# UAC Bypasses

User Account Control (UAC) is a Windows technology that forces applications to prompt for consent when requesting an administrative access token. Bob is a local administrator on Workstation 2, but if we open a Command Prompt and attempt to add a new local user, we get an access denied error. This instance of cmd.exe is running in "medium integrity".

```
C:\Users\bfarmer>net user hacker Passw0rd! /add
System error 5 has occurred.

Access is denied.

C:\Users\bfarmer>whoami /groups

Mandatory Label\Medium Mandatory Level
```

Instead, what we must do is right-click and select "Run as administrator", which will cause a UAC prompt to appear.

![](https://files.cdn.thinkific.com/file_uploads/584845/images/306/c51/3e3/prompt.png)

Only after clicking *Yes* will the Command Prompt have sufficient privileges to make system configuration changes, as it will now be running in "high integrity".

```
C:\Windows\system32>whoami /groups

Mandatory Label\High Mandatory Level
```
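
The two `whoami /groups` outputs above can be triaged automatically. The following is an added example, not part of the original page: it reads the full `whoami /groups` table and reports the integrity level together with the state of the `BUILTIN\Administrators` SID, which UAC marks as deny-only in a filtered (medium integrity) admin token. The function name, the state labels, and the sample rows are constructed for illustration, and English-language output is assumed.

```python
import re

# Well-known mandatory-label SIDs and the BUILTIN\Administrators SID.
INTEGRITY_SIDS = {"S-1-16-4096": "low", "S-1-16-8192": "medium",
                  "S-1-16-12288": "high", "S-1-16-16384": "system"}
ADMINS_SID = "S-1-5-32-544"
# A table row ends with the SID followed by optional attribute text.
SID_ROW = re.compile(r"\b(S-1-\d+(?:-\d+)+)\s*(.*)$")

def classify_token(whoami_groups_output):
    """Return the integrity level and UAC token state from `whoami /groups` text."""
    integrity, admin_attrs = None, None
    for line in whoami_groups_output.splitlines():
        match = SID_ROW.search(line)
        if not match:
            continue  # headers, separators, blank lines
        sid, attrs = match.group(1), match.group(2).strip().lower()
        if sid in INTEGRITY_SIDS:
            integrity = INTEGRITY_SIDS[sid]
        elif sid == ADMINS_SID:
            admin_attrs = attrs
    if admin_attrs is None:
        state = "standard user"      # Administrators SID absent from the token
    elif "deny only" in admin_attrs:
        state = "filtered admin"     # split token: admin rights not usable
    else:
        state = "elevated admin"     # full administrative token
    return {"integrity": integrity, "state": state}

# Constructed sample rows (abridged, English-language output).
MEDIUM_SAMPLE = r"""
BUILTIN\Administrators                  Alias  S-1-5-32-544  Group used for deny only
BUILTIN\Users                           Alias  S-1-5-32-545  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level  Label  S-1-16-8192
"""
HIGH_SAMPLE = r"""
BUILTIN\Administrators                  Alias  S-1-5-32-544  Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                           Alias  S-1-5-32-545  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level    Label  S-1-16-12288
"""

if __name__ == "__main__":
    print(classify_token(MEDIUM_SAMPLE))
    print(classify_token(HIGH_SAMPLE))
```

Bob's first prompt classifies as medium / filtered admin: the Administrators SID is in his token but only for deny checks, which is why `net user ... /add` returns access denied even though he is a local administrator.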

A UAC "bypass" is a technique that allows a medium integrity process to elevate itself or spawn a new process in high integrity, without prompting the user for consent. Being in high integrity is important for attackers because it's required for various post-exploitation actions such as dumping credentials.

Beacon has a few built-in UAC bypasses and a few more which are provided via the [Elevate Kit](https://github.com/cobalt-strike/ElevateKit) (this has already been pre-loaded into Cobalt Strike for your convenience). These are exposed via the `elevate` command.

```
beacon> elevate uac-schtasks tcp-local
[*] Tasked Beacon to run windows/beacon_bind_tcp (127.0.0.1:4444) in a high integrity context
[+] established link to child beacon: 10.10.123.102
```

![](https://files.cdn.thinkific.com/file_uploads/584845/images/a23/8b1/74f/uac-bypass.png)

