While it's not something I spend much time on, finding a new way to bypass UAC is always amusing. When reading through some of the features of the Rubeus tool I realised that there was a possible way of abusing Kerberos to bypass UAC, well, on domain-joined systems at least. It's unclear whether this has been documented before; this post seems to discuss something similar but relies on doing the UAC bypass from another system, whereas what I'm going to describe works locally. Even if it has been described as a technique before, I'm not sure it's been documented how it works under the hood.
- The user SID is not a member of the local account domain.
- The LocalAccountTokenFilterPolicy LSA policy is non-zero, which disables the local account filtering.
- The product type is NtProductLanManNt, which actually corresponds to a domain controller.
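As an added example (not code from the original post), here is a PowerShell audit that reports which of those three conditions hold on the host it runs on, so an administrator can see whether a network logon would be exempt from local account token filtering. It assumes the usual policies key for LocalAccountTokenFilterPolicy and the Win32_OperatingSystem ProductType encoding (1 = workstation, 2 = domain controller, 3 = member server).

```powershell
# Audit example (added here, not part of the original post): report which of the
# three conditions that exempt a logon from local account token filtering apply.

# 1. LocalAccountTokenFilterPolicy: a non-zero value disables the local account
#    filtering. Registry location assumed to be the standard policies key.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = (Get-ItemProperty -Path $policyPath -Name LocalAccountTokenFilterPolicy `
    -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
$policyEnabled = ($null -ne $policy) -and ($policy -ne 0)

# 2. Product type: Win32_OperatingSystem.ProductType is 2 on a domain controller
#    (NtProductLanManNt), 1 on a workstation and 3 on a member server.
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$isDomainController = ($productType -eq 2)

# 3. Is the current user's SID outside the local account domain? Compare the
#    domain part of the user's SID with the machine SID, taken from the built-in
#    Administrator account (RID 500). Get-LocalUser is unavailable on a domain
#    controller, in which case the machine SID stays $null and the check reports
#    the user as outside the local account domain, which is correct there.
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$userDomainSid = $user.User.AccountDomainSid.Value
$machineSid = (Get-LocalUser -ErrorAction SilentlyContinue |
    Where-Object { $_.SID.Value -like '*-500' }).SID.AccountDomainSid.Value
$isDomainAccount = ($userDomainSid -ne $machineSid)

# Any one of the three conditions means the local account filter is skipped.
[pscustomobject]@{
    User                          = $user.Name
    UserSidOutsideLocalDomain     = $isDomainAccount
    LocalAccountTokenFilterPolicy = $policyEnabled
    IsDomainController            = $isDomainController
    LocalAccountFilterApplies     = -not ($isDomainAccount -or $policyEnabled -or $isDomainController)
}
```

Run it from an ordinary (non-elevated) PowerShell session; a LocalAccountTokenFilterPolicy of 1 on a workstation is the setting most often found where it was not intended, since it is commonly enabled for remote administration and rarely reviewed afterwards.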
Well, about that!
- Query for the user's TGT using the delegation trick.
- Make a request to the KDC for a new service ticket for the local machine using the TGT. Add a KERB-AD-RESTRICTION-ENTRY but fill in a bogus machine ID.
- Import the service ticket into the cache.
- Access the SCM to bypass UAC.