UAC Bypass Guide

TL;DR

This guide shows how to bypass User Account Control (UAC) without needing a Meterpreter session. We’ll use a combination of techniques, focusing on creating a task that runs with elevated privileges.

Prerequisites

• Windows machine
• Administrative access (to initially set up the bypass)
• Basic understanding of command line

Steps

1. Create a Scheduled Task

   We’ll create a task that executes a PowerShell script. This script will then launch cmd.exe with elevated privileges.

   schtasks /create /tn "ElevatedCmd" /tr "powershell -ExecutionPolicy Bypass -Command "Start-Process cmd -Verb RunAs"" /sc ONCE /ru SYSTEM

   Explanation:

   • schtasks /create: Creates a new scheduled task.
   • /tn "ElevatedCmd": Sets the task name to ‘ElevatedCmd’. Choose any unique name you like.
   • /tr "powershell -ExecutionPolicy Bypass -Command "Start-Process cmd -Verb RunAs"": Specifies the command to run. This launches PowerShell, bypasses execution policy restrictions, and starts cmd.exe with ‘Run As administrator’ (elevated privileges).
   • /sc ONCE: Sets the task schedule to run only once.
   • /ru SYSTEM: Runs the task as the SYSTEM account, which has high privileges.
2. Trigger the Task

   Now we need to trigger the scheduled task.

   schtasks /run /tn "ElevatedCmd"

   This will prompt UAC if it’s enabled. However, because the task is configured to run as SYSTEM and uses PowerShell with bypass, it can often circumvent standard UAC restrictions.

3. Verify Elevated Command Prompt

   If successful, an elevated command prompt window will appear. You can confirm this by typing whoami in the cmd window; it should show ‘nt authoritysystem’.

   whoami

4. Alternative Task Configuration (Using a Batch File)

   Instead of PowerShell, you can use a batch file. First create a batch file named elevate.bat with the following content:

   @echo off
   runas cmd.exe

   Then modify the task creation command to use this batch file:

   schtasks /create /tn "ElevatedCmd" /tr "C:pathtoelevate.bat" /sc ONCE /ru SYSTEM

   (Replace C:pathtoelevate.bat with the actual path to your batch file.)

5. Important Considerations
   • Antivirus/EDR: Antivirus and Endpoint Detection and Response (EDR) solutions may detect this technique.
   • UAC Levels: The effectiveness of this bypass depends on the UAC level configured on the system. Higher UAC levels are more resistant.
   • Logging: This activity will likely be logged in Windows Event Logs.