User Access Control (UAC) Bypass

Description

Runs a PowerShell cradle to load a Specter into a high integrity process from a medium integrity process without triggering a UAC prompt.

Overview

Spawns a high integrity process from a medium integrity process without having to use the GUI. There are currently five techniques provided out-of-the-box. The table below outlines the key information about each technique, including the minimum and maximum supported Windows version for each one. By default, the Invoke-UacBypass cmdlet throws an exception if the current Windows version is not within the ranges below; this check can be overridden with the -Force parameter.

The success of these techniques depends on the OS version being vulnerable and on an AV that has not yet written a signature for this behavior. Windows Defender has done a pretty good job of creating behavior-based signatures quickly after discovery.

Name              Detected  MinVer      MaxVer      Description
EventVwr          True      6.1.7600    10.0.1503   Modifies the registry to start a child process of EventVwr which auto-elevates to a high integrity process.
Sdclt             True      10.0.14393  11.0.0      Modifies the registry to start a child process of Sdclt which auto-elevates to a high integrity process.
Slui              True      6.3.9600    10.0.1904   Modifies the registry to start a child process of Slui which auto-elevates to a high integrity process.
TokenDuplication  True      6.1.7600    10.0.17686  Modifies the registry to start a child process of Sdclt which auto-elevates to a high integrity process.
FodHelper         False     10.0.10240  11.0.0      Modifies the registry to start a child process of Sdclt which auto-elevates to a high integrity process.
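The version-window check described in the overview, reproduced here as an added example for exposure assessment; this is not code from the page or from the Specter project, and the function and parameter names (Test-UacBypassVersionWindow, Get-HostWindowsVersion) are hypothetical. It reads the host OS version via Win32_OperatingSystem and reports which of the windows in the table above cover it, so a defender can see which technique windows apply to a given build and whether that behavior is already marked as detected.

```powershell
# Added example, not the project's own cmdlet. Names below are hypothetical.
# Technique table exactly as listed on this page.
$UacBypassTechniques = @(
    [pscustomobject]@{ Name = 'EventVwr';         Detected = $true;  MinVer = '6.1.7600';   MaxVer = '10.0.1503'  }
    [pscustomobject]@{ Name = 'Sdclt';            Detected = $true;  MinVer = '10.0.14393'; MaxVer = '11.0.0'     }
    [pscustomobject]@{ Name = 'Slui';             Detected = $true;  MinVer = '6.3.9600';   MaxVer = '10.0.1904'  }
    [pscustomobject]@{ Name = 'TokenDuplication'; Detected = $true;  MinVer = '6.1.7600';   MaxVer = '10.0.17686' }
    [pscustomobject]@{ Name = 'FodHelper';        Detected = $false; MinVer = '10.0.10240'; MaxVer = '11.0.0'     }
)

function Get-HostWindowsVersion {
    # Win32_OperatingSystem.Version is "Major.Minor.Build" (e.g. 10.0.19045). Unlike
    # [Environment]::OSVersion it is not affected by application-manifest compatibility
    # shimming. Note that Windows 11 reports 10.0.22000 or later, so a MaxVer of 11.0.0
    # in the table above still covers it.
    [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
}

function Test-UacBypassVersionWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [version]$OSVersion = (Get-HostWindowsVersion),
        [switch]$Force   # mirrors the page's -Force: report instead of throwing when out of window
    )
    $t = $UacBypassTechniques | Where-Object Name -eq $Name
    if (-not $t) { throw "Unknown technique '$Name'" }

    # Inclusive range check using System.Version ordering (handles 6.1 < 6.3 < 10.0 correctly).
    $inWindow = ($OSVersion -ge [version]$t.MinVer) -and ($OSVersion -le [version]$t.MaxVer)
    if (-not $inWindow -and -not $Force) {
        throw "$Name supports Windows $($t.MinVer) to $($t.MaxVer); host reports $OSVersion"
    }
    [pscustomobject]@{
        Name = $Name; OSVersion = $OSVersion; InWindow = $inWindow
        Detected = $t.Detected; Forced = [bool]$Force
    }
}

# Exposure summary for this host: which listed windows it falls into and whether that
# behavior is already signatured. -Force keeps out-of-window techniques as rows rather than errors.
$UacBypassTechniques | ForEach-Object { Test-UacBypassVersionWindow -Name $_.Name -Force } |
    Format-Table Name, OSVersion, InWindow, Detected
```

Pass -OSVersion '10.0.17763' (or any other build) to evaluate a version other than the local host's.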

Dependencies

  • credentials

Pre-Requisites

  • User is Administrator