Provadys Offensive Security Blog

Articles


UAC bypass via elevated .NET applications

Published on Fri 15 September 2017 by @clavoillotte

The .NET Framework can be made to load a profiling DLL or a COM component DLL via user-defined environment variables and CLSID registry entries, even when the process is elevated. This behavior can be exploited to bypass UAC with default settings on Windows 7 to 10 (including the latest RS3 builds) by making an auto-elevate .NET process (such as an MMC snap-in) load an arbitrary DLL.
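For detection, the behavior described above leaves per-user registry writes that can be correlated. The following is an added example, not code from the original post: it assumes Sysmon-style registry value-set events (fields `TargetObject` and `Details`) and the CLR profiler variable names documented by Microsoft, neither of which is named on this page, and it runs over constructed sample events.

```python
import re

# CLR profiler variables documented by Microsoft; the page names none of them,
# so this list and the Sysmon field names below are assumptions of the example.
PROFILER_VARS = {"COR_ENABLE_PROFILING", "COR_PROFILER", "COR_PROFILER_PATH"}
SID = r"(?P<sid>S-1-5-21-[\d-]+)"
USER_ENV = re.compile(r"^HKU\\" + SID + r"\\Environment\\(?P<name>[^\\]+)$", re.I)
USER_COM = re.compile(r"^HKU\\" + SID + r"_Classes\\CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})"
                      r"\\InprocServer32\\\(Default\)$", re.I)

def find_profiler_hijack(events):
    """Correlate per-user profiler variables with per-user COM registrations."""
    env, com = {}, {}
    for ev in events:
        m = USER_ENV.match(ev["TargetObject"])
        if m and m["name"].upper() in PROFILER_VARS:
            env.setdefault(m["sid"], {})[m["name"].upper()] = ev["Details"]
            continue
        m = USER_COM.match(ev["TargetObject"])
        if m:
            com.setdefault(m["sid"], {})[m["clsid"].upper()] = ev["Details"]
    findings = []
    for sid, variables in sorted(env.items()):
        clsid = variables.get("COR_PROFILER", "").upper()
        # The DLL comes from the explicit path variable or the per-user CLSID entry.
        dll = variables.get("COR_PROFILER_PATH") or com.get(sid, {}).get(clsid)
        enabled = variables.get("COR_ENABLE_PROFILING") == "1"
        findings.append({"sid": sid, "variables": sorted(variables), "dll": dll,
                         "severity": "high" if enabled and dll else "medium"})
    return findings

# Constructed sample events (not real telemetry).
USER_A, USER_B = "S-1-5-21-1111-2222-3333-1001", "S-1-5-21-1111-2222-3333-1002"
CLSID = "{11111111-2222-3333-4444-555555555555}"
OTHER = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
ENV_A = "HKU\\" + USER_A + "\\Environment\\"
SAMPLE_EVENTS = [
    {"TargetObject": ENV_A + "COR_ENABLE_PROFILING", "Details": "1"},
    {"TargetObject": ENV_A + "COR_PROFILER", "Details": CLSID},
    {"TargetObject": ENV_A + "TEMP", "Details": r"%USERPROFILE%\AppData\Local\Temp"},
    {"TargetObject": "HKU\\" + USER_A + "_Classes\\CLSID\\" + CLSID + "\\InprocServer32\\(Default)",
     "Details": r"C:\Users\a\AppData\Local\Temp\example.dll"},
    {"TargetObject": "HKU\\" + USER_B + "_Classes\\CLSID\\" + OTHER + "\\InprocServer32\\(Default)",
     "Details": r"C:\Users\b\AppData\Local\App\shellext.dll"},
]

if __name__ == "__main__":
    for finding in find_profiler_hijack(SAMPLE_EVENTS):
        print(finding)
```

Per-user COM registrations on their own are common and are not reported; only users who also set a profiler variable produce a finding.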