Ok, these are really simple UAC bypasses from a userland GUI perspective. This is about increasing process integrity level; it is not about performing LPE from low integrity to high/SYSTEM with no interaction. These clearly work in older versions of Windows as well, but since Windows 11 will be the current version in the near future I thought it would be fun to revisit them!
And just to be clear, a medium integrity process as an administrator user will have the following privileges:
What we are talking about here is moving to a high integrity process without knowing credentials or having the secure desktop launch.
Right-click in the right-hand pane and click VIEW SOURCE.
From Notepad, click FILE then OPEN.
Right-click + SHIFT and click "Open PowerShell window here".
And now you have a process with high integrity.
Msconfig UAC Bypass
The use case for this bypass is when you have access to the session but DO NOT have the credentials.
The mitigation for this is to set UAC to the maximum level.
Another method comes from running c:\windows\system32\iscsicpl.exe.
Right-click + SHIFT and open PowerShell.
Right-click and run the task.
MMC/Device Manager/Group Policy Editor etc.
Right-click and view source.
Use File then Open, and then RIGHT-CLICK + SHIFT to launch a shell.
Shockingly, you can do this with all kinds of .msc consoles:
Here’s using Group Policy Editor.
Ok, so we get the gist of how to exploit this manually, so what we need is a list of more binaries we can use:
So there are lots of ways of doing this via binaries.
These might seem like they are not useful, but you can find positions where they can be exploited. It's often the small things that make a difference; I've certainly been in positions where these techniques have helped before.
I recommend that people increase their UAC levels (do bear in mind the user experience change though).
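As an added example (not from the original post), here is a PowerShell audit of the registry values behind the UAC slider. The default level (ConsentPromptBehaviorAdmin=5) lets signed auto-elevating Windows binaries like msconfig and the .msc consoles reach high integrity without a prompt, which is what the steps above rely on; "Always notify" (ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1) prompts for them too. The key path and value names are the standard UAC policy values; the Get-UacAudit function and the -Remediate switch are my own.

```powershell
# Added example: audit (and optionally raise) the UAC level to "Always notify".
# Reading works from any account; -Remediate needs an elevated PowerShell.

[CmdletBinding()]
param(
    [switch]$Remediate   # set the values to "Always notify" instead of only reporting
)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values that correspond to the maximum UAC slider position ("Always notify").
$Expected = @{
    EnableLUA                  = 1   # UAC enabled at all
    ConsentPromptBehaviorAdmin = 2   # prompt for consent on the secure desktop for every elevation
    PromptOnSecureDesktop      = 1   # prompt shown on the secure desktop, not the user's desktop
}

function Get-UacAudit {
    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $actual = $current.$name   # $null if the value is missing, which also fails the check
        [pscustomobject]@{
            Setting  = $name
            Current  = $actual
            Expected = $Expected[$name]
            Ok       = ($actual -eq $Expected[$name])
        }
    }
}

$audit = Get-UacAudit
$audit | Format-Table -AutoSize

if ($audit.Ok -contains $false) {
    Write-Warning 'UAC is below "Always notify": auto-elevating binaries can reach high integrity without a prompt.'
    if ($Remediate) {
        foreach ($row in ($audit | Where-Object { -not $_.Ok })) {
            Set-ItemProperty -Path $PolicyKey -Name $row.Setting -Value $row.Expected -Type DWord
            Write-Host "Set $($row.Setting) to $($row.Expected)"
        }
        Write-Host 'Done. Sign out or reboot for the new UAC level to take full effect.'
    }
} else {
    Write-Host 'UAC is at the maximum level ("Always notify").'
}
```

In a domain, the same three values can be enforced centrally through the "User Account Control" security options in Group Policy, which is preferable to editing the registry per machine.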