Using Havoc C2 to bypass UAC

Note: This was first published on https://100daysofredteam.com as a series of posts.
For this demonstration, I will be using Matthew David’s UAC BOF Bonanza project. This project combines multiple UAC bypass techniques into a Beacon Object File (BOF) that can be used with Havoc C2. I will be demonstrating following techniques:
- SilentCleanupWinDir — Modifies the “Environment\windir” registry key and executes the SilentCleanup scheduled task via schtasksrun by @TrustedSec.
- RegistryShellCommand — Modifies the “
ms-settings\Shell\Open\command
" registry key and executes an auto-elevated EXE (ComputerDefaults.exe). - SspiUacBypass — Forges a token from a fake network authentication though SSPI Datagram Contexts. It will then impersonate the forged token and use CreateSvcRpc by @x86matthew to create a new SYSTEM service. Original research and code is from @splinter_code.
- TrustedPathDLLHijack — Creates fake windows directory
C:\Windows \
, copies supplied DLL to location, and executes auto-elevated EXE (ComputerDefaults.exe). - CmstpElevatedCOM — Creates an elevated ICMLuaUtil COM object and calls its
ShellExec
function to execute the provided file on disk. - ColorDataProxy — Creates an elevated ICMLuaUtil COM object and calls its
SetRegistryStringValue
function to write the location of the provided file to theDisplayCalibrator
registry value residing in HKLM. It will then create an elevated IColorDataProxy COM object and call itsLaunchDccw
function, resulting in the execution of the provided file. - EditionUpgradeManager — Modifies the “Environment\windir” registry key, creates a elevated IEditionUpgradeManager COM object, and then calls the
AcquireModernLicenseWithPreviousId
function from the elevated COM object to execute the provided file.
I am using Debian 12, Ubuntu 24.04, Havoc C2 0.7 and Windows 10 target for this demonstration. I am assuming that there’s already a beacon from a Windows 10 machine calling back to Havoc C2.
Note: I am using Debian 12 with mingw-w64 version 10 or higher (along with build-essentials) to compile the project as per Matthew’s recommendation.
Install build-essentials and mingw-w64 on Debian 12:
sudo apt install build-essential
sudo apt install mingw-w64
Clone the project using the following command:
git clone https://github.com/icyguider/UAC-BOF-Bonanza.git
Compile the project:
cd UAC-BOF-Bonanza
make

To load this in Havoc C2, go to Scripts → Script Manager → Load Script and select the Havoc-UACBypass.py file.

I am assuming that there’s already a beacon from a Windows 10 machine calling back to Havoc C2.

To see available UAC bypass options, issue the following command:
help uac-bypass

UAC bypass via silentcleanup technique
To see the command format use
help uac-bypass silentcleanup

To use this technique, we need a locally stored EXE file that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2.
Let’s execute this technique:
uac-bypass trustedpath /home/rt/uac.exe


UAC bypass via sspidatagram technique
To see the command format use
help uac-bypass sspidatagram

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.
Let’s execute this technique:
uac-bypass sspidatagrap C:\Users\rt\Downloads\uac.exe


UAC bypass via registrycommand technique
To see the command format use
help uac-bypass registrycommand

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.
Let’s execute this technique:
uac-bypass registrycommand C:\Users\rt\Downloads\uac.exe


UAC bypass via trustedpath technique
To see the command format use
help uac-bypass trustedpath

To use this technique, we need a locally stored DLL file that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2.
Let’s execute this technique:
uac-bypass trustedpath /home/rt/uac.dll

Even though the execution was successful, I did not receive an elevated beacon. Maybe I need to use a different DLL.
UAC bypass via elevatedcom technique
To see the command format use
help uac-bypass elevatedcom

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.
Let’s execute this technique:
uac-bypass elevatedcom C:\Users\rt\Downloads\uac2.exe


UAC bypass via colordataproxy technique
To see the command format use
help uac-bypass colordataproxy

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.
Let’s execute this technique:
uac-bypass colordataproxy C:\Users\rt\Downloads\uac2.exe


UAC bypass via editionupgrade technique
To see the command format use
help uac-bypass editionupgrade

To use this technique, we need a locally stored EXE file that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2.
Let’s execute this technique:
uac-bypass editionupgrade /home/rt/uac2.exe


This technique is relatively more expensive due to following reasons:
- The beacon used to execute this technique became unresponsive.
- Even if you manage to land another beacon on the target machine, this technique cannot be reused without rebooting it.

Red Team Notes
- Matthew David’s UAC Bypass Bonanza can be used to bypass User Access Control on Windows machines and execute code with elevated privileges.
- Shout out to Matthew David (Icyguider) for helping me out with this.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
References