FuzzySecurity / PowerShell-Suite

My musings with PowerShell
BSD 3-Clause "New" or "Revised" License

Running Bypass UacMethodNetOle32 broke WMI and spawns elevated shells #3

Closed. H3LL0WORLD closed this issue 7 years ago.

H3LL0WORLD commented 7 years ago

I found that after running the UacMethodNetOle32 Bypass, WMI doesn't work anymore.

[screenshot: error]

...and if I try to run procexp.exe, procmon.exe, etc., instead of running properly it spawns a PowerShell console for me.

[screenshot: error]

FuzzySecurity commented 7 years ago

Hey, I know why this happens. I suspect you closed the script prematurely and it did not remove Yamabiko. As I mention in my blog post, this DLL is loaded by pretty much 30% of everything you run. To correct the issue go to:

C:\Windows\Microsoft.NET\Framework[64]\

One of the folders in there will have "ole32.dll"; delete it. After that everything will go back to normal.
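
The cleanup described in the comment above, as an added PowerShell example that is not part of PowerShell-Suite or the maintainer's reply. It walks both .NET Framework directories for any `ole32.dll`, reports each hit next to the genuine `System32\ole32.dll` (which is where the real library lives; a copy under `Microsoft.NET\Framework*` is assumed here to be the planted proxy), and only deletes with the example's own `-Remove` switch. The function name, the `-SearchRoot` and `-Remove` parameters and the locked-file fallback are this example's assumptions, not the project's. Run it from an elevated console:

```powershell
# Added example, not from the PowerShell-Suite repository.
# Locate (and optionally remove) a stray ole32.dll left under the .NET Framework
# directories after an interrupted UacMethodNetOle32 run.
# Assumption: the only legitimate ole32.dll copies are in System32/SysWOW64, so
# any ole32.dll under %WINDIR%\Microsoft.NET\Framework[64] is the planted proxy.
function Find-PlantedOle32 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Directories to search; defaults to the two paths named in the issue.
        [string[]]$SearchRoot = @(
            (Join-Path $env:WINDIR 'Microsoft.NET\Framework'),
            (Join-Path $env:WINDIR 'Microsoft.NET\Framework64')
        ),
        # Hypothetical switch: delete each hit instead of only reporting it.
        [switch]$Remove
    )

    $systemDll  = Join-Path $env:WINDIR 'System32\ole32.dll'
    $systemHash = (Get-FileHash -LiteralPath $systemDll -Algorithm SHA256).Hash

    $hits = foreach ($root in $SearchRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'ole32.dll' -ErrorAction SilentlyContinue
    }

    if (-not $hits) {
        Write-Verbose "No ole32.dll found under: $($SearchRoot -join ', ')"
        return
    }

    foreach ($dll in $hits) {
        $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
        $hash = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash

        # Processes that currently have this exact file mapped; a loaded module
        # keeps the file locked, which is what makes the cleanup fail when a
        # .NET process is still running.
        $loaders = Get-Process -ErrorAction SilentlyContinue | Where-Object {
            try { $_.Modules.FileName -contains $dll.FullName } catch { $false }
        } | Select-Object -ExpandProperty ProcessName -Unique

        [pscustomobject]@{
            Path             = $dll.FullName
            SizeBytes        = $dll.Length
            SignatureStatus  = $sig.Status
            Signer           = $sig.SignerCertificate.Subject
            MatchesSystemDll = ($hash -eq $systemHash)
            LoadedBy         = ($loaders -join ', ')
        }

        if ($Remove -and $PSCmdlet.ShouldProcess($dll.FullName, 'Remove planted ole32.dll')) {
            try {
                Remove-Item -LiteralPath $dll.FullName -Force -ErrorAction Stop
            } catch {
                # File is mapped into a running process: rename it so no new
                # process picks it up, then delete after those processes exit.
                $quarantine = "$($dll.FullName).planted"
                Write-Warning "Could not delete $($dll.FullName) ($($_.Exception.Message)); renaming to $quarantine"
                Rename-Item -LiteralPath $dll.FullName -NewName (Split-Path $quarantine -Leaf) -Force
            }
        }
    }
}

# Usage: report first, then remove once the listed loaders have been closed.
Find-PlantedOle32 | Format-List
# Find-PlantedOle32 -Remove -WhatIf   # dry run
# Find-PlantedOle32 -Remove
```

The report's `LoadedBy` column tells you which processes to close before the delete will succeed; if the file cannot be unlinked, renaming it is enough to stop further processes from loading the proxy, and the renamed file can be removed after a reboot.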

H3LL0WORLD commented 7 years ago

Well, I tried that but it didn't work. What I did was restore the PC using a system restore point. Thanks :)

FuzzySecurity commented 7 years ago

Pretty sure that was the issue, which is why I highlighted in my post it could be used as a persistence mechanism (provided you make a transparent proxy dll). Anyway, closing this.