Article Excerpt
SCMUACBypass
| property | value |
|---|---|
| tags | cobalt-strike,github-repo,kerberos,offensive-tradecraft,tradecraft-tool |
| url | |
| original_word_count | 1 |
Long Summary
SCMUACBypass is a technique that authenticates to the Service Control Manager (SCM) using Kerberos and achieves local privilege escalation (LPE) by way of a service binary payload. It is designed to be used together with Kerberos relay attack primitives, so the appropriate ticket(s) must already be in the attacker's ticket cache. The included Aggressor script registers a new elevate command in Beacon, which is used to establish a link to a child beacon.
The elevate command installs an AcquireCredentialsHandle hook that switches the security package to Kerberos. InitializeSecurityContext is then called for the target HOST/127.0.0.1, and if the returned status is 00090312 or 00000000, the link to the child beacon is established.
Short Summary
rasta-mouse/SCMUACBypass
- SCMUACBypass allows attackers to authenticate to the Service Control Manager (SCM) using Kerberos.
- It achieves local privilege escalation (LPE) using a service binary payload.
- This technique requires the appropriate ticket(s) to be in the attacker's cache.
- SCMUACBypass is used in combination with Kerberos relay attack primitives.
- The included Aggressor script registers a new elevate command in Beacon.
- The elevate command installs an AcquireCredentialsHandle hook to switch to the Kerberos package.
- InitializeSecurityContext is called for the target HOST/127.0.0.1.
- If the status is 00090312 or 00000000, the link to the child beacon is established.
- SCMUACBypass is a powerful technique for gaining system access and privilege escalation.
- It is an effective method for attackers to authenticate and elevate their privileges through Kerberos.
source link: https://github.com/rasta-mouse/SCMUACBypass
summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/rasta-mousescmuacbypass
#SCMUACBypass #Kerberos #PrivilegeEscalation #AttackPrimitives #ChildBeacon