hfiref0x / UACME

Defeating Windows User Account Control
BSD 2-Clause "Simplified" License

New UAC Bypass through SSPI Datagram Contexts #146

Closed antonioCoco closed 9 months ago

antonioCoco commented 9 months ago

Hi, recently I released a new UAC bypass that leverages SSPI Datagram contexts and a bug in token impersonation during loopback network authentications.

Article --> https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html
Source code --> https://github.com/antonioCoco/SspiUacBypass

In a nutshell:

I guess it could be a nice addition to UACMe, which I consider my main reference for all known UAC bypasses. Glad to provide any help if needed.

hfiref0x commented 9 months ago

Hello, thanks for information. I will consider adding it to the next version and let you know results.

hfiref0x commented 9 months ago

There is an error after AcceptSecurityContext call 0x8009030c inside ForgeNetworkAuthToken.

Configuration: Windows 10 19044 LTSC VM, default workgroup, everything else also on default settings, Windows Defender removed completely.

The following event log entry was generated:

An account failed to log on.

Subject:
    Security ID:            NULL SID
    Account Name:           -
    Account Domain:         -
    Logon ID:               0x0

Logon Type:                 3

Account For Which Logon Failed:
    Security ID:            NULL SID
    Account Name:           admin
    Account Domain:         DESKTOP-VM

Failure Information:
    Failure Reason:         Unknown user name or bad password.
    Status:                 0xC000006E
    Sub Status:             0xC000006E

Process Information:
    Caller Process ID:      0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:       DESKTOP-VM
    Source Network Address: -
    Source Port:            -

Detailed Authentication Information:
    Logon Process:          NtLmSsp
    Authentication Package: NTLM
    Transited Services:     -
    Package Name (NTLM only): -
    Key Length:             0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

  • Transited services indicate which intermediate services have participated in this logon request.
  • Package name indicates which sub-protocol was used among the NTLM protocols.
  • Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

antonioCoco commented 9 months ago

OK, I was able to reproduce this error.

It appears your user has been removed from the group which allows Network logons (SeNetworkLogonRight) or it has been manually added to "Deny access to this computer from the network" (SeDenyNetworkLogonRight).

This shouldn't be the default config, Administrators and normal users should have this privilege enabled by default, also according to Microsoft doc here:

Denying this privilege wouldn't allow any of these users to authenticate over remote SMB shares, RPC services and any outbound auths, which would be unrealistic in real world environments.

Could you double-check that the settings I mentioned above are also at their defaults?

hfiref0x commented 9 months ago

Nothing has been manually customized since install. This is default "admin" account created during Windows install.

whoami /all

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
desktop-vm\admin S-1-5-21-3757089580-1629204324-2742774380-1001

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Performance Log Users                                 Alias            S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

elevated

whoami /all

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
desktop-vm\admin S-1-5-21-3757089580-1629204324-2742774380-1001

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes                  
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Performance Log Users                                 Alias            S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288                             

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
      SspiUacBypass - Bypassing UAC with SSPI Datagram Contexts
        by @splinter_code

Forging a token from a fake Network Authentication through Datagram Contexts
AcceptSecurityContext failed with secstatus code 0x8009030c

p.s.

Let me know if you need more information

antonioCoco commented 9 months ago

Please send the following configurations from gpedit.msc:

Default conf should look like this:

All of my Win10 and Win11 machines in my lab have these settings.

hfiref0x commented 9 months ago

Policy: Security Setting

Access Credential Manager as a trusted caller:
Access this computer from the network: Everyone,Administrators,Users,Backup Operators
Act as part of the operating system:
Add workstations to domain:
Adjust memory quotas for a process: LOCAL SERVICE,NETWORK SERVICE,Administrators
Allow log on locally: Guest,Administrators,Users,Backup Operators
Allow log on through Remote Desktop Services: Administrators,Remote Desktop Users
Back up files and directories: Administrators,Backup Operators
Bypass traverse checking: Everyone,LOCAL SERVICE,NETWORK SERVICE,Administrators,Users,Backup Operators
Change the system time: LOCAL SERVICE,Administrators
Change the time zone: LOCAL SERVICE,Administrators,Users
Create a pagefile: Administrators
Create a token object:
Create global objects: LOCAL SERVICE,NETWORK SERVICE,Administrators,SERVICE
Create permanent shared objects:
Create symbolic links: Administrators
Debug programs: Administrators
Deny access to this computer from the network: Guest
Deny log on as a batch job:
Deny log on as a service:
Deny log on locally: Guest
Deny log on through Remote Desktop Services:
Enable computer and user accounts to be trusted for delegation:
Force shutdown from a remote system: Administrators
Generate security audits: LOCAL SERVICE,NETWORK SERVICE
Impersonate a client after authentication: LOCAL SERVICE,NETWORK SERVICE,Administrators,SERVICE
Increase a process working set: Users
Increase scheduling priority: Administrators,Window Manager\Window Manager Group
Load and unload device drivers: Administrators
Lock pages in memory:
Log on as a batch job: Administrators,Backup Operators,Performance Log Users
Log on as a service: NT SERVICE\ALL SERVICES
Manage auditing and security log: Administrators
Modify an object label:
Modify firmware environment values: Administrators
Obtain an impersonation token for another user in the same session: Administrators
Perform volume maintenance tasks: Administrators
Profile single process: Administrators
Profile system performance: Administrators,NT SERVICE\WdiServiceHost
Remove computer from docking station: Administrators,Users
Replace a process level token: LOCAL SERVICE,NETWORK SERVICE
Restore files and directories: Administrators,Backup Operators
Shut down the system: Administrators,Users,Backup Operators
Synchronize directory service data:
Take ownership of files or other objects: Administrators

antonioCoco commented 9 months ago

The rights assignment seems fine...

I have just installed this fresh crap from MS --> 19044.1288.211006-0501.21h2_release_svc_refresh_CLIENT_LTSC_EVAL_x64FRE_en-us.iso

Without internet conn and without updates and no changes to the machine (neither vmware-tools) except disabling windefender, the PoC works out of the box.

I'm unable to reproduce your env/error if not with the network logon right removed...

Let's give it another try... I have pushed some code to print the hexdump of the NTLM security buffers in --> https://github.com/antonioCoco/SspiUacBypass/tree/debug

I have also attached a precompiled version of this new debug version, so we can exclude any compilation issue getting in the way... Please send the output of the new release; I would like to check the NTLM security buffers generated in your env.

If you could also try to create a new local admin user and try the PoC from its new session (it should get RID 1002), that would be good too. Thanks for the patience :pray: but this thing is quite weird and is boggling my mind.

SspiUacBypass_debug.zip

Olivier-true commented 9 months ago

I tested your work on privilege elevation (windows 10.0.19045), without sending the samples, and it works. It's thanks to people like you that we can move forward in our learning. Once again, thank you, and good evening from France.

hfiref0x commented 9 months ago

        SspiUacBypass - Bypassing UAC with SSPI Datagram Contexts
        by @splinter_code

Forging a token from a fake Network Authentication through Datagram Contexts
NTLM Negotiate Type1 buffer (size 0):
  ZERO LENGTH
NTLM Challenge Type2 buffer (size 168):
  0000  4e 54 4c 4d 53 53 50 00 02 00 00 00 00 00 00 00  NTLMSSP.........
  0010  38 00 00 00 f3 82 98 e2 39 84 05 f2 ce 40 1a e5  8.......9....@..
  0020  00 00 00 00 00 00 00 00 70 00 70 00 38 00 00 00  ........p.p.8...
  0030  0a 00 61 4a 00 00 00 0f 02 00 14 00 44 00 45 00  ..aJ........D.E.
  0040  53 00 4b 00 54 00 4f 00 50 00 2d 00 56 00 4d 00  S.K.T.O.P.-.V.M.
  0050  01 00 14 00 44 00 45 00 53 00 4b 00 54 00 4f 00  ....D.E.S.K.T.O.
  0060  50 00 2d 00 56 00 4d 00 04 00 14 00 44 00 45 00  P.-.V.M.....D.E.
  0070  53 00 4b 00 54 00 4f 00 50 00 2d 00 56 00 4d 00  S.K.T.O.P.-.V.M.
  0080  03 00 14 00 44 00 45 00 53 00 4b 00 54 00 4f 00  ....D.E.S.K.T.O.
  0090  50 00 2d 00 56 00 4d 00 07 00 08 00 a6 7c 6c 24  P.-.V.M......|l$
  00a0  e2 ec d9 01 00 00 00 00                          ........
NTLM Authenticate Type3 buffer (size 406):
  0000  4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00  NTLMSSP.........
  0010  8a 00 00 00 f4 00 f4 00 a2 00 00 00 14 00 14 00  ................
  0020  58 00 00 00 0a 00 0a 00 6c 00 00 00 14 00 14 00  X.......l.......
  0030  76 00 00 00 00 00 00 00 96 01 00 00 45 82 80 22  v...........E.."
  0040  0a 00 61 4a 00 00 00 0f c5 21 1c 55 81 54 3d 03  ..aJ.....!.U.T=.
  0050  e5 87 dc 4a ef 89 02 fa 44 00 45 00 53 00 4b 00  ...J....D.E.S.K.
  0060  54 00 4f 00 50 00 2d 00 56 00 4d 00 61 00 64 00  T.O.P.-.V.M.a.d.
  0070  6d 00 69 00 6e 00 44 00 45 00 53 00 4b 00 54 00  m.i.n.D.E.S.K.T.
  0080  4f 00 50 00 2d 00 56 00 4d 00 00 00 00 00 00 00  O.P.-.V.M.......
  0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00a0  00 00 86 27 0d ff e2 2f 48 f4 c0 a3 92 ab 1e 11  ...'.../H.......
  00b0  05 b2 01 01 00 00 00 00 00 00 a6 7c 6c 24 e2 ec  ...........|l$..
  00c0  d9 01 8b 72 a3 65 c6 97 5e d1 00 00 00 00 02 00  ...r.e..^.......
  00d0  14 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00  ..D.E.S.K.T.O.P.
  00e0  2d 00 56 00 4d 00 01 00 14 00 44 00 45 00 53 00  -.V.M.....D.E.S.
  00f0  4b 00 54 00 4f 00 50 00 2d 00 56 00 4d 00 04 00  K.T.O.P.-.V.M...
  0100  14 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00  ..D.E.S.K.T.O.P.
  0110  2d 00 56 00 4d 00 03 00 14 00 44 00 45 00 53 00  -.V.M.....D.E.S.
  0120  4b 00 54 00 4f 00 50 00 2d 00 56 00 4d 00 07 00  K.T.O.P.-.V.M...
  0130  08 00 a6 7c 6c 24 e2 ec d9 01 06 00 04 00 02 00  ...|l$..........
  0140  00 00 08 00 30 00 30 00 00 00 00 00 00 00 01 00  ....0.0.........
  0150  00 00 00 20 00 00 93 ec 0e c8 a2 99 01 eb 98 82  ... ............
  0160  e3 7c e2 c9 de b3 e0 ba 66 fc 8b 6f ef 29 cf 36  .|......f..o.).6
  0170  43 2b b2 80 7a fd 0a 00 10 00 00 00 00 00 00 00  C+..z...........
  0180  00 00 00 00 00 00 00 00 00 00 09 00 00 00 00 00  ................
  0190  00 00 00 00 00 00                                ......
AcceptSecurityContext failed with secstatus code 0x8009030c

Edit:

I've tried your last version on x64 Windows 11 22621 running on VmWare 17. It fails with same message.

Forging a token from a fake Network Authentication through Datagram Contexts
NTLM Negotiate Type1 buffer (size 0):
  ZERO LENGTH
NTLM Challenge Type2 buffer (size 208):
  0000  4e 54 4c 4d 53 53 50 00 02 00 00 00 00 00 00 00  NTLMSSP.........
  0010  38 00 00 00 f3 82 98 e2 02 81 0f c1 0f 68 d3 04  8............h..
  0020  00 00 00 00 00 00 00 00 98 00 98 00 38 00 00 00  ............8...
  0030  0a 00 5d 58 00 00 00 0f 02 00 1e 00 44 00 45 00  ..]X........D.E.
  0040  53 00 4b 00 54 00 4f 00 50 00 2d 00 55 00 47 00  S.K.T.O.P.-.U.G.
  0050  4a 00 45 00 38 00 55 00 49 00 01 00 1e 00 44 00  J.E.8.U.I.....D.
  0060  45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 55 00  E.S.K.T.O.P.-.U.
  0070  47 00 4a 00 45 00 38 00 55 00 49 00 04 00 1e 00  G.J.E.8.U.I.....
  0080  44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00  D.E.S.K.T.O.P.-.
  0090  55 00 47 00 4a 00 45 00 38 00 55 00 49 00 03 00  U.G.J.E.8.U.I...
  00a0  1e 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00  ..D.E.S.K.T.O.P.
  00b0  2d 00 55 00 47 00 4a 00 45 00 38 00 55 00 49 00  -.U.G.J.E.8.U.I.
  00c0  07 00 08 00 ed 58 1b bb e6 ec d9 01 00 00 00 00  .....X..........
NTLM Authenticate Type3 buffer (size 466):
  0000  4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00  NTLMSSP.........
  0010  9e 00 00 00 1c 01 1c 01 b6 00 00 00 1e 00 1e 00  ................
  0020  58 00 00 00 0a 00 0a 00 76 00 00 00 1e 00 1e 00  X.......v.......
  0030  80 00 00 00 00 00 00 00 d2 01 00 00 45 82 80 22  ............E.."
  0040  0a 00 5d 58 00 00 00 0f 5d d9 23 63 d8 55 0d 05  ..]X....].#c.U..
  0050  cd cc 68 fd c2 0b 0e f2 44 00 45 00 53 00 4b 00  ..h.....D.E.S.K.
  0060  54 00 4f 00 50 00 2d 00 55 00 47 00 4a 00 45 00  T.O.P.-.U.G.J.E.
  0070  38 00 55 00 49 00 61 00 64 00 6d 00 69 00 6e 00  8.U.I.a.d.m.i.n.
  0080  44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00  D.E.S.K.T.O.P.-.
  0090  55 00 47 00 4a 00 45 00 38 00 55 00 49 00 00 00  U.G.J.E.8.U.I...
  00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00b0  00 00 00 00 00 00 4f 73 2f 21 f0 f6 73 36 0e fc  ......Os/!..s6..
  00c0  a7 e8 92 8a 7b 23 01 01 00 00 00 00 00 00 ed 58  ....{#.........X
  00d0  1b bb e6 ec d9 01 c5 e6 b0 98 e9 96 fa 98 00 00  ................
  00e0  00 00 02 00 1e 00 44 00 45 00 53 00 4b 00 54 00  ......D.E.S.K.T.
  00f0  4f 00 50 00 2d 00 55 00 47 00 4a 00 45 00 38 00  O.P.-.U.G.J.E.8.
  0100  55 00 49 00 01 00 1e 00 44 00 45 00 53 00 4b 00  U.I.....D.E.S.K.
  0110  54 00 4f 00 50 00 2d 00 55 00 47 00 4a 00 45 00  T.O.P.-.U.G.J.E.
  0120  38 00 55 00 49 00 04 00 1e 00 44 00 45 00 53 00  8.U.I.....D.E.S.
  0130  4b 00 54 00 4f 00 50 00 2d 00 55 00 47 00 4a 00  K.T.O.P.-.U.G.J.
  0140  45 00 38 00 55 00 49 00 03 00 1e 00 44 00 45 00  E.8.U.I.....D.E.
  0150  53 00 4b 00 54 00 4f 00 50 00 2d 00 55 00 47 00  S.K.T.O.P.-.U.G.
  0160  4a 00 45 00 38 00 55 00 49 00 07 00 08 00 ed 58  J.E.8.U.I......X
  0170  1b bb e6 ec d9 01 06 00 04 00 02 00 00 00 08 00  ................
  0180  30 00 30 00 00 00 00 00 00 00 01 00 00 00 00 20  0.0............
  0190  00 00 c9 81 f8 71 06 74 ff df 33 45 84 a2 de 62  .....q.t..3E...b
  01a0  c0 c1 d8 3e 56 0a 4d 77 1e af 4b 16 5e 1b b6 3b  ...>V.Mw..K.^..;
  01b0  8b 0e 0a 00 10 00 00 00 00 00 00 00 00 00 00 00  ................
  01c0  00 00 00 00 00 00 09 00 00 00 00 00 00 00 00 00  ................
  01d0  00 00                                            ..
AcceptSecurityContext failed with secstatus code 0x8009030c

Both are using NAT for network connection.
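The two dumps above are raw MS-NLMP messages. As an added example (not code from this issue, UACMe or SspiUacBypass), the following Python decodes the first CHALLENGE_MESSAGE (Type 2) dump: its header fields, NegotiateFlags and the TargetInfo AV pairs, so the dump can be read without counting offsets by hand. Field layout is taken from MS-NLMP; the sample bytes are copied from the 19044 VM dump above.

```python
# Added example, not code from the issue, UACMe or SspiUacBypass: decode an NTLM
# CHALLENGE_MESSAGE (Type 2) per MS-NLMP 2.2.1.2, including the NegotiateFlags
# (2.2.2.5) and the TargetInfo AV_PAIR list (2.2.2.1).
import struct
from datetime import datetime, timedelta, timezone

# Subset of MS-NLMP NegotiateFlags bits worth reading off a challenge.
NEGOTIATE_FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000040: "DATAGRAM",
    0x00000080: "LM_KEY", 0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00100000: "IDENTIFY",
    0x00800000: "TARGET_INFO", 0x02000000: "VERSION", 0x20000000: "128",
    0x40000000: "KEY_EXCH", 0x80000000: "56",
}
# AvId values of the TargetInfo AV_PAIR entries.
AV_IDS = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
          3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
          6: "MsvAvFlags", 7: "MsvAvTimestamp", 9: "MsvAvTargetName"}
STRING_AV_IDS = {1, 2, 3, 4, 5, 9}

def filetime_to_iso(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc)
            + timedelta(microseconds=ft // 10)).isoformat()

def parse_av_pairs(blob):
    """Walk the AV_PAIR list until MsvAvEOL; string values are UTF-16LE."""
    pairs, pos = [], 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:
            break
        if av_id in STRING_AV_IDS:
            value = value.decode("utf-16-le")
        elif av_id == 7:
            value = struct.unpack("<Q", value)[0]  # FILETIME, see filetime_to_iso
        pairs.append((AV_IDS.get(av_id, f"Unknown({av_id})"), value))
    return pairs

def parse_challenge(msg):
    """Return the CHALLENGE_MESSAGE fields as a dict; ValueError if malformed."""
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type, tn_len, _tn_max, tn_off, flags, challenge, _reserved,
     ti_len, _ti_max, ti_off) = struct.unpack_from("<IHHII8s8sHHI", msg, 8)
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE_MESSAGE (2), got type {msg_type}")
    info = {
        "target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "flags": {name for bit, name in NEGOTIATE_FLAGS.items() if flags & bit},
        "server_challenge": challenge.hex(),
        "target_info": parse_av_pairs(msg[ti_off:ti_off + ti_len]),
    }
    if flags & 0x02000000 and len(msg) >= 56:  # VERSION field is present
        info["version"] = struct.unpack_from("<BBH", msg, 48)  # major, minor, build
    return info

# Constructed input: the 168-byte Type2 buffer from the first dump above (19044 VM).
SAMPLE_TYPE2 = bytes.fromhex(
    "4e544c4d535350000200000000000000" "38000000f38298e2398405f2ce401ae5"
    "00000000000000007000700038000000" "0a00614a0000000f0200140044004500"
    "53004b0054004f0050002d0056004d00" "010014004400450053004b0054004f00"
    "50002d0056004d000400140044004500" "53004b0054004f0050002d0056004d00"
    "030014004400450053004b0054004f00" "50002d0056004d0007000800a67c6c24"
    "e2ecd90100000000")

if __name__ == "__main__":
    info = parse_challenge(SAMPLE_TYPE2)
    print("server challenge:", info["server_challenge"])
    print("server version  :", info.get("version"))
    print("flags           :", ", ".join(sorted(info["flags"])))
    for name, value in info["target_info"]:
        print(f"{name:22} {filetime_to_iso(value) if name == 'MsvAvTimestamp' else value}")
```

The decoded flags show DATAGRAM and IDENTIFY set and the TargetInfo naming DESKTOP-VM, which matches what the thread reads off the dump; the same parser applies unchanged to the 22621 dump.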

antonioCoco commented 9 months ago

Thanks for verifying. The security buffers are looking good.

The last idea that comes to my mind is if you configured your "admin" user with a blank password... NTLM responses generated from blank passwords aren't accepted during network authentications.

hfiref0x commented 9 months ago

Your guess was correct. With a password set, this bypass works. However, this requirement significantly lowers this method's value.

antonioCoco commented 9 months ago

Finally! 🎉 Glad that the root cause has been found.

BTW I disagree, and I'm not here to argue on what is valuable and what is not. If you think the effort to merge this code is not worth its value, fair, but it's your decision.

I will remain available in case any further assistance is needed for the integration. If not, feel free to close the issue. 👍

hfiref0x commented 9 months ago

I'll try to add this to the next version, thanks. Regarding the RPC SCM calls used in this PoC, what is the origin of the internal structures?

antonioCoco commented 9 months ago

They are undocumented. According to the researcher who wrote this implementation:

"I logged the communication of the Windows service APIs by hooking the NtWriteFile, NtReadFile, and NtFsControlFile functions. I analysed this data flow to gradually build my own RPC client.

After I got my first version working, I found some useful information in the Wireshark documentation which helped me label the remaining unknown fields in the RPC headers." ref --> https://www.x86matthew.com/view_post?id=create_svc_rpc

I slightly changed this code to force the usage of SMB instead of ALPC and that's it.

My initial concern was about potential changes across different OS versions, but from my tests it appears they haven't changed at least since Win7.

hfiref0x commented 9 months ago

I'm asking this because the following RPC code seems unaware of UNICODE data and works only with ANSI, and there is no easy workaround (like changing data types etc., and there are a lot of "magic numbers" used). So far it is stuck at the StartService RPC call with ERROR_FILE_NOT_FOUND as the result.

antonioCoco commented 9 months ago

Yeah, I noticed that.

The OP numbers are hardcoded into the ANSI version functions in the SCM. With a little effort with Wireshark I have been able to adjust it to point to the Wide version opnums. Some tweaking to the NDR marshalling for UNICODE has also been applied in func _RpcAppendRequestDataBinary.

You can find the unicode version of the PoC at --> https://github.com/antonioCoco/SspiUacBypass/tree/unicode

Hope that is helpful.

hfiref0x commented 9 months ago

https://github.com/hfiref0x/UACME/commit/4c95fcfc201200ffff7365578188997c036a7a83 should integrate it, let me know if you want to add something else before I merge this to master.

antonioCoco commented 9 months ago

Looking great!

Just FYI, you defined supGetThreadTokenImpersonationLevel but it is never used in the code. Maybe you wanted to use it for implementing my IsThreadTokenIdentification check?

hfiref0x commented 9 months ago

Yes, corrected it.