UAC Bypasses

User Account Control (UAC) is a Windows technology that forces applications to prompt for consent when they request an administrative access token. Bob is a local administrator on Workstation 2, but if we open a Command Prompt and attempt to add a new local user, we get an "Access is denied" error. This instance of cmd.exe is running in "medium integrity".

C:\Users\bfarmer>net user hacker Passw0rd! /add
System error 5 has occurred.

Access is denied.

C:\Users\bfarmer>whoami /groups

Mandatory Label\Medium Mandatory Level

Instead, we must right-click the Command Prompt and select "Run as administrator", which causes a UAC prompt to appear.

Only after clicking Yes will the Command Prompt have sufficient privileges to make system configuration changes, as it will now be running in "high integrity".

C:\Windows\system32>whoami /groups

Mandatory Label\High Mandatory Level
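
The two whoami outputs above differ in more than the Mandatory Label line: in the medium-integrity prompt Bob's token still lists BUILTIN\Administrators, but UAC marks it "Group used for deny only", which is why the net user command fails. As an added example (not part of the course material or of Cobalt Strike), the Python below parses whoami /groups output and reports both the integrity level and the state of the Administrators group, so a defender reviewing captured command output can tell a filtered admin token from a genuinely elevated one. The two sample outputs embedded in it are constructed for the example, not captured from the lab.

```python
"""Classify a Windows token from `whoami /groups` output (added example)."""
import re

# Well-known integrity-level SIDs: S-1-16-<RID>.
INTEGRITY_SIDS = {
    "S-1-16-0": "Untrusted",
    "S-1-16-4096": "Low",
    "S-1-16-8192": "Medium",
    "S-1-16-8448": "Medium Plus",
    "S-1-16-12288": "High",
    "S-1-16-16384": "System",
}
ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

# whoami prints one row per group; the SID column is the reliable anchor
# because group names and attribute text vary in width.
_SID_RE = re.compile(r"\bS-1-(?:\d+-)+\d+\b")

# Constructed sample: medium-integrity prompt of a local admin (UAC-filtered token).
MEDIUM_SAMPLE = r"""GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                 Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
"""

# Constructed sample: the same user after "Run as administrator".
HIGH_SAMPLE = r"""GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                 Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level   Label            S-1-16-12288
"""


def parse_whoami_groups(text):
    """Return a list of (sid, attributes) tuples, skipping header/separator lines."""
    rows = []
    for line in text.splitlines():
        match = _SID_RE.search(line)
        if not match:
            continue
        sid = match.group(0)
        attributes = line[match.end():].strip()  # empty for the Mandatory Label row
        rows.append((sid, attributes))
    return rows


def classify_token(text):
    """Summarise the integrity level and the Administrators group state of a token."""
    integrity = "Unknown"
    admin_state = "not a member"
    for sid, attributes in parse_whoami_groups(text):
        if sid in INTEGRITY_SIDS:
            integrity = INTEGRITY_SIDS[sid]
        elif sid == ADMINISTRATORS_SID:
            attrs = attributes.lower()
            if "deny only" in attrs:
                admin_state = "filtered"   # UAC split token: admin rights withheld
            elif "enabled group" in attrs:
                admin_state = "enabled"
            else:
                admin_state = "present"
    return {"integrity": integrity, "administrators": admin_state}


def is_elevated(text):
    """True when the token can actually change system configuration."""
    info = classify_token(text)
    return info["integrity"] in ("High", "System") and info["administrators"] == "enabled"


if __name__ == "__main__":
    for name, sample in (("medium", MEDIUM_SAMPLE), ("high", HIGH_SAMPLE)):
        print(name, classify_token(sample), "elevated:", is_elevated(sample))
```

Run against real output with `whoami /groups > groups.txt` on the host and feed the file contents to classify_token; the parser only needs the SID column, so it tolerates the variable column widths whoami produces for long group names.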

A UAC "bypass" is a technique that allows a medium integrity process to elevate itself, or spawn a new process, in high integrity without prompting the user for consent. High integrity matters to attackers because it is required for various post-exploitation actions, such as dumping credentials.

Beacon has a few built-in UAC bypasses, and a few more are provided via the Elevate Kit (which has already been pre-loaded into Cobalt Strike for your convenience). These are exposed via the elevate command.

beacon> elevate uac-schtasks tcp-local
[*] Tasked Beacon to run windows/beacon_bind_tcp (127.0.0.1:4444) in a high integrity context
[+] established link to child beacon: 10.10.123.102
