
Methods
User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. If administrator-level permission is required to make a change to the system, User Account Control notifies the user and offers the option to approve or reject the change.
I also recommend that you familiarize yourself with Integrity Levels (1 / 2 / 3) and UAC.
Find out if UAC is enabled
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
Check the UAC level
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v FilterAdministratorToken
The following is taken from thehacker.recipes:
UAC limits pass-the-hash
UAC (User Account Control) limits which local users can do remote administration operations. And since most of the attacks exploiting pass-the-hash rely on remote admin operations, it affects this technique.
- the registry key LocalAccountTokenFilterPolicy is set to 0 by default. It means that the built-in local admin account (RID-500, "Administrator") is the only local account allowed to do remote administration tasks. Setting it to 1 allows the other local admins as well.
- the registry key FilterAdministratorToken is set to 0 by default. It allows the built-in local admin account (RID-500, "Administrator") to do remote administration tasks. If set to 1, it doesn't.
In short, by default, only the following accounts can fully take advantage of pass-the-hash:
- local accounts: the built-in, RID-500, "Administrator" account
- domain accounts: all domain accounts with local admin rights
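The REG QUERY checks above and the token-filtering rules quoted from thehacker.recipes can be combined into one audit script. The PowerShell below is an added example, not code from the original post or from thehacker.recipes. It reads the four policy values from the host it runs on and reports what they mean for remote administration by local accounts. Values that are absent from the registry are treated as their Windows defaults: the page gives 0 for LocalAccountTokenFilterPolicy and FilterAdministratorToken; the defaults assumed for EnableLUA (1) and ConsentPromptBehaviorAdmin (5) are the documented Windows defaults, not taken from the page. The function names are this example's own.

```powershell
# Added example (not from the original post or thehacker.recipes):
# audit the UAC policy values the post queries with REG QUERY and report
# what they mean for remote admin operations, and so for pass-the-hash exposure.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Default   # value Windows applies when the entry is absent
    )
    # -ErrorAction SilentlyContinue: a missing value (or key) yields $null instead of an error
    $props = Get-ItemProperty -Path $PolicyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $Default }
    return [int]$props.$Name
}

function Get-UacPosture {
    # Defaults: 0 for the two filter values (as stated in the quoted text);
    # 1 for EnableLUA and 5 for ConsentPromptBehaviorAdmin are the documented Windows defaults.
    $enableLua   = Get-UacPolicyValue -Name 'EnableLUA'                     -Default 1
    $consent     = Get-UacPolicyValue -Name 'ConsentPromptBehaviorAdmin'    -Default 5
    $filterAdmin = Get-UacPolicyValue -Name 'FilterAdministratorToken'      -Default 0
    $tokenFilter = Get-UacPolicyValue -Name 'LocalAccountTokenFilterPolicy' -Default 0

    # Documented meanings of ConsentPromptBehaviorAdmin (the "UAC level" for admins)
    $consentText = switch ($consent) {
        0 { 'Elevate without prompting' }
        1 { 'Prompt for credentials on the secure desktop' }
        2 { 'Prompt for consent on the secure desktop' }
        3 { 'Prompt for credentials' }
        4 { 'Prompt for consent' }
        5 { 'Prompt for consent for non-Windows binaries (default)' }
        default { "Unknown value $consent" }
    }

    # Remote admin rights for local accounts, following the two rules quoted above:
    #  - RID-500 Administrator keeps a full token remotely unless FilterAdministratorToken=1
    #  - other local admins only get a full token remotely if LocalAccountTokenFilterPolicy=1
    [pscustomobject]@{
        UacEnabled                       = ($enableLua -eq 1)
        AdminPromptBehavior              = $consentText
        Rid500AdminHasRemoteAdmin        = ($filterAdmin -eq 0)
        OtherLocalAdminsHaveRemoteAdmin  = ($tokenFilter -eq 1)
        DomainLocalAdminsHaveRemoteAdmin = $true   # domain accounts with local admin rights are not filtered
    }
}

$posture = Get-UacPosture
$posture | Format-List

# Flag the settings that widen pass-the-hash exposure on this host
if (-not $posture.UacEnabled) {
    Write-Warning 'UAC is disabled (EnableLUA=0): no token filtering is applied at all'
}
if ($posture.OtherLocalAdminsHaveRemoteAdmin) {
    Write-Warning 'LocalAccountTokenFilterPolicy=1: every local admin can perform remote admin tasks'
}
if ($posture.Rid500AdminHasRemoteAdmin) {
    Write-Output 'FilterAdministratorToken=0 (default): the built-in Administrator is not token-filtered'
}
```

Run it as-is on the host being audited; Get-ItemProperty does not require elevation for this key. The three account fields only have meaning while UAC is on: with EnableLUA=0 there is no token filtering, which is why that case is reported as its own warning. From a hardening standpoint the combination to look for is LocalAccountTokenFilterPolicy=1 together with shared local admin passwords, since that is what lets a single recovered hash be reused across hosts.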
Below are links to forum posts, as well as some resources that give a general idea of what User Account Control is, and practical examples that I managed to find.
– elastic.co: Exploring Windows UAC Bypasses: Techniques and Detection Strategies
– juggernaut-sec.com: UAC-Bypass – Windows Privilege Escalation
– fortinet: Offense and Defense – A Tale of Two Sides: Bypass UAC
– https://github.com/sailay1996/UAC_Bypass_In_The_Wild
– https://github.com/hfiref0x/UACME
– https://github.com/k4sth4/UAC-bypass
– https://github.com/x0xr00t/Automated-MUlti-UAC-Bypass
– Disable Windows Defender (+ UAC Bypass, + Upgrade to SYSTEM)
– https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1
– https://github.com/bytecode77/slui-file-handler-hijack-privilege-escalation
– https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
– https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass&lang=en
– https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html
– https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_silentcleanup/
– https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html
Note: This article is for informational purposes only. We do not encourage you to commit any hacking. Everything you do is your responsibility.
TOX: 340EF1DCEEC5B395B9B45963F945C00238ADDEAC87C117F64F46206911474C61981D96420B72
Telegram: @DevSecAS