# UACMe
* Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
# System Requirements
* x86-32/x64 Windows 7/8/8.1/10TH1/10TH2/10RS1/10RS2 (client editions; some methods however also work on server editions).
* Admin account with UAC set to default settings is required (on "Always notify" or with UAC disabled, AutoElevate does not apply and the methods below are irrelevant).
# Usage
Run the executable from the command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for more info.
The first param is the number of the method to use; the second is an optional command (executable file name including full path) to run. The second param can be empty, in which case the program executes an elevated cmd.exe from the system32 folder.
Keys (watch the debug output with DbgView or similar for more info):
1. Author: Leo Davidson
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): cryptbase.dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 8.1 (9600)
* How: sysprep.exe hardened LoadFrom manifest elements
2. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): ShCore.dll
* Works from: Windows 8.1 (9600)
* Fixed in: Windows 10 TP (> 9600)
* How: Side effect of ShCore.dll moving to \KnownDlls
3. Author: Leo Davidson derivative by WinNT/Pitou
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\oobe\setupsqm.exe
* Component(s): WdsCore.dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH2 (10558)
* How: Side effect of OOBE redesign
4. Author: Jon Ericson, WinNT/Gootkit, mzH
* Type: AppCompat
* Method: RedirectEXE Shim
* Target(s): \system32\cliconfg.exe
* Component(s): -
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TP (> 9600)
* How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for the remaining Windows versions
5. Author: WinNT/Simda
* Type: Elevated COM interface
* Method: ISecurityEditor
* Target(s): HKLM registry keys
* Component(s): -
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH1 (10147)
* How: ISecurityEditor interface method changed
6. Author: Win32/Carberp
* Type: Dll Hijack
* Method: WUSA
* Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe
* Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH1 (10147)
* How: WUSA /extract option removed
7. Author: Win32/Carberp derivative
* Type: Dll Hijack
* Method: WUSA
* Target(s): \system32\cliconfg.exe
* Component(s): ntwdblib.dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH1 (10147)
* How: WUSA /extract option removed
8. Author: Leo Davidson derivative by Win32/Tilon
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): Actionqueue.dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 8.1 (9600)
* How: sysprep.exe hardened LoadFrom manifest
9. Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative
* Type: Dll Hijack
* Method: IFileOperation, ISecurityEditor, WUSA
* Target(s): IFEO registry keys, \system32\cliconfg.exe
* Component(s): Attacker defined Application Verifier Dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH1 (10147)
* How: WUSA /extract option removed, ISecurityEditor interface method changed
10. Author: WinNT/Pitou, Win32/Carberp derivative
* Type: Dll Hijack
* Method: IFileOperation, WUSA
* Target(s): \system32\\{New}or{Existing}\\{autoelevated}.exe, e.g. winsat.exe
* Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH2 (10548)
* How: AppInfo elevated application path control hardening
11. Author: Jon Ericson, WinNT/Gootkit, mzH
* Type: AppCompat
* Method: Shim Memory Patch
* Target(s): \system32\iscsicli.exe
* Component(s): Attacker prepared shellcode
* Works from: Windows 7 (7600)
* Fixed in: Windows 8.1 (9600)
* How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for the remaining Windows versions
12. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): dbgcore.dll
* Works from: Windows 10 TH1 (10240)
* Fixed in: Windows 10 TH2 (10565)
* How: sysprep.exe manifest updated
13. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\mmc.exe EventVwr.msc
* Component(s): elsext.dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS1 (14316)
* How: Missing dependency removed
14. Author: Leo Davidson, WinNT/Sirefef derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\credwiz.exe, \system32\wbem\oobe.exe
* Component(s): netutils.dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 TH2 (10548)
* How: AppInfo elevated application path control hardening
15. Author: Leo Davidson, Win32/Addrop, Metasploit derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\cliconfg.exe
* Component(s): ntwdblib.dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS1 (14316)
* How: Cliconfg.exe autoelevation removed
16. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe
* Component(s): SLC.dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS1 (14316)
* How: AppInfo elevated application path control and inetmgr executable hardening
17. Author: Leo Davidson derivative
* Type: Dll Hijack (Import forwarding)
* Method: IFileOperation
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): unbcl.dll
* Works from: Windows 8.1 (9600)
* Fixed in: Windows 10 RS1 (14371)
* How: sysprep.exe manifest updated
18. Author: Leo Davidson derivative
* Type: Dll Hijack (Manifest)
* Method: IFileOperation
* Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest)
* Component(s): Attacker defined dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS1 (14371)
* How: Manifest parsing logic reviewed
19. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\inetsrv\inetmgr.exe
* Component(s): MsCoree.dll
* Works from: Windows 7 (7600)
* Fixed in: Windows 10 RS1 (14376)
* How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
20. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\mmc.exe, Rsop.msc
* Component(s): WbemComn.dll
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
21. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation, SxS DotLocal
* Target(s): \system32\sysprep\sysprep.exe
* Component(s): comctl32.dll
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
22. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation, SxS DotLocal
* Target(s): \system32\consent.exe
* Component(s): comctl32.dll
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
23. Author: Leo Davidson derivative
* Type: Dll Hijack
* Method: IFileOperation
* Target(s): \system32\pkgmgr.exe
* Component(s): DismCore.dll
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
24. Author: BreakingMalware
* Type: Shell API
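The table above doubles as an artifact list for defenders: most methods only work by planting a DLL (or a `.local` directory, or an IFEO value) at a fixed path next to an autoelevated binary, and those paths are known. The PowerShell script below is an added example, not code from the UACMe project, that checks a host for the UAC preconditions and for the on-disk and registry artifacts of the methods listed. It assumes the default UAC level is `EnableLUA=1` / `ConsentPromptBehaviorAdmin=5` (that mapping is my own knowledge, not stated on this page), and it assumes the listed DLLs are not normally present in the listed directories on a clean install; a hit is therefore a lead to verify (signature, owner, timestamps), not proof of compromise. Methods that depend on copying the target somewhere else (10, 14) or on shims (4, 11) have no fixed path to check and are left out.

```powershell
# Added example, not part of UACMe: audit a host for UAC preconditions and for
# the artifacts of the DLL-hijack / DotLocal / IFEO methods in the table above.

function Get-UacAutoElevateState {
    # UACMe needs an admin account with UAC at the default level. Assumption:
    # default = EnableLUA=1 and ConsentPromptBehaviorAdmin=5 ("notify me only
    # when apps try to make changes"); 2 is "Always notify", 0 elevates silently.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $pol.EnableLUA
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $pol.PromptOnSecureDesktop
        AtUacmeDefault             = ($pol.EnableLUA -eq 1 -and $pol.ConsentPromptBehaviorAdmin -eq 5)
    }
}

function Find-UacmeArtifacts {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $hits  = [System.Collections.Generic.List[object]]::new()

    # DLLs the IFileOperation methods drop into the search path of their
    # autoelevated target. Dir is relative to System32; '.' means System32.
    $plants = @(
        @{ Dir = 'sysprep'; Dll = 'cryptbase.dll';   Method = 1  }
        @{ Dir = 'sysprep'; Dll = 'ShCore.dll';      Method = 2  }
        @{ Dir = 'oobe';    Dll = 'WdsCore.dll';     Method = 3  }
        @{ Dir = 'sysprep'; Dll = 'Actionqueue.dll'; Method = 8  }
        @{ Dir = 'sysprep'; Dll = 'dbgcore.dll';     Method = 12 }
        @{ Dir = '.';       Dll = 'elsext.dll';      Method = 13 }
        @{ Dir = '.';       Dll = 'ntwdblib.dll';    Method = 15 }
        @{ Dir = 'inetsrv'; Dll = 'SLC.dll';         Method = 16 }
        @{ Dir = 'sysprep'; Dll = 'unbcl.dll';       Method = 17 }
        @{ Dir = 'inetsrv'; Dll = 'MsCoree.dll';     Method = 19 }
        @{ Dir = '.';       Dll = 'WbemComn.dll';    Method = 20 }
        @{ Dir = '.';       Dll = 'DismCore.dll';    Method = 23 }
    )
    foreach ($p in $plants) {
        $dir  = if ($p.Dir -eq '.') { $sys32 } else { Join-Path $sys32 $p.Dir }
        $path = Join-Path $dir $p.Dll
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # An unsigned or invalidly signed file at one of these paths is the
            # strongest signal; a validly signed Microsoft file still deserves a look.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $hits.Add([pscustomobject]@{
                Method = $p.Method; Kind = 'PlantedDll'; Path = $path
                Detail = "signature: $($sig.Status)"
            })
        }
    }

    # SxS DotLocal redirection (methods 21 and 22): an "<exe>.local" directory
    # beside sysprep.exe or consent.exe makes the loader take comctl32.dll from it.
    $dotLocal = @(
        @{ Rel = 'sysprep\sysprep.exe.local'; Method = 21 }
        @{ Rel = 'consent.exe.local';         Method = 22 }
    )
    foreach ($d in $dotLocal) {
        $dir = Join-Path $sys32 $d.Rel
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $hits.Add([pscustomobject]@{
                Method = $d.Method; Kind = 'DotLocal'; Path = $dir
                Detail = ((Get-ChildItem -LiteralPath $dir -Name) -join ',')
            })
        }
    }

    # IFEO Application Verifier hook (method 9): a VerifierDlls value under the
    # cliconfg.exe IFEO key loads the named DLL into the elevated process.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cliconfg.exe'
    if (Test-Path -LiteralPath $ifeo) {
        $v = Get-ItemProperty -Path $ifeo
        if ($v.VerifierDlls) {
            $hits.Add([pscustomobject]@{
                Method = 9; Kind = 'IfeoVerifierDll'; Path = $ifeo
                Detail = "VerifierDlls=$($v.VerifierDlls) GlobalFlag=$($v.GlobalFlag)"
            })
        }
    }
    return $hits
}

Get-UacAutoElevateState | Format-List
Find-UacmeArtifacts | Format-Table -AutoSize
```

Run it from an elevated prompt so that the System32 subdirectories and the IFEO key are readable. An empty result only says none of the fixed-path artifacts are present now; the IFileOperation methods can delete their DLL after the elevated child is spawned, so pair this with process-creation telemetry for the listed targets (sysprep.exe, cliconfg.exe, inetmgr.exe, pkgmgr.exe, mmc.exe with EventVwr.msc or Rsop.msc) started from a medium-integrity parent.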