UAC Bypass via Token Duplication.
Sources:
- https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1
- https://github.com/stephenfewer/ReflectiveDLLInjection
- https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-TokenDuplication.ps1
- https://tyranidslair.blogspot.ca/2017/05/reading-your-way-around-uac-part-1.html
- https://tyranidslair.blogspot.ca/2017/05/reading-your-way-around-uac-part-2.html
- https://tyranidslair.blogspot.ca/2017/05/reading-your-way-around-uac-part-3.html
- https://github.com/rsmudge/ElevateKit
UAC-TokenDuplication is a reflective DLL that will bypass UAC on any Windows 7+ version on x86 and x64. It uses the Token Duplication technique described in the references listed above, it especially draws from UAC-TokenMagic.ps1. The Aggressor script uses the DLL files to make UAC bypass simple and straightforward in Cobalt Strike. In conjunction with the Aggressor script, the DLLs need to be stored in a child folder named dll. Further details can be found at https://ijustwannared.team