Internal Infrastructure Pentest - UAC Bypass

•	Windows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
•	Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
•	Junfeng Zhang from WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/
•	Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog
•	KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
•	Command Injection/Elevation - Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
•	"Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking, https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
•	Bypassing UAC on Windows 10 using Disk Cleanup, https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
•	Using IARPUninstallStringLauncher COM interface to bypass UAC, http://www.freebuf.com/articles/system/116611.html
•	Bypassing UAC using App Paths, https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
•	"Fileless" UAC Bypass using sdclt.exe, https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
•	UAC Bypass or story about three escalations, https://habrahabr.ru/company/pm/blog/328008/
•	Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
•	First entry: Welcome and fileless UAC bypass, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
•	Reading Your Way Around UAC in 3 parts:
i.	https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html
ii.	https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html
iii.	https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
•	Research on CMSTP.exe, https://msitpros.com/?p=3960
•	https://github.com/hfiref0x/UACME