Penetration testing tool UACMe: abusing the built-in Windows AutoElevate backdoor

Git repository:

hfiref0x/UACME: Defeating Windows User Account Control (github.com)


System requirements

  • x86-32/x64 Windows 7/8/8.1/10 (client; some methods, however, also work on server editions).
  • An administrator account with UAC set to its default settings is required.

Usage

Run the executable from the command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for details.

The first parameter is the number of the method to use; the second is an optional command to run (an executable file name, including its full path). The second parameter may be left empty, in which case the program executes an elevated cmd.exe from the system32 folder.

Note: starting with version 3.5.0, all "fixed" methods are considered obsolete and have been completely removed together with all their supporting code/units. If you still need them, use the v3.2.x branch.

  1. Author: Leo Davidson
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): cryptbase.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 8.1 (9600)
      • How: sysprep.exe hardened LoadFrom manifest elements
    • Code status: removed starting from v3.5.0 
  2. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): ShCore.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 8.1 (9600)
    • Fixed in: Windows 10 TP (> 9600)
      • How: Side effect of ShCore.dll moving to \KnownDlls
    • Code status: removed starting from v3.5.0 
  3. Author: Leo Davidson derivative by WinNT/Pitou
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\oobe\setupsqm.exe
    • Component(s): WdsCore.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH2 (10558)
      • How: Side effect of OOBE redesign
    • Code status: removed starting from v3.5.0 
  4. Author: Jon Ericson, WinNT/Gootkit, mzH
    • Type: AppCompat
    • Method: RedirectEXE Shim
    • Target(s): \system32\cliconfg.exe
    • Component(s): -
    • Implementation: ucmShimRedirectEXE
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TP (> 9600)
      • How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions
    • Code status: removed starting from v3.5.0 
  5. Author: WinNT/Simda
    • Type: Elevated COM interface
    • Method: ISecurityEditor
    • Target(s): HKLM registry keys
    • Component(s): -
    • Implementation: ucmSimdaTurnOffUac
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH1 (10147)
      • How: ISecurityEditor interface method changed
    • Code status: removed starting from v3.5.0 
  6. Author: Win32/Carberp
    • Type: Dll Hijack
    • Method: WUSA
    • Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe
    • Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll
    • Implementation: ucmWusaMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH1 (10147)
      • How: WUSA /extract option removed
    • Code status: removed starting from v3.5.0 
  7. Author: Win32/Carberp derivative
    • Type: Dll Hijack
    • Method: WUSA
    • Target(s): \system32\cliconfg.exe
    • Component(s): ntwdblib.dll
    • Implementation: ucmWusaMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH1 (10147)
      • How: WUSA /extract option removed
    • Code status: removed starting from v3.5.0 
  8. Author: Leo Davidson derivative by Win32/Tilon
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): Actionqueue.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 8.1 (9600)
      • How: sysprep.exe hardened LoadFrom manifest
    • Code status: removed starting from v3.5.0 
  9. Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative
    • Type: Dll Hijack
    • Method: IFileOperation, ISecurityEditor, WUSA
    • Target(s): IFEO registry keys, \system32\cliconfg.exe
    • Component(s): Attacker defined Application Verifier Dll
    • Implementation: ucmAvrfMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH1 (10147)
      • How: WUSA /extract option removed, ISecurityEditor interface method changed
    • Code status: removed starting from v3.5.0 
  10. Author: WinNT/Pitou, Win32/Carberp derivative
    • Type: Dll Hijack
    • Method: IFileOperation, WUSA
    • Target(s): \system32\{New}or{Existing}\{autoelevated}.exe, e.g. winsat.exe
    • Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll
    • Implementation: ucmWinSATMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH2 (10548)
      • How: AppInfo elevated application path control hardening
    • Code status: removed starting from v3.5.0 
  11. Author: Jon Ericson, WinNT/Gootkit, mzH
    • Type: AppCompat
    • Method: Shim Memory Patch
    • Target(s): \system32\iscsicli.exe
    • Component(s): Attacker prepared shellcode
    • Implementation: ucmShimPatch
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 8.1 (9600)
      • How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions
    • Code status: removed starting from v3.5.0 
  12. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): dbgcore.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 10 TH1 (10240)
    • Fixed in: Windows 10 TH2 (10565)
      • How: sysprep.exe manifest updated
    • Code status: removed starting from v3.5.0 
  13. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\mmc.exe EventVwr.msc
    • Component(s): elsext.dll
    • Implementation: ucmMMCMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14316)
      • How: Missing dependency removed
    • Code status: removed starting from v3.5.0 
  14. Author: Leo Davidson, WinNT/Sirefef derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system\credwiz.exe, \system32\wbem\oobe.exe
    • Component(s): netutils.dll
    • Implementation: ucmSirefefMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH2 (10548)
      • How: AppInfo elevated application path control hardening
    • Code status: removed starting from v3.5.0 
  15. Author: Leo Davidson, Win32/Addrop, Metasploit derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\cliconfg.exe
    • Component(s): ntwdblib.dll
    • Implementation: ucmGenericAutoelevation
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14316)
      • How: Cliconfg.exe autoelevation removed
    • Code status: removed starting from v3.5.0 
  16. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe
    • Component(s): SLC.dll
    • Implementation: ucmGWX
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14316)
      • How: AppInfo elevated application path control and inetmgr executable hardening
    • Code status: removed starting from v3.5.0 
  17. Author: Leo Davidson derivative
    • Type: Dll Hijack (Import forwarding)
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): unbcl.dll
    • Implementation: ucmStandardAutoElevation2
    • Works from: Windows 8.1 (9600)
    • Fixed in: Windows 10 RS1 (14371)
      • How: sysprep.exe manifest updated
    • Code status: removed starting from v3.5.0 
  18. Author: Leo Davidson derivative
    • Type: Dll Hijack (Manifest)
    • Method: IFileOperation
    • Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest)
    • Component(s): Attacker defined
    • Implementation: ucmAutoElevateManifest
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14371)
      • How: Manifest parsing logic reviewed
    • Code status: removed starting from v3.5.0 
  19. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\inetsrv\inetmgr.exe
    • Component(s): MsCoree.dll
    • Implementation: ucmInetMgrMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14376)
      • How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
    • Code status: removed starting from v3.5.0 
  20. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\mmc.exe, Rsop.msc
    • Component(s): WbemComn.dll
    • Implementation: ucmMMCMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS3 (16232)
      • How: Target requires wbemcomn.dll to be signed by MS
    • Code status: removed starting from v3.5.0 
  21. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation, SxS DotLocal
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): comctl32.dll
    • Implementation: ucmSXSMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS3 (16232)
      • How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
    • Code status: removed starting from v3.5.0 
  22. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation, SxS DotLocal
    • Target(s): \system32\consent.exe
    • Component(s): comctl32.dll
    • Implementation: ucmSXSMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.5.0
  23. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\pkgmgr.exe
    • Component(s): DismCore.dll
    • Implementation: ucmDismMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.5.1
  24. Author: BreakingMalware
    • Type: Shell API
    • Method: Environment variables expansion
    • Target(s): \system32\CompMgmtLauncher.exe
    • Component(s): Attacker defined
    • Implementation: ucmCometMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS2 (15031)
      • How: CompMgmtLauncher.exe autoelevation removed
    • Code status: removed starting from v3.5.0 
  25. Author: Enigma0x3
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe
    • Component(s): Attacker defined
    • Implementation: ucmHijackShellCommandMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS2 (15031)
      • How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed
    • Code status: removed starting from v3.5.0 
  26. Author: Enigma0x3
    • Type: Race Condition
    • Method: File overwrite
    • Target(s): %temp%\GUID\dismhost.exe
    • Component(s): LogProvider.dll
    • Implementation: ucmDiskCleanupRaceCondition
    • Works from: Windows 10 TH1 (10240)
    • AlwaysNotify compatible
    • Fixed in: Windows 10 RS2 (15031)
      • How: File security permissions altered
    • Code status: removed starting from v3.5.0 
  27. Author: ExpLife
    • Type: Elevated COM interface
    • Method: IARPUninstallStringLauncher
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmUninstallLauncherMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS3 (16199)
      • How: UninstallStringLauncher interface removed from COMAutoApprovalList
    • Code status: removed starting from v3.5.0 
  28. Author: Exploit/Sandworm
    • Type: Whitelisted component
    • Method: InfDefaultInstall
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmSandwormMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 8.1 (9600)
      • How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)
    • Code status: removed starting from v3.5.0 
  29. Author: Enigma0x3
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\sdclt.exe
    • Component(s): Attacker defined
    • Implementation: ucmAppPathMethod
    • Works from: Windows 10 TH1 (10240)
    • Fixed in: Windows 10 RS3 (16215)
      • How: Shell API update
    • Code status: removed starting from v3.5.0 
  30. Author: Leo Davidson derivative, lhc645
    • Type: Dll Hijack
    • Method: WOW64 logger
    • Target(s): \syswow64\{any elevated exe, e.g wusa.exe}
    • Component(s): wow64log.dll
    • Implementation: ucmWow64LoggerMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.7.0
  31. Author: Enigma0x3
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\sdclt.exe
    • Component(s): Attacker defined
    • Implementation: ucmSdcltIsolatedCommandMethod
    • Works from: Windows 10 TH1 (10240)
    • Fixed in: Windows 10 RS4 (17025)
      • How: Shell API / Windows components update
    • Code status: removed starting from v3.5.0 
  32. Author: xi-tauw
    • Type: Dll Hijack
    • Method: UIPI bypass with uiAccess application
    • Target(s): \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exe
    • Component(s): duser.dll, osksupport.dll
    • Implementation: ucmUiAccessMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.7.1
  33. Author: winscripting.blog
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\fodhelper.exe
    • Component(s): Attacker defined
    • Implementation: ucmShellRegModMethod
    • Works from: Windows 10 TH1 (10240)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.7.2
  34. Author: James Forshaw
    • Type: Shell API
    • Method: Environment variables expansion
    • Target(s): \system32\svchost.exe via \system32\schtasks.exe
    • Component(s): Attacker defined
    • Implementation: ucmDiskCleanupEnvironmentVariable
    • Works from: Windows 8.1 (9600)
    • AlwaysNotify compatible
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.7.2
  35. Author: CIA & James Forshaw
    • Type: Impersonation
    • Method: Token Manipulations
    • Target(s): Autoelevated applications
    • Component(s): Attacker defined
    • Implementation: ucmTokenModification
    • Works from: Windows 7 (7600)
    • AlwaysNotify compatible, see note
    • Fixed in: Windows 10 RS5 (17686)
      • How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check added
    • Code status: removed starting from v3.5.0 
  36. Author: Thomas Vanhoutte aka SandboxEscaper
    • Type: Race condition
    • Method: NTFS reparse point & Dll Hijack
    • Target(s): wusa.exe, pkgmgr.exe
    • Component(s): Attacker defined
    • Implementation: ucmJunctionMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.7.4
  37. Author: Ernesto Fernandez, Thomas Vanhoutte
    • Type: Dll Hijack
    • Method: SxS DotLocal, NTFS reparse point
    • Target(s): \system32\dccw.exe
    • Component(s): GdiPlus.dll
    • Implementation: ucmSXSDccwMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.7.5
  38. Author: Clement Rouault
    • Type: Whitelisted component
    • Method: APPINFO command line spoofing
    • Target(s): \system32\mmc.exe
    • Component(s): Attacker defined
    • Implementation: ucmHakrilMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.7.6
  39. Author: Stefan Kanthak
    • Type: Dll Hijack
    • Method: .NET Code Profiler
    • Target(s): \system32\mmc.exe
    • Component(s): Attacker defined
    • Implementation: ucmCorProfilerMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.7.7
  40. Author: Ruben Boonen
    • Type: COM Handler Hijack
    • Method: Registry key manipulation
    • Target(s): \system32\mmc.exe, \system32\recdisc.exe
    • Component(s): Attacker defined
    • Implementation: ucmCOMHandlersMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 19H1 (18362)
      • How: Side effect of Windows changes
    • Code status: removed starting from v3.5.0 
  41. Author: Oddvar Moe
    • Type: Elevated COM interface
    • Method: ICMLuaUtil
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmCMLuaUtilShellExecMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.7.9
  42. Author: BreakingMalware and Enigma0x3
    • Type: Elevated COM interface
    • Method: IFwCplLua
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmFwCplLuaMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS4 (17134)
      • How: Shell API update
    • Code status: removed starting from v3.5.0 
  43. Author: Oddvar Moe derivative
    • Type: Elevated COM interface
    • Method: IColorDataProxy, ICMLuaUtil
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmDccwCOMMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v2.8.3
  44. Author: bytecode77
    • Type: Shell API
    • Method: Environment variables expansion
    • Target(s): Multiple auto-elevated processes
    • Component(s): Various per target
    • Implementation: ucmVolatileEnvMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS3 (16299)
      • How: Current user system directory variables ignored during process creation
    • Code status: removed starting from v3.5.0 
  45. Author: bytecode77
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\slui.exe
    • Component(s): Attacker defined
    • Implementation: ucmSluiHijackMethod
    • Works from: Windows 8.1 (9600)
    • Fixed in: Windows 10 20H1 (19041)
      • How: Side effect of Windows changes
    • Code status: removed starting from v3.5.0 
  46. Author: Anonymous
    • Type: Race Condition
    • Method: Registry key manipulation
    • Target(s): \system32\BitlockerWizardElev.exe
    • Component(s): Attacker defined
    • Implementation: ucmBitlockerRCMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS4 (>16299)
      • How: Shell API update
    • Code status: removed starting from v3.5.0 
  47. Author: clavoillotte & 3gstudent
    • Type: COM Handler Hijack
    • Method: Registry key manipulation
    • Target(s): \system32\mmc.exe
    • Component(s): Attacker defined
    • Implementation: ucmCOMHandlersMethod2
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 19H1 (18362)
      • How: Side effect of Windows changes
    • Code status: removed starting from v3.5.0 
  48. Author: deroko
    • Type: Elevated COM interface
    • Method: ISPPLUAObject
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmSPPLUAObjectMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS5 (17763)
      • How: ISPPLUAObject interface method changed
    • Code status: removed starting from v3.5.0 
  49. Author: RinN
    • Type: Elevated COM interface
    • Method: ICreateNewLink
    • Target(s): \system32\TpmInit.exe
    • Component(s): WbemComn.dll
    • Implementation: ucmCreateNewLinkMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14393)
      • How: Side effect of consent.exe COMAutoApprovalList introduction
    • Code status: removed starting from v3.5.0 
  50. Author: Anonymous
    • Type: Elevated COM interface
    • Method: IDateTimeStateWrite, ISPPLUAObject
    • Target(s): w32time service
    • Component(s): w32time.dll
    • Implementation: ucmDateTimeStateWriterMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS5 (17763)
      • How: Side effect of ISPPLUAObject interface change
    • Code status: removed starting from v3.5.0 
  51. Author: bytecode77 derivative
    • Type: Elevated COM interface
    • Method: IAccessibilityCplAdmin
    • Target(s): \system32\rstrui.exe
    • Component(s): Attacker defined
    • Implementation: ucmAcCplAdminMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS4 (17134)
      • How: Shell API update
    • Code status: removed starting from v3.5.0 
  52. Author: David Wells
    • Type: Whitelisted component
    • Method: AipNormalizePath parsing abuse
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmDirectoryMockMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.0.4
  53. Author: Emeric Nasi
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\sdclt.exe
    • Component(s): Attacker defined
    • Implementation: ucmShellRegModMethod
    • Works from: Windows 10 (14393)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.1.3
  54. Author: egre55
    • Type: Dll Hijack
    • Method: Dll path search abuse
    • Target(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe
    • Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll
    • Implementation: ucmEgre55Method
    • Works from: Windows 10 (14393)
    • Fixed in: Windows 10 19H1 (18362)
      • How: SysDm.cpl!_CreateSystemRestorePage has been updated for secured load library call
    • Code status: removed starting from v3.5.0 
  55. Author: James Forshaw
    • Type: GUI Hack
    • Method: UIPI bypass with token modification
    • Target(s): \system32\osk.exe, \system32\msconfig.exe
    • Component(s): Attacker defined
    • Implementation: ucmTokenModUIAccessMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.1.5
  56. Author: Hashim Jawad
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\WSReset.exe
    • Component(s): Attacker defined
    • Implementation: ucmShellRegModMethod2
    • Works from: Windows 10 (17134)
    • Fixed in: Windows 11 (22000)
      • How: Windows components redesign
    • Code status: removed starting from v3.5.7 
  57. Author: Leo Davidson derivative by Win32/Gapz
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): unattend.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 8.1 (9600)
      • How: sysprep.exe hardened LoadFrom manifest elements
    • Code status: removed starting from v3.5.0 
  58. Author: RinN
    • Type: Elevated COM interface
    • Method: IEditionUpgradeManager
    • Target(s): \system32\clipup.exe
    • Component(s): Attacker defined
    • Implementation: ucmEditionUpgradeManagerMethod
    • Works from: Windows 10 (14393)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.2.0
  59. Author: James Forshaw
    • Type: AppInfo ALPC
    • Method: RAiLaunchAdminProcess and DebugObject
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmDebugObjectMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.2.3
  60. Author: Enigma0x3 derivative by WinNT/Glupteba
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\CompMgmtLauncher.exe
    • Component(s): Attacker defined
    • Implementation: ucmGluptebaMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS2 (15063)
      • How: CompMgmtLauncher.exe autoelevation removed
    • Code status: removed starting from v3.5.0 
  61. Author: Enigma0x3/bytecode77 derivative by Nassim Asrir
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\slui.exe, \system32\changepk.exe
    • Component(s): Attacker defined
    • Implementation: ucmShellRegModMethod
    • Works from: Windows 10 (14393)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.2.5
  62. Author: winscripting.blog
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\computerdefaults.exe
    • Component(s): Attacker defined
    • Implementation: ucmShellRegModMethod
    • Works from: Windows 10 RS4 (17134)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.2.6
  63. Author: Arush Agarampur
    • Type: Dll Hijack
    • Method: ISecurityEditor
    • Target(s): Native Image Cache elements
    • Component(s): Attacker defined
    • Implementation: ucmNICPoisonMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.2.7
  64. Author: Arush Agarampur
    • Type: Elevated COM interface
    • Method: IIEAxiAdminInstaller, IIEAxiInstaller2, IFileOperation
    • Target(s): IE add-on install cache
    • Component(s): Attacker defined
    • Implementation: ucmIeAddOnInstallMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.5.1
  65. Author: Arush Agarampur
    • Type: Elevated COM interface
    • Method: IWscAdmin
    • Target(s): Shell Protocol Hijack
    • Component(s): Attacker defined
    • Implementation: ucmWscActionProtocolMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.5.2
  66. Author: Arush Agarampur
    • Type: Elevated COM interface
    • Method: IFwCplLua, Shell Protocol Hijack
    • Target(s): Shell protocol registry entry and environment variables
    • Component(s): Attacker defined
    • Implementation: ucmFwCplLuaMethod2
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.5.3
  67. Author: Arush Agarampur
    • Type: Shell API
    • Method: Shell Protocol Hijack
    • Target(s): \system32\fodhelper.exe
    • Component(s): Attacker defined
    • Implementation: ucmMsSettingsProtocolMethod
    • Works from: Windows 10 TH1 (10240)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.5.4
  68. Author: Arush Agarampur
    • Type: Shell API
    • Method: Shell Protocol Hijack
    • Target(s): \system32\wsreset.exe
    • Component(s): Attacker defined
    • Implementation: ucmMsStoreProtocolMethod
    • Works from: Windows 10 RS5 (17763)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.5.5
  69. Author: Arush Agarampur
    • Type: Shell API
    • Method: Environment variables expansion, Dll Hijack
    • Target(s): \system32\taskhostw.exe
    • Component(s): pcadm.dll
    • Implementation: ucmPcaMethod
    • Works from: Windows 7 (7600)
    • AlwaysNotify compatible
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.5.6
  70. Author: V3ded
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\fodhelper.exe, \system32\computerdefaults.exe
    • Component(s): Attacker defined
    • Implementation: ucmShellRegModMethod3
    • Works from: Windows 10 (10240)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.5.7
  71. Author: Arush Agarampur
    • Type: Dll Hijack
    • Method: ISecurityEditor
    • Target(s): Native Image Cache elements
    • Component(s): Attacker defined
    • Implementation: ucmNICPoisonMethod2
    • Works from: Windows 7 RTM (7600)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.5.8
  72. Author: Emeric Nasi
    • Type: Dll Hijack
    • Method: Dll path search abuse
    • Target(s): \syswow64\msdt.exe, \system32\sdiagnhost.exe
    • Component(s): BluetoothDiagnosticUtil.dll
    • Implementation: ucmMsdtMethod
    • Works from: Windows 10 (10240)
    • Fixed in: unfixed 
      • How: -
    • Code status: added in v3.5.9

Notes:

  • Methods (30), (63) and above are implemented only in the x64 version;
  • Method (30) requires x64 because it abuses a WOW64 subsystem feature;
  • Method (55) is not very reliable (like any GUI hack) and is included just for fun.

Run examples:

  • akagi32.exe 23
  • akagi64.exe 61
  • akagi32 23 c:\windows\system32\calc.exe
  • akagi64 61 c:\windows\system32\charmap.exe

Warnings

  • This tool shows only popular UAC bypass methods used by malware, and reimplements some of them in a different way to improve on the original concepts. Other methods exist that are not yet publicly known. Be aware of this;
  • This tool is not intended for AV testing and has not been tested to work in aggressive AV environments; if you still plan to use it alongside installed bloatware AV software, use it at your own risk;
  • Some AVs may flag this tool as HackTool; MSE/WinDefender constantly marks it as malware. Nope;
  • If you run this program on a real computer, remember to remove all program leftovers after use; see the source code for more information about the files it drops into the system folder;
  • Most of the methods were created for x64 with no x86-32 support in mind. I see no sense in supporting 32-bit versions of Windows or wow64, but with small adjustments most of them will also work under wow64.

If you want to know why this still exists and works, here is the explanation, the official Microsoft WHITEFLAG (including a totally incompetent statement as a bonus): There are really only two effectively distinct settings for the UAC slider - The Old New Thing

Windows 10 support and testing policy

  • UACMe is tested only with the LTSB/LTSC variants (1607/1809) and the latest RTM-1 release; for example, if the current release is 2004, it is tested on 2004 (19041) and on the previous release, 1909 (18363);
  • Insider builds are not supported, because methods may already be fixed there.

Protection

  • An account without administrative privileges.
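The two preconditions stated above (an administrator account, and UAC at its default level) are the only things a defender has to break to take most of the listed methods off the table; the entries marked "AlwaysNotify compatible" in the method list are the exceptions. The following PowerShell is an added, read-only posture check written for this page; it is not UACMe code and is not part of the project. It assumes the Microsoft-documented meaning of the EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop policy values and the well-known Administrators SID S-1-5-32-544; the function names are the example's own.

```powershell
# Added example, not part of UACMe: report whether this host matches the README's
# stated preconditions (admin account + UAC at Default) and whether the
# "Always notify" level, which most listed methods are not marked compatible
# with, is in effect. Nothing is modified.

function Get-PolicyValue($props, $name, $default) {
    # Missing value means the policy was never written; fall back to the documented default.
    if ($null -eq $props.$name) { $default } else { [int]$props.$name }
}

function Get-UacLevel {
    # Documented location of the UAC policy values (assumption: Microsoft's documented meanings).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    $enableLua = Get-PolicyValue $p 'EnableLUA' 1
    $consent   = Get-PolicyValue $p 'ConsentPromptBehaviorAdmin' 5
    $secure    = Get-PolicyValue $p 'PromptOnSecureDesktop' 1

    if ($enableLua -eq 0) {
        $name = 'Disabled'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        $name = 'AlwaysNotify'          # top slider position
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        $name = 'Default'               # the README's "UAC set to default"
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        $name = 'NotifyNoSecureDesktop'
    } elseif ($consent -eq 0) {
        $name = 'NeverNotify'
    } else {
        $name = 'Custom'
    }

    [pscustomobject]@{
        Level                      = $name
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
    }
}

function Get-AdminState {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)
    # Administrators well-known SID. It stays in a UAC-filtered token (deny-only),
    # so this tells us about group membership, not about the current elevation state.
    $inAdmins = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
    # IsInRole is true only when the process already runs with the unfiltered token.
    $elevated = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        User          = $id.Name
        InAdminsGroup = $inAdmins
        Elevated      = $elevated
    }
}

function Get-UacPosture {
    $uac = Get-UacLevel
    $adm = Get-AdminState

    # Exposure expressed in the README's own terms.
    $meetsPrecondition = $adm.InAdminsGroup -and $uac.Level -eq 'Default'
    if (-not $adm.InAdminsGroup) {
        $reco = 'OK: non-admin account (the README''s "Protection" entry)'
    } elseif ($uac.Level -eq 'AlwaysNotify') {
        $reco = 'Partial: only methods marked "AlwaysNotify compatible" remain applicable'
    } else {
        $reco = 'Exposed: use a standard user account for daily work; elevate only on demand'
    }

    [pscustomobject]@{
        User                  = $adm.User
        InAdminsGroup         = $adm.InAdminsGroup
        Elevated              = $adm.Elevated
        UacLevel              = $uac.Level
        MeetsToolPrecondition = $meetsPrecondition
        Recommendation        = $reco
    }
}

Get-UacPosture | Format-List
```

Run it in the interactive user's session (not from an already elevated prompt, which would report Elevated=True and hide the split-token case the tool relies on). MeetsToolPrecondition=True is the configuration the method list was written against; a standard user account is the fix the page itself recommends, and AlwaysNotify narrows the exposure to the handful of entries flagged as compatible with it.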

Malware usage

  • We are not responsible for any use of this tool for malicious purposes. It is free, open source and provided as is to everyone.

Other usage

  • Currently used as a "signature" for the "THOR APT" scanner (handmade pattern-matching crapware from Germany). We are not responsible for this tool's usage in crapware;
  • The repository GitHub - hfiref0x/UACME: Defeating Windows User Account Control and its contents are the only genuine source of UACMe code. We have nothing to do with external links to this project, with mentions of it anywhere, or with modifications (forks);
  • In July 2016 the so-called "security company" Cymmetria released a report about a script-kiddie malware bundle called "Patchwork" and mistakenly labelled it an APT. They stated it was using the "UACME method", when in fact it was just a slightly and unprofessionally modified injector dll from UACMe v1.9, and was using the Carberp/Pitou hybrid method in the malware's own self-implemented way. We are not responsible for the use of UACMe in the questionable advertising campaigns of third-party "security companies".

Source code

  • UACMe comes with full source code, written in C;
  • To build from source you need Microsoft Visual Studio 2015 or later.

Compiled binaries

  • No longer provided since 2.8.9, and they will never be provided in the future. The reasons (and why you should not provide them to the public either):
    • Take even a simple look at this project and it is a HackTool, although the original goal was to be a demonstrator. Naturally, some AVs detect it as HackTool (e.g. MS WD), but most VirusTotal patients detect it as generic "malware". This is of course incorrect, but unfortunately some lazy malware writers blindly copy-paste the code into their crapware (or even use this tool directly), so some AVs created signatures based on parts of the project code;
    • By providing compiled binaries to everyone you make script-kiddies' lives much easier, since the need to compile from source is a perfect barrier for extremely dumb script-kiddies and "button-clickers";
    • Compiled binaries in the repository will eventually cause various content filters (SmartScreen, Google Safe Browsing, etc.) to flag this repository page as malicious (for the reasons above).
  • This decision is final and will not change.

Tips

  • First select the "Platform Toolset" for the projects in the solution you want to build (Project > Properties > General):
    • v140 for Visual Studio 2015;
    • v141 for Visual Studio 2017;
    • v142 for Visual Studio 2019.
  • For v140 and above, set the Target Platform Version (Project > Properties > General):
    • If v140 is selected, choose 8.1 (note that the Windows 8.1 SDK must be installed);
    • If v141/v142, choose "10" (note that the Windows 10 (19041) SDK must be installed).
  • To build a working binary:
    • Compile the payload units
    • Compile the Naka module
    • Encrypt all payload units with the Naka module
    • Generate the secret blob for these units with the Naka module
    • Move the compiled units and the secret blob to the Akagi\Bin directory
    • Rebuild Akagi

References

  • Windows 7 UAC whitelist: Code-injection Issue (and more)
  • Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
  • Junfeng Zhang from the WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/
  • Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog
  • KernelMode.Info UACMe thread, https://www.kernelmode.info/forum/viewtopicf985.html?f=11&t=3643
  • Command Injection/Elevation - Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
  • "Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking | enigma0x3
  • Bypassing UAC on Windows 10 using Disk Cleanup | enigma0x3
  • Bypassing UAC using the IARPUninstallStringLauncher COM interface (FreeBuf)
  • Bypassing UAC using App Paths | enigma0x3
  • "Fileless" UAC Bypass using sdclt.exe, https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
  • UAC Bypass, or a story about three escalations (Habr)
  • Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
  • First entry: Welcome and fileless UAC bypass – winscripting.blog
  • Reading Your Way Around UAC, in 3 parts:
    1. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html
    2. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html
    3. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
  • Research on CMSTP.exe – MSitPros Blog
  • UAC bypass via elevated .NET applications - Almond Offensive Security Blog
  • UAC Bypass by Mocking Trusted Directories, https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
  • Yet another sdclt UAC bypass, http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
  • SystemPropertiesAdvanced.exe DLL Hijacking UAC Bypass – egre55 – thoughts on security
  • Accessing Access Tokens for UIAccess, https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.html
  • Fileless UAC Bypass in Windows Store Binary, https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.html
  • Calling Local Windows RPC Servers from .NET, https://googleprojectzero.blogspot.com/2019/12/calling-local-windows-rpc-servers-from.html
  • Microsoft Windows 10 UAC Bypass Local Privilege Escalation, Microsoft Windows 10 Local Privilege Escalation ≈ Packet Storm
  • UACMe 3.5, WD and ways of mitigation, https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html
  • UAC bypasses from COMAutoApprovalList, https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
  • Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses
  • MSDT DLL Hijack UAC bypass - Sevagas
