Home Grown Red Team: UAC Bypass On Windows Defender For Endpoint With HighBorn
UPDATE: This method now alerts on Microsoft’s Defender For Endpoint. You can still use it against Windows 10/11 targets and bypass Windows Defender but EDR will alert on it. See my other post for bypassing DFE with UAC bypass.
The days of running fodhelper are over, but there are still plenty of ways to bypass UAC without alerting Defender (and, at the time of writing, Defender for Endpoint; see the update above). We can use my personal tool, HighBorn, together with the ETW bypass from SharpSploit.
One of the reasons that I wanted to write this post was to help people implement SharpSploit features into their C# exploits. So let’s get to it!
We are going to start out with a beacon on our Havoc C2. If you haven’t read through my Getting System On Windows 11 With Havoc C2, give it a once over to get the beacon on your target.
With a beacon already connected to my Havoc C2, I’m going to transition over to a Windows Development VM to craft and compile HighBorn.
Getting The Resources In Order
Start out by opening a Powershell window and git cloning my Home-Grown-Red-Team repo and SharpSploit.
git clone https://github.com/assume-breach/Home-Grown-Red-Team.git
git clone https://github.com/cobbr/SharpSploit.git
SharpSploit has a lot of functionality. Today, we’re just going to focus on the ETW bypass. This is located in the “Evasion” folder.
Let’s open “ETW.cs.”
On line 26 we see the function, “PatchETWEventWrite.”
This is the function HighBorn will call to patch ETW in the process it is running in.
Even though I have .NET 4.0 in Visual Studio, I always have to change the repo to .NET 3.5. Open the SharpSploit .sln file and update the target if needed.
Click “Edit” and go to “Find & Replace” then go to “Replace in Files.”
Replace all instances of net40 with net35.
Click “Replace All.”
Now change the configuration to “Release” and click “Build” then “Build Solution.” You’ll see a bunch of errors, but this is for the SharpSploit Tests files. If you click “Output” you’ll see that SharpSploit compiled properly.
Now if you go to “SharpSploit/SharpSploit/bin/Release/net35” you’ll see the SharpSploit.dll file.
Embedding SharpSploit In HighBorn
Open the Home-Grown-Red-Team folder and go to HighBorn. Open the HighBorn sln file. On the right side you’ll see “References” in the Solution Explorer.
Right click on it and then click “Add Reference.”
In the next window click “Browse” and then navigate to your SharpSploit.dll file. Click “Add” and it should populate in your references menu.
Click “OK” and then expand the References tab in your Solution Explorer. You should see “SharpSploit” added.
Click on “Program.cs” in the Solution Explorer and then go to line 40. You will see that I have integrated the ETW bypass into HighBorn. This references SharpSploit.dll and calls the patch function at runtime.
Now let’s scroll down to line 71. We need to edit the URL and put your Kali box’s IP.
Once changed, you can change Debug to “Release” at the top and click “Build” and then “Build Solution.”
And your HighBorn.exe file should be built.
Go to the file path of the EXE and transfer it over to your Kali box.
If you haven’t cloned the Home Grown Red Team repo to your Kali box, you can just move the HighBorn.c file from Windows over to Kali. This is the source for our malicious DLL.
We’ll save the file and compile it.
x86_64-w64-mingw32-gcc -shared -o secur32.dll HighBorn.c -lcomctl32 -Wl,--subsystem,windows
You should now have the “secur32.dll” file. Let’s move that to our web server.
Calling HighBorn For A High Integrity Shell
Now we can call our exploit.
dotnet inline-execute /home/kali/Desktop/HighBorn.exe
And now we have a high integrity beacon.
Going over to Microsoft Defender for Endpoint, we don’t have any alerts.
Want To See What It Looks Like When You Bork It?
Forget to put your IP into the exploit properly? Misconfigure your DLL file? Here’s what you’ll get.
Bad operator! Bad!
The point of this post was so I could demonstrate how to use different offensive libraries like SharpSploit when writing your own exploits.
Got a question or a suggestion? Let me know on Medium or get with me on Twitter @assume_breach