mirror of https://github.com/LOLBAS-Project/LOLBAS
synced 2025-10-25 23:05:58 +02:00
Added wsreset.exe - uac bypass
yml/OSBinaries/Wsreset.yml (Normal file, 29 lines)
							| @@ -0,0 +1,29 @@ | ||||
| --- | ||||
| Name: Wsreset.exe | ||||
| Description: Used to reset Windows Store settings according to its manifest file | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2019-03-18' | ||||
| Commands: | ||||
|   - Command: wsreset.exe | ||||
|     Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user.  | ||||
|     Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.  | ||||
|     Category: UAC bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1088 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1088 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\wsreset.exe | ||||
| Code Sample: | ||||
|   - Code:  | ||||
| Detection: | ||||
|  - IOC: wsreset.exe launching child process other than mmc.exe | ||||
|  - IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command | ||||
| Resources: | ||||
|   - Link: https://www.activecyber.us/activelabs/windows-uac-bypass | ||||
|   - Link: https://twitter.com/ihack4falafel/status/1106644790114947073 | ||||
|   - Link: https://github.com/hfiref0x/UACME/blob/master/README.md | ||||
| Acknowledgement: | ||||
|   - Person: Hashim Jawad | ||||
|     Handle: '@ihack4falafel' | ||||
| --- | ||||
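Review bot: The `Code Sample:` block leaves `- Code:` with no value, so any consumer parsing this YAML gets a null where the other OSBinaries entries carry a string; either populate it with the invocation the entry already documents (`Code: wsreset.exe`) or drop the `Code Sample:` block entirely rather than shipping an empty placeholder. Two smaller style points in the same hunk: the two `Detection:` items are indented with one space (` - IOC:`) while every other list in the file uses two, which reads as a typo even though YAML accepts it, and the `Description:` and `Usecase:` lines under `Commands:` end in trailing whitespace. On the detection content itself, the registry IOC is the actionable one for defenders, since the `HKCU\Software\Classes\AppX...\Shell\open\command` value has no reason to exist on a normal user profile, so it may be worth listing it first and noting that the child-process IOC is a secondary signal.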