Invoke-WScriptUACBypass

SYNOPSIS

Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe.

Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie
License: BSD 3-Clause
Required Dependencies: None

SYNTAX

Invoke-WScriptUACBypass [-Command] <String> [-WindowStyle <String>]

DESCRIPTION

Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute VBScript using the wscript executable with the new manifest. The VBScript executed by C:\Windows\wscript.exe will run elevated.

EXAMPLES

-------------------------- EXAMPLE 1 --------------------------

"

Launches the specified PowerShell encoded command in high-integrity.

-------------------------- EXAMPLE 2 --------------------------

Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible'

Spawns a high integrity cmd.exe.

PARAMETERS

-Command

The shell command you want wscript.exe to run elevated.

Type: String
Parameter Sets: (All)
Aliases: CMD

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False

-WindowStyle

Whether to display or hide the window for the executed '-Command X'. Accepted values are 'Hidden' and 'Normal'/'Visible. Default is 'Hidden'.

Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: Hidden
Accept pipeline input: False
Accept wildcard characters: False

INPUTS

OUTPUTS

NOTES

http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html https://github.com/Vozzie/uacscript https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1