Description
Runs a PowerShell cradle to load a Specter into a high integrity process from a medium integrity process without triggering a UAC prompt.
Overview
Spawns a high integrity process from a medium integrity process without having to use the GUI. There are 19 techniques provided out-of-the-box. The table below outlines key information about each technique.
The success of these techniques depends on the OS version being vulnerable and on the AV not yet having a signature for this behavior. Windows Defender has done a pretty good job of creating behavior-based signatures quickly after discovery.
| Name | Description |
|---|---|
| FodHelper | Abuses the FodHelper.exe auto-elevate binary via registry hijack. |
| Sdclt | Abuses Sdclt.exe auto-elevate binary via registry hijack. |
| Slui | Abuses Slui.exe auto-elevate binary via registry hijack. |
| TokenDuplication | Duplicates a high-integrity token from an elevated process. |
| EventVwr | Abuses EventVwr.exe auto-elevate binary via registry hijack. |
| RunAs | Uses the RunAs verb to request elevation. |
| ComputerDefaults | Abuses ComputerDefaults.exe auto-elevate binary via registry hijack. |
| WsReset | Abuses WsReset.exe auto-elevate binary via registry hijack. |
| SilentCleanup | Abuses the SilentCleanup scheduled task which runs with elevated privileges. |
| SluiChangePk | Abuses Slui.exe with the changepk argument via registry hijack. |
| Cmstp | Abuses CMSTP.exe to execute an elevated COM object. |
| CompMgmtLauncher | Abuses CompMgmtLauncher.exe auto-elevate binary via registry hijack. |
| SdcltIsolatedCommand | Abuses Sdclt.exe IsolatedCommand registry key for elevation. |
| SdcltAppPaths | Abuses Sdclt.exe via App Paths registry hijack. |
| Perfmon | Abuses Perfmon.exe auto-elevate binary via registry hijack. |
| FodHelperProtocol | Abuses FodHelper.exe via protocol handler registry hijack. |
| WsResetProtocol | Abuses WsReset.exe via protocol handler registry hijack. |
| FodHelperCurVer | Abuses FodHelper.exe via CurVer registry hijack. |
| CmstpLuaUtil | Abuses CMSTP via the CMLUAUTIL elevated COM object. |
By default, the FodHelper technique is used. You can specify a different technique with the -Technique parameter.
Use the -Force parameter to override safety checks for techniques that are flagged as potentially unsafe.
Parameters
- Technique — The UAC bypass technique to use. Valid values: FodHelper, Sdclt, Slui, TokenDuplication, EventVwr, RunAs, ComputerDefaults, WsReset, SilentCleanup, SluiChangePk, Cmstp, CompMgmtLauncher, SdcltIsolatedCommand, SdcltAppPaths, Perfmon, FodHelperProtocol, WsResetProtocol, FodHelperCurVer, CmstpLuaUtil. Default: FodHelper.
- Force — Override safety checks for techniques that require it.
Dependencies
- credentials
Pre-Requisites
- User is a member of the local Administrators group.
- Process is running at medium integrity.
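The following PowerShell audit is an added defensive check, not part of this module or its documentation: it reads the UAC policy values and the current token to report whether the conditions named in Overview and Pre-Requisites (a filtered Administrators token at medium integrity, and a UAC level below "Always notify" that lets auto-elevate binaries skip the prompt) hold on a host. The function name and output fields are chosen here; it assumes English `whoami` output.

```powershell
# Added example (not the module's own code): defender-side audit of the
# conditions the auto-elevate techniques in the table above rely on.
function Get-UacBypassExposure {
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Fall back to the Windows defaults when a value has never been written.
    $enableLua = if ($null -ne $policy.EnableLUA) { [int]$policy.EnableLUA } else { 1 }
    $consent   = if ($null -ne $policy.ConsentPromptBehaviorAdmin) { [int]$policy.ConsentPromptBehaviorAdmin } else { 5 }

    # whoami lists the integrity label (S-1-16-*) and BUILTIN\Administrators
    # (S-1-5-32-544) with attributes; a filtered (split) admin token shows the
    # Administrators group as "Group used for deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    $integrity = switch ($label.SID) {
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-12288' { 'High' }
        'S-1-16-16384' { 'System' }
        default        { "Other ($($label.SID))" }
    }
    $filteredAdmin = ($null -ne $admins) -and ($admins.Attributes -match 'deny only')

    # Auto-elevate binaries (FodHelper, Sdclt, EventVwr, ...) only skip the
    # consent prompt below "Always notify" (ConsentPromptBehaviorAdmin = 2).
    # TokenDuplication and the SilentCleanup task are not governed by this value.
    $autoElevateSilent = ($enableLua -eq 1) -and ($consent -ne 2)

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        ProcessIntegrity           = $integrity
        FilteredAdminToken         = $filteredAdmin
        FilteredAdminAtMedium      = ($integrity -eq 'Medium') -and $filteredAdmin
        AutoElevateWithoutPrompt   = $autoElevateSilent
        Recommendation             = if ($autoElevateSilent) {
            'Set ConsentPromptBehaviorAdmin to 2 (Always notify) so auto-elevate binaries prompt as well.'
        } else {
            'UAC level already forces a prompt for auto-elevate binaries.'
        }
    }
}

Get-UacBypassExposure | Format-List
```

On localized Windows builds the `whoami` attribute text differs, so match on the localized equivalent of "deny only" there.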
Operating Systems
- Windows
