From 7549cc7d616fc60542f2aedefe1ed2db0b336f7b Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 3 Jun 2021 02:48:44 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/Indexes-CSV/index.csv | 2 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +
 atomics/Indexes/Indexes-Markdown/index.md | 2 +
 .../Indexes/Indexes-Markdown/windows-index.md | 2 +
 atomics/Indexes/index.yaml | 50 +++++++++++++++++++
 atomics/T1548.002/T1548.002.md | 41 +++++++++++++++
 6 files changed, 99 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index e84bab59..8f816a2c 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -118,6 +118,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co
 privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -215,6 +216,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute
 defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index e3a45879..703da0de 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -85,6 +85,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co
 privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -151,6 +152,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute
 defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 3a916e39..d1a78b05 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -227,6 +227,7 @@
 - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
 - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
 - Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
 - Atomic Test #1: User scope COR_PROFILER [windows]
 - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -417,6 +418,7 @@
 - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
 - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
 - Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
 - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
 - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 6433b60d..d1f5864e 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -178,6 +178,7 @@
 - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
 - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
 - Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
 - Atomic Test #1: User scope COR_PROFILER [windows]
 - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -308,6 +309,7 @@
 - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
 - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
 - Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
 - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
 - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index af7d14dd..375f275d 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -10120,6 +10120,31 @@ privilege-escalation:
 '
 name: command_prompt
 elevation_required: true
+ - name: Bypass UAC using SilentCleanup task
+ auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+ description: |
+ Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+ For example, we can set the windir registry kye to: "cmd /k REM "
+
+ And forcefully run SilentCleanup task:
+
+ schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+ REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: Path to the bat file
+ type: String
+ default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+ executor:
+ command: "#{file_path}\n"
+ name: command_prompt
+ elevation_required: false
 T1574.012:
 technique:
 external_references:
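Review bot: The new `Bypass UAC using SilentCleanup task` entry defines an executor but no `cleanup_command`, so the windir registry value the description says is set (presumably by the referenced bat file) is left modified after the test runs; the same entry is repeated in the defense-evasion hunk at `@@ -19315,6 +19340,31 @@`. A `cleanup_command` that restores that value — `cleanup_command: <restore or delete the windir value the bat file changes; TODO mirror what T1548.002.bat sets>` — plus a `dependencies` entry whose `prereq_command` checks that `#{file_path}` exists would make the test repeatable and its side effect explicit to whoever runs it. Because index.yaml is generated, these fields belong in the technique's source atomic YAML from which this index is built, where the description's "kye" typo can be corrected as well. `elevation_required: false` is consistent with a test whose point is to reach an elevated context from an unprivileged one, so that part reads correctly.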
@@ -19315,6 +19340,31 @@ defense-evasion:
 '
 name: command_prompt
 elevation_required: true
+ - name: Bypass UAC using SilentCleanup task
+ auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+ description: |
+ Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+ For example, we can set the windir registry kye to: "cmd /k REM "
+
+ And forcefully run SilentCleanup task:
+
+ schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+ REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: Path to the bat file
+ type: String
+ default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+ executor:
+ command: "#{file_path}\n"
+ name: command_prompt
+ elevation_required: false
 T1218.003:
 technique:
 external_references:
diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md
index 98064122..597dc756 100644
--- a/atomics/T1548.002/T1548.002.md
+++ b/atomics/T1548.002/T1548.002.md
@@ -28,6 +28,8 @@ Another bypass is possible through some lateral movement techniques if credentia - [Atomic Test #8 - Disable UAC using reg.exe](#atomic-test-8---disable-uac-using-regexe) +- [Atomic Test #9 - Bypass UAC using SilentCleanup task](#atomic-test-9---bypass-uac-using-silentcleanup-task) +
@@ -314,4 +316,43 @@ reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v En +
+
+ +## Atomic Test #9 - Bypass UAC using SilentCleanup task +Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ + +There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). + +For example, we can set the windir registry kye to: "cmd /k REM " + +And forcefully run SilentCleanup task: + +schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I + +REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_path | Path to the bat file | String | PathToAtomicsFolder\T1548.002\src\T1548.002.bat| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +#{file_path} +``` + + + + + +