UAC Bypass with Token Duplication

Hey all,

We all know that UAC is not a security boundary.  That being said, it can be super annoying, and sometimes difficult, when you just want to spawn a window-less high integrity session so you can continue with funtimes.

Recently I came across the technique described on Tyranid’s Lair to bypass UAC, but I could only find Powershell implementations like UAC-TokenMagic and Invoke-TokenDuplication. So to take a different route, I put together a reflective DLL that uses this technique and an Aggressor script to make everything easy.

The DLL creates a duplicate token for wusa.exe, crafts a new restricted token, spawns an elevated hidden instance of cmd.exe, and proceeds to inject shellcode into cmd.exe via RTLCreateUserThread.  I’ve tested it on Windows 7, 10, 2008, and 2012 on both x64 and x86 architectures.


5 thoughts on “UAC Bypass with Token Duplication

  1. hello, that I try, there is this error that I can not explain
    > elevate uac-tokendupe
    [*] Task Beacon to run windows/beacon_smb/bind_pipe ( via UAC Token Duplication
    [-] Could not find reflective loader in UAC-TokenDuplication-x64.dll


    1. Hey Isaac, the aggressor script cannot find the x64 DLL. IIRC, the script looks for the DLLs in a subdirectory named “dll” relative to TokenDuplication.cna. Do you have the DLL in the same directory by chance?


      1. Unfortunately I didn’t include compiled versions of the DLLs. I can think of two options: grab an IDE like Visual Studio and compile the source provided on my github or use a similar powershell module that I linked on my post. Sorry dude.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s