C# tool for UAC bypasses

SharpBypassUAC currently supports the eventvwr, fodhelper, computerdefaults, sdclt, slui, and DiskCleanup UAC bypasses.

SharpBypassUAC accepts a base64 encoded windows command to be executed in high integrity. The command is base64 encoded to be easily used in tools such as Covenant's "Assembly" task

-b, --bypass=VALUE Bypass to execute: eventvwr, fodhelper, computerdefaults, sdclt, slui

-e, --encodedCommand=VALUE Base64 encoded command to execute

SharpBypassUAC.exe -b eventvwr -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhl

SharpBypassUAC.exe -b fodhelper -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhl

SharpBypassUAC.exe -b computerdefaults -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhl

SharpBypassUAC.exe -b sdclt -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhl

• Note: this appears to only work on Windows 10 in my testing

SharpBypassUAC.exe -b slui -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhl

SharpBypassUAC.exe -b dikcleanup -e Y21kIC9jIHN0YXJ0IGNhbGMuZXhlICYmIFJFTQ==

• Note: The command you execute will need to end in "&& REM"

Most of these bypasses rely on modifying registry keys in the HKCU hive, specifically keys under HKCU\Software\Classes. HKCU\Software\Classes\ should be monitored for any new keys or modification to existing keys. If this is too noisy in your environment, the specific keys used for each technique are listed below.

Registry modifications to:

• HKCU\Software\Classes\mscfile\Shell\Open\command
  • Modifies the "(default)" value with the command to execute

Registry modifications to:

• HKCU\Software\Classes\ms-settings\Shell\Open\command
  • Modifies the "(default)" value with the command to execute
  • Modifies the "DelegateExecute" value with an empty value

Registry modifications to:

• HKCU\Software\Classes\ms-settings\Shell\Open\command
  • Modifies the "(default)" value with the command to execute
  • Modifies the "DelegateExecute" value with an empty value

Registry modifications to:

• HKCU\Software\Classes\Folder\shell\open\command
  • Modifies the "(default)" value with the command to execute
  • Modifies the "DelegateExecute" value with an empty value

Registry modifications to:

• HKCU\Software\Classes\exefile\Shell\Open\command
  • Modifies the "(default)" value with the command to execute

Registry modifications to:

• HKCU\Environment
  • Modifies the "windir" value with the command to execute

Starts the "\Microsoft\Windows\DiskCleanup\SilentCleanup" scheduled task. Example:

schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

eventvwr: enigma0x3's Invoke-EventVwrBypass.ps1 script

fodhelper and computerdefaults: winscripting.blog's FodhelperBypass.ps1 script

sdclt: Emeric Nasi's blog post

slui: bytecode77's slui file handler hijack tool

DiskCleanup: enigma0x3's Bypassing UAC on Windows 10 using Disk Cleanup blog post and gushmazuko's DiskCleanupBypass_direct.ps1 script

Many of these were discovered by going through the UACME project found on github.