
User Account Control (UAC) Bypass

Microsoft introduced User Account Control (UAC) in Windows Vista and refined it in Windows 7. UAC works a lot like sudo in UNIX: day to day, a user works with normal privileges, and when the user needs to perform a privileged action the system asks whether they would like to elevate their rights. Under the hood, an administrator's logon receives a split token: a filtered, medium-integrity token used for normal work and a linked, high-integrity token that a consent prompt unlocks. The bypasses below are ways of reaching that elevated token without the prompt.

Cobalt Strike ships with a few UAC bypass attacks. These attacks will not work if the current user is not a member of the local Administrators group: there is no elevated token to reach for a standard user. To check whether the current user is in the Administrators group, use run whoami /groups and look for BUILTIN\Administrators. In a non-elevated session of an administrator it is listed with the attribute "Group used for deny only"; that is the sign of a split token and the situation these attacks target. If the Mandatory Label line already reads High Mandatory Level, the session is elevated and no bypass is needed.

1) elevate uac-token-duplication [LISTENER]

  • This command spawns a temporary process with elevated rights and injects a payload stage into it. This attack uses a UAC loophole that allows a non-elevated process to launch an arbitrary process with a token stolen from an elevated process. This loophole requires the attack to remove several rights assigned to the elevated token. The abilities of your new session will reflect these restricted rights. If UAC is set to Always Notify (its highest setting), this attack requires that an elevated process is already running in the current desktop session (as the same user). This attack works on Windows 7 and Windows 10 prior to the November 2018 update.

2) runasadmin uac-token-duplication [COMMAND]

  • This is the same attack described above, but this variant runs a command of your choosing in an elevated context.

3) runasadmin uac-cmstplua [COMMAND]

  • This command attempts to bypass UAC and run a command in an elevated context. This attack relies on a COM object that automatically elevates from certain process contexts (Microsoft-signed, lives in c:\windows\*).
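Before choosing one of these attacks it helps to confirm the preconditions from the same session: that the user is an administrator with a split token, that the session is not already elevated, and what the UAC slider is set to, since Always Notify changes what uac-token-duplication needs. The following PowerShell script is an added example and is not Cobalt Strike code; it runs whoami /groups in CSV form (the same check the text recommends) and reads the UAC policy values from the registry. The function name Get-UacPreflight is my own; the well-known SIDs (S-1-5-32-544 for BUILTIN\Administrators, S-1-16-8192 Medium and S-1-16-12288 High integrity) and the ConsentPromptBehaviorAdmin / PromptOnSecureDesktop / EnableLUA values are standard Windows values. Nothing in it elevates anything.

```powershell
# Added example, not Cobalt Strike code: pre-flight checks before attempting a UAC bypass.
# Assumes it runs in the target user's own (medium-integrity) session, e.g. from a local
# PowerShell prompt or via the Beacon powershell command.

function Get-UacPreflight {
    # "whoami /groups /fo csv" yields the columns: "Group Name","Type","SID","Attributes"
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # BUILTIN\Administrators is always S-1-5-32-544. On a filtered (non-elevated) admin
    # token it is still listed, but flagged "Group used for deny only". That flag is the
    # evidence that a linked elevated token exists for this logon.
    $admin         = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $isAdminMember = [bool]$admin
    $isDenyOnly    = $isAdminMember -and ($admin.Attributes -match 'deny only')

    # Integrity level is reported as a Mandatory Label group:
    # S-1-16-8192 = Medium (normal desktop), S-1-16-12288 = High (elevated).
    $label      = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).SID
    $isElevated = ($label -eq 'S-1-16-12288')

    # UAC policy. ConsentPromptBehaviorAdmin=2 together with PromptOnSecureDesktop=1 is
    # the "Always notify" slider position; 5/1 is the Windows default; EnableLUA=0 turns
    # UAC off entirely (no split token, no prompt).
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $alwaysNotify = ($pol.ConsentPromptBehaviorAdmin -eq 2) -and ($pol.PromptOnSecureDesktop -eq 1)

    [pscustomobject]@{
        User                  = (whoami)
        IsAdminMember         = $isAdminMember
        AdminGroupDenyOnly    = $isDenyOnly
        IntegrityLevelSid     = $label
        IsElevated            = $isElevated
        UacEnabled            = ($pol.EnableLUA -eq 1)
        ConsentPromptBehavior = $pol.ConsentPromptBehaviorAdmin
        AlwaysNotify          = $alwaysNotify
    }
}

$r = Get-UacPreflight
$r | Format-List

# Map the findings onto the attacks described above.
if (-not $r.UacEnabled)        { 'UAC is disabled: no bypass needed, elevate directly.' }
elseif ($r.IsElevated)         { 'Session is already High integrity: nothing to bypass.' }
elseif (-not $r.IsAdminMember) { 'User is not in Administrators: the UAC bypasses will fail.' }
elseif ($r.AlwaysNotify)       { 'Always Notify: uac-token-duplication needs an elevated process of this user already running.' }
else                           { 'Admin with a split token below Always Notify: candidate for uac-token-duplication or uac-cmstplua.' }
```

The deny-only attribute check matters because a filtered token still carries the Administrators SID; a naive "is the user an admin" test that only looks for the SID would also return true for an already-elevated session, and one that uses IsInRole() would return false for the very split-token case these attacks need.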
