                        pass a personal User-Agent to use for HTTP requests
  -q QUERY, --query QUERY
                        pass your search query

exploits:
  arguments to edit your exploits

  -E PATH, --exploit-file PATH
                        provide a text file to convert into JSON and save for
                        later use
  -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
                        set the configuration for MSF (IE -C default 127.0.0.1
                        8080)
  -e, --exploit         start exploiting the already gathered hosts

misc arguments:
  arguments that don't fit anywhere else

  --ruby-exec           if you need to run the Ruby executable with MSF use
                        this
  --msf-path MSF-PATH   pass the path to your framework if it is not in your
                        ENV PATH
  --whitelist PATH      only exploit hosts listed in the whitelist file

Dependencies

Note: All dependencies should be installed using the above installation method; however, if you find they are not:

AutoSploit depends on the following Python 2.7 modules.

requests
psutil

Should you find you do not have these installed, get them with pip like so.

pip install requests psutil

or

pip install -r requirements.txt

Since the program invokes functionality from the Metasploit Framework you need to have this installed also. Get it from Rapid7 by clicking here.

Download AutoSploit

Link: http://www.kitploit.com/2019/01/autosploit-v30-automated-mass-exploiter.html

JSShell – An Interactive Multi-User Web JS Shell

An interactive multi-user web based JavaScript shell. It was initially created in order to debug remote esoteric browsers during experiments and research. This tool can be easily attached to an XSS (Cross Site Scripting) payload to achieve browser remote code execution (similar to the BeEF framework).

Version 2.0 is created entirely from scratch, introducing new exciting features, stability and maintainability.

Author

Daniel Abeles.

Shell Video

Features
• Multi client support
• Cyclic DOM objects support
• Pre flight scripts
• Command Queue & Context
• Extensible with Plugins
• Injectable via