User Account Control (UAC)
User Account Control (UAC) is the Windows equivalent of sudo on Linux. It is shown when administrative privileges are required, for instance when a regular user wants to install an application for all users.
You can refer to UACME (6.3k ⭐) to defeat UAC.
Bypass UAC using eventvwr (2016)
Bypass User Account Control (UAC) using eventvwr.exe. The attack is done by editing the registry, which means you must have sufficient privileges to do so (not necessarily an admin, but not a regular user).
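From the defender's side, the eventvwr technique depends on two conditions that can be audited: UAC is set below "Always notify" (so signed Windows binaries auto-elevate without a prompt), and the per-user mscfile handler in HKCU, which eventvwr.exe consults before the machine-wide one, has been overridden. The following PowerShell is an added audit example, not code from the page or from UACME; it assumes it runs in a local PowerShell session on the host being checked and reads only documented UAC policy values.

```powershell
# Added audit example (not from the original page). Reports the UAC prompt
# level and whether a per-user mscfile handler override is present.

function Get-UacElevationPolicy {
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $sys -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        # 2 + secure desktop = "Always notify": every elevation prompts, so
        # auto-elevating binaries such as eventvwr.exe no longer elevate silently.
        AlwaysNotify = ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1)
    }
}

function Test-MscFileHandlerOverride {
    # eventvwr.exe resolves the .msc handler through HKCU first; on a clean
    # system this key does not exist for a normal user profile.
    $key = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    if (Test-Path $key) {
        $cmd = (Get-ItemProperty -Path $key).'(default)'
        [pscustomobject]@{ Present = $true;  Command = $cmd }
    } else {
        [pscustomobject]@{ Present = $false; Command = $null }
    }
}

Get-UacElevationPolicy
Test-MscFileHandlerOverride
```

A `Present = $true` result for the HKCU handler is worth an alert on any host where users are not expected to register their own MSC handlers, and `AlwaysNotify = $false` is the setting that makes this whole class of auto-elevation bypasses possible.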
Bypass UAC using SystemPropertiesAdvanced (2016)
The 32-bit version of SystemPropertiesAdvanced, located at C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe, can be exploited to bypass UAC if srrstr.dll is not found in the Windows directories.
Create and put a DLL in any folder that is within the path and execute the binary above to execute your DLL while bypassing UAC.
➡️ You can use msfvenom to create a malicious DLL.
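The precondition for this bypass is a DLL search-order hijack: srrstr.dll is absent from the system directories and some directory on PATH is writable by a standard user. The PowerShell below is an added audit example, not from the page or any tool it mentions; it assumes a local session and checks both conditions, flagging PATH entries that grant write rights to Everyone, Authenticated Users or BUILTIN\Users.

```powershell
# Added audit example (not from the original page): find the conditions a
# srrstr.dll hijack needs so they can be fixed before anyone abuses them.

function Test-SrrstrPresent {
    foreach ($d in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        [pscustomobject]@{
            Directory = $d
            HasSrrstr = Test-Path (Join-Path $d 'srrstr.dll')
        }
    }
}

function Get-WritablePathDirs {
    # SIDs every interactive user holds; a write ACE for one of these means a
    # non-admin can drop a DLL into that PATH entry.
    $broad = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, Users
    $env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        $hits = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl' -and
            $(try { $broad -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
              catch { $false })   # unresolvable/orphaned SIDs are ignored
        }
        if ($hits) {
            [pscustomobject]@{
                Directory  = $dir
                GrantedTo  = ($hits.IdentityReference.Value | Sort-Object -Unique) -join ', '
            }
        }
    }
}

Test-SrrstrPresent
Get-WritablePathDirs
```

Any directory returned by `Get-WritablePathDirs` should have its ACL tightened or be removed from the system PATH; together with raising UAC to "Always notify", that closes the hijack regardless of which missing DLL an auto-elevating binary asks for.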
CVE-2019-1388
A flaw in UAC allows a user to open a browser as Administrator, which can be further exploited to start a shell as Administrator.
AlwaysInstallElevated Misconfiguration
If an administrator has allowed programs to be installed without administrator privileges (the AlwaysInstallElevated policy), then we can install a malicious program with those privileges.
PS> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
PS> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
PS> msiexec /quiet /qn /i $Env:TMP\malicious.msi
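The two reg query commands above show the raw values; Windows Installer only elevates when the policy is set to 1 in both HKLM and HKCU, so a check should evaluate the pair rather than either key alone. The following PowerShell is an added example, not from the page; it assumes a local session, reports whether the misconfiguration is present, and includes the remediation (writing the HKLM value needs an elevated session).

```powershell
# Added example (not from the original page): detect and remediate the
# AlwaysInstallElevated misconfiguration.

$installerPolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Test-AlwaysInstallElevated {
    $values = foreach ($p in $installerPolicyPaths) {
        $v = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Hive = $p.Split(':')[0]; AlwaysInstallElevated = $v }
    }
    # Both the machine and the user policy must be 1 for msiexec to run a
    # package with elevated privileges; a single 1 is not exploitable.
    $enabledCount = @($values | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count
    [pscustomobject]@{
        Values       = $values
        Misconfigured = ($enabledCount -eq 2)
    }
}

function Disable-AlwaysInstallElevated {
    foreach ($p in $installerPolicyPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

$result = Test-AlwaysInstallElevated
$result.Values | Format-Table -AutoSize
if ($result.Misconfigured) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives; run Disable-AlwaysInstallElevated from an elevated session.'
}
```

If the policy is managed by Group Policy, change it there (Computer/User Configuration > Administrative Templates > Windows Components > Windows Installer) rather than only in the registry, or the next policy refresh will re-enable it.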