Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others’ company. Arthur Schopenhauer

Bypassing UAC in the most Complex Way Possible

While it’s not something I spend much time on, finding a new way to bypass UAC is always amusing. When reading through some of the features of the Rubeus tool I realised that there was a possible way of abusing Kerberos to bypass UAC, at least on domain-joined systems. It’s unclear whether this has been documented before; this post seems to discuss something similar, but it relies on performing the UAC bypass from another system, whereas what I’m going to describe works locally. Even if it has been described as a technique before, I’m not sure it’s been documented how it works under the hood.