diff --git a/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md b/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md index a3cc184236e..307e3ab66f8 100644 --- a/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md +++ b/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md @@ -255,6 +255,28 @@ If you take a look to **UACME** you will note that **most UAC bypasses abuse a D Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**). +### UAC bypass via `SysWOW64\iscsicpl.exe` + user `PATH` DLL hijack + +The 32-bit `C:\Windows\SysWOW64\iscsicpl.exe` is an **auto-elevated** binary that can be abused to load `iscsiexe.dll` by search order. If you can place a malicious `iscsiexe.dll` inside a **user-writable** folder and then modify the current user `PATH` (for example via `HKCU\Environment\Path`) so that folder is searched, Windows may load the attacker DLL inside the elevated `iscsicpl.exe` process **without showing a UAC prompt**. + +Practical notes: +- This is useful when the current user is in **Administrators** but running at **Medium Integrity** due to UAC. +- The **SysWOW64** copy is the relevant one for this bypass. Treat the **System32** copy as a separate binary and validate behavior independently. +- The primitive is a combination of **auto-elevation** and **DLL search-order hijacking**, so the same ProcMon workflow used for other UAC bypasses is useful to validate the missing DLL load. + +Minimal flow: + +```cmd +copy iscsiexe.dll %TEMP%\iscsiexe.dll +reg add "HKCU\Environment" /v Path /t REG_SZ /d "%TEMP%" /f +C:\Windows\System32\cmd.exe /c C:\Windows\SysWOW64\iscsicpl.exe +``` + +Detection ideas: +- Alert on `reg add` / registry writes to `HKCU\Environment\Path` immediately followed by execution of `C:\Windows\SysWOW64\iscsicpl.exe`. +- Hunt for `iscsiexe.dll` in **user-controlled** locations such as `%TEMP%` or `%LOCALAPPDATA%\Microsoft\WindowsApps`. +- Correlate `iscsicpl.exe` launches with unexpected child processes or DLL loads from outside the normal Windows directories. + ### Administrator Protection (25H2) drive-letter hijack via per-logon-session DOS device map Windows 11 25H2 “Administrator Protection” uses shadow-admin tokens with per-session `\Sessions\0\DosDevices/` maps. The directory is created lazily by `SeGetTokenDeviceMap` on first `\??` resolution. If the attacker impersonates the shadow-admin token only at **SecurityIdentification**, the directory is created with the attacker as **owner** (inherits `CREATOR OWNER`), allowing drive-letter links that take precedence over `\GLOBAL??`. @@ -279,9 +301,11 @@ New-NtSymbolicLink "\Sessions\0\DosDevices/$auth/C:" "\??\\C:\\Users\\attacker\\ ## References - [HTB: Rainbow – SEH overflow to RCE over HTTP (0xdf) – fodhelper UAC bypass steps](https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html) - [LOLBAS: Fodhelper.exe](https://lolbas-project.github.io/lolbas/Binaries/Fodhelper/) +- [LOLBAS: Iscsicpl.exe](https://lolbas-project.github.io/lolbas/Binaries/Iscsicpl/) - [Microsoft Docs – How User Account Control works](https://learn.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works) - [UACME – UAC bypass techniques collection](https://github.com/hfiref0x/UACME) - [Checkpoint Research – KONNI Adopts AI to Generate PowerShell Backdoors](https://research.checkpoint.com/2026/konni-targets-developers-with-ai-malware/) +- [Check Point Research – Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets](https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/) - [Project Zero – Windows Administrator Protection drive-letter hijack](https://projectzero.google/2026/26/windows-administrator-protection.html) {{#include ../../banners/hacktricks-training.md}}