netero1010/TrustedPath-UACBypass-BOF netero1010/TrustedPath-UACBypass-BOF

  • Stars
    star
    112
  • Rank 302,222 (Top 7 %)
  • Language
    C
  • Created almost 3 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
netero1010/TrustedPath-UACBypass-BOF
github

netero1010

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

BOF - Trusted Path UAC Bypass

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

Technical details:

https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows

Usage

Example: bof-trustedpath-uacbypass ComputerDefaults.exe /root/edputil.dll

Compile

make

Execution

beacon> help bof-trustedpath-uacbypass
Version: 1.0
Author: Chris Au
Twitter: @netero_1010
Github: @netero1010

====================Trusted Path UAC Bypass BOF Workflow=======================
Step 1: Upload the DLL payload to "C:\Windows\Tasks"
Step 2: Create a new folder called "C:\Windows \System32"
Step 3: Copy desired executable to "C:\Windows \System32"
Step 4: Copy the DLL payload to "C:\Windows \System32"
Step 5: Use DCOM to execute "C:\Windows \System32\<desired executable>"
Step 6: Delete the DLL payload on "C:\Windows\Tasks"
================================================================================

Example: bof-trustedpath-uacbypass ComputerDefaults.exe /root/edputil.dll

HowTo

Credit @David Wells and @Wietze for excellent research
https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows

@Yas_o_h for the awesome DCOM BOF implementation
https://github.com/Yaxser/CobaltStrike-BOF/tree/master/DCOM%20Lateral%20Movement

More Repositories

1

EDRSilencer

A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
C
824
star
2

GhostTask

A tool employs direct registry manipulation to create scheduled tasks without triggering the usual event logs.
C
412
star
3

ScheduleRunner

A C# tool with more flexibility to customize scheduled task for both persistence and lateral movement in red team operation
C#
314
star
4

ServiceMove-BOF

New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.
C
277
star
5

RDPHijack-BOF

Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking.
C
264
star
6

Quser-BOF

Cobalt Strike BOF for quser.exe implementation using Windows API
C
85
star
7

ClipboardHistoryThief

POC tool to extract all persistent clipboard history data from clipboard service process memory
C
36
star
8

Vulnerability-Disclosure

3
star