Most of the UAC bypass techniques require dropping a file to disk (for example, placing a
DLL on disk to perform a DLL hijack). The technique used in this module differs from the
other public methods and provides a useful new technique that does not rely on a privileged
file copy, code injection, or placing a traditional file on disk.
As a normal user you have write access to keys in HKCU. If an elevated process interacts
with keys you are able to manipulate, you can potentially interfere with actions a high
integrity process is attempting to perform (hijack the process being started). Because I
was able to hijack the process, it is possible to simply execute whatever malicious
cmd.exe or powershell.exe command you wish.
This means that code execution has been achieved in a high integrity process
(bypassing UAC) without dropping a DLL or other file to the file system. This
significantly reduces the risk to the attacker because they aren't placing a traditional
file on the file system that can be caught by AV/HIPS or forensically identified later.
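From the defender's side, the property described above (a user-writable HKCU key read by a process that later runs at high integrity) is what you want to detect. The following is an added example, not code from the original post or from the module it describes: it correlates Sysmon-style registry write events (EventID 13) by a Medium-integrity process against per-user command-handler keys with a High-integrity process start (EventID 1) by the same user within a short window. The sample events, field names, the 60-second window and the "command handler under HKU\<SID>\Software\Classes" filter are all assumptions constructed for the example; the page does not name the specific key the module uses.

```python
"""Added detection example (not part of the original post or the module it describes).

Correlates user-writable registry writes with a later high-integrity process start by
the same user. Events are CONSTRUCTED to resemble Sysmon EventID 13 (RegistryEvent,
value set) and EventID 1 (ProcessCreate); field names are assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed filter: a value under a per-user hive (HKU\<SID> or HKCU), below
# Software\Classes, that sits beneath a "command" key. Such keys are user-controllable
# command handlers that an elevated process may resolve. This is an example pattern,
# not the key used by the page's module (which the page does not name).
USER_COMMAND_HANDLER = re.compile(
    r"^(HKU\\S-1-5-21-[\d-]+|HKCU)\\Software\\Classes\\.+\\command(\\|$)",
    re.IGNORECASE,
)
CORRELATION_WINDOW = timedelta(seconds=60)  # assumed; tune to your environment

# Constructed sample telemetry, in time order. Only alice's sequence should alert:
# bob writes a harmless Explorer preference, carol's elevation is far outside the window.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "id": 13, "user": "LAB\\alice", "integrity": "Medium",
     "image": "C:\\Windows\\System32\\reg.exe",
     "target": "HKU\\S-1-5-21-1000\\Software\\Classes\\exampleclass\\shell\\open\\command\\(Default)"},
    {"ts": "2024-01-01T10:00:03", "id": 1, "user": "LAB\\alice", "integrity": "High",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\exampleviewer.exe"},
    {"ts": "2024-01-01T10:01:00", "id": 13, "user": "LAB\\bob", "integrity": "Medium",
     "image": "C:\\Windows\\explorer.exe",
     "target": "HKU\\S-1-5-21-2000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"},
    {"ts": "2024-01-01T10:01:05", "id": 1, "user": "LAB\\bob", "integrity": "High",
     "image": "C:\\Program Files\\ExampleApp\\setup.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-01-01T10:30:00", "id": 13, "user": "LAB\\carol", "integrity": "Medium",
     "image": "C:\\Windows\\System32\\reg.exe",
     "target": "HKU\\S-1-5-21-3000\\Software\\Classes\\otherclass\\shell\\open\\command\\(Default)"},
    {"ts": "2024-01-01T10:45:00", "id": 1, "user": "LAB\\carol", "integrity": "High",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\exampleviewer.exe"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def is_user_command_handler_write(event):
    """True for a value-set event from a Medium-integrity process on a per-user
    command-handler key (the precondition the page's technique relies on)."""
    return (event["id"] == 13
            and event["integrity"] == "Medium"
            and bool(USER_COMMAND_HANDLER.match(event["target"])))


def correlate(events, window=CORRELATION_WINDOW):
    """Return one alert per High-integrity process start that follows, within
    `window`, a suspicious per-user command-handler write by the same user."""
    pending = {}  # user -> suspicious writes not yet aged out
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        if is_user_command_handler_write(ev):
            pending.setdefault(ev["user"], []).append(ev)
        elif ev["id"] == 1 and ev["integrity"] == "High":
            now = _ts(ev["ts"])
            # Drop writes older than the window, then alert on the rest.
            recent = [w for w in pending.get(ev["user"], []) if now - _ts(w["ts"]) <= window]
            pending[ev["user"]] = recent
            for w in recent:
                alerts.append({
                    "user": ev["user"],
                    "write_ts": w["ts"],
                    "key": w["target"],
                    "writer": w["image"],
                    "process": ev["image"],
                    "parent": ev["parent"],
                    "delta_s": (now - _ts(w["ts"])).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[ALERT] {a['user']}: {a['writer']} wrote {a['key']} "
              f"{a['delta_s']:.0f}s before High-integrity {a['process']} (parent {a['parent']})")
```

The registry write alone is noisy (legitimate file-association changes hit the same keys), so the correlation with a subsequent elevation by the same user is what gives the rule its precision; in a real deployment the parent image of the High-integrity process is the next field to pivot on.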
1º - Download the post-module from GitHub using wget
wget https://github.com/r00t-3xp10it/msf-auxiliarys/blob/master/local%20privilege%20escalation/enigma_fileless_uac_bypass.rb
2º - Copy the post-module into the Metasploit modules tree (Kali distros)
cp enigma_fileless_uac_bypass.rb /usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb
3º - Start postgresql
service postgresql start
4º - Rebuild metasploit database
msfdb reinit
5º - Reload all modules into msf database
msfconsole -x 'db_status; reload_all'
6º - Load post-module
msf > use post/windows/escalate/enigma_fileless_uac_bypass
7º - Read the module info and options
msf post(enigma_fileless_uac_bypass) > info
msf post(enigma_fileless_uac_bypass) > show advanced options