[Plugin] Add mmc_clsid_uac_bypass/data/adversaries/clsid_escalation_chain.yml #3185

Open
wants to merge 1 commit into base: master

Conversation

vVv-Keys

Description

Adds a new adversary profile (clsid_escalation_chain.yml) under the plugin mmc_clsid_uac_bypass. This profile chains multiple real-world TTPs, beginning with the MMC CLSID UAC bypass contributed earlier, followed by host reconnaissance and simulated lateral movement actions. It is designed to support purple team exercises and adversary emulation using only built-in Windows binaries.

This profile is especially useful for defenders and red teams aiming to test detection logic for:

  • UAC bypass via registry hijack
  • Discovery actions without external tools
  • Lateral movement attempts via standard OS capabilities

Summary

This update adds an adversary chain that combines a custom CLSID UAC bypass with standard system discovery and lateral movement techniques.

The chain emulates a stealthy post-exploitation scenario where a local user:

  1. Escalates privileges using a COM hijack on an MMC auto-elevated CLSID
  2. Performs host-based discovery
  3. Attempts lateral movement via SMB share access

Reference Techniques

  • T1548.002 – Bypass User Access Control (via CLSID hijack)
  • T1082 – System Information Discovery
  • T1077 – Lateral Movement via SMB/Net Use

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

  • Confirmed adversary profile appears in the Caldera UI
  • Executed full chain using a deployed Sandcat agent on a Windows VM
  • Verified successful payload execution, discovery commands, and simulated lateral movement
  • Ensured cleanup logic from abilities executes as expected
  • Used only native Windows commands (no external payload dependencies)

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works

This update adds an adversary chain that combines the CLSID UAC bypass with system discovery and lateral movement techniques.

Reference:
T1548.002 – UAC Bypass
T1082 – System Information Discovery
T1077 – Lateral Movement via SMB/Net Use
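The detection side of the first link in this chain, as an added example that is not part of the PR or of the Caldera project: a small Python correlator that flags a COM server registration written under a user's own Classes hive (the registry hijack the profile exercises) and raises severity when the same user then starts mmc.exe at High integrity shortly afterwards. The key=value log format, the SIDs, the CLSIDs and the file paths are constructed placeholders loosely modelled on Sysmon registry and process-creation records, and the 300-second window is a tuning assumption.

```python
import re
from typing import Dict, List

# Constructed sample telemetry in a simplified "Key=Value Key=Value" line
# format, loosely modelled on Sysmon registry-value-set (EventID 13) and
# process-creation (EventID 1) records. SIDs, CLSIDs and file paths are
# placeholders; none of this is log data from the PR or from Caldera.
SAMPLE_LOG = r"""
Time=100 EventID=13 User=S-1-5-21-1111-2222-3333-1001 Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default) Details=C:\Users\alice\AppData\Local\Temp\stage.dll
Time=130 EventID=1 User=S-1-5-21-1111-2222-3333-1001 Image=C:\Windows\System32\mmc.exe IntegrityLevel=High ParentImage=C:\Windows\System32\cmd.exe CommandLine=mmc.exe
Time=900 EventID=13 User=S-1-5-21-1111-2222-3333-1002 Image=C:\Program Files\Vendor\setup.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1002\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32\(Default) Details=C:\Program Files\Vendor\ext.dll
Time=2000 EventID=1 User=S-1-5-21-1111-2222-3333-1002 Image=C:\Windows\System32\mmc.exe IntegrityLevel=High ParentImage=C:\Windows\explorer.exe CommandLine=mmc.exe
"""

# "Key=Value" pairs; a value runs until the next " Key=" so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# COM server registrations under a user's own Classes hive. Per-user entries
# take precedence over the HKLM registration during COM lookup, which is what
# a CLSID hijack relies on; installers also write here legitimately, hence
# the correlation step below instead of alerting on the write alone.
USER_CLSID_SERVER_RE = re.compile(
    r"^HKU\\(S-1-5-21-[0-9-]+)\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\"
    r"(InprocServer32|LocalServer32|TreatAs)",
    re.IGNORECASE,
)

# Seconds between the per-user CLSID write and an elevated mmc.exe start
# within which the two are treated as one chain (tuning assumption).
CORRELATION_WINDOW_SECONDS = 300


def parse_line(line: str) -> Dict[str, str]:
    """Turn one constructed log line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Return findings in log order: a low-severity note for every per-user
    CLSID server write, plus a high-severity alert when the same user then
    starts mmc.exe at High integrity inside the correlation window."""
    findings: List[Dict[str, str]] = []
    pending_writes: List[Dict[str, str]] = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if ev.get("EventID") == "13":
            m = USER_CLSID_SERVER_RE.match(ev.get("TargetObject", ""))
            if not m:
                continue
            write = {"time": ev["Time"], "sid": m.group(1), "clsid": m.group(2),
                     "value": m.group(3), "writer": ev.get("Image", ""),
                     "server": ev.get("Details", "")}
            pending_writes.append(write)
            findings.append({"severity": "low", "rule": "user_clsid_server_write", **write})
        elif (ev.get("EventID") == "1"
              and ev.get("Image", "").lower().endswith("\\mmc.exe")
              and ev.get("IntegrityLevel") == "High"):
            for w in pending_writes:
                delta = int(ev["Time"]) - int(w["time"])
                if w["sid"] == ev.get("User") and 0 <= delta <= CORRELATION_WINDOW_SECONDS:
                    findings.append({"severity": "high",
                                     "rule": "user_clsid_write_then_elevated_mmc",
                                     "parent": ev.get("ParentImage", ""), **w})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["severity"].upper(), f["rule"], f["sid"], f["clsid"], f["server"])
```

On the constructed sample the first user's write is followed 30 seconds later by an elevated mmc.exe and produces the high-severity alert; the second user's write looks like a vendor installer with no elevated console start inside the window and stays a low-severity note for review. In a real pipeline the same two fields (the registry TargetObject and the process IntegrityLevel) come straight from the Sysmon events, and the server path written (user-writable temp directory versus Program Files) is a useful extra feature to weigh.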
vVv-Keys changed the title from "plugins/mmc_clsid_uac_bypass/data/adversaries/clsid_escalation_chain.yml" to "[Plugin] Add mmc_clsid_uac_bypass/data/adversaries/clsid_escalation_chain.yml" on Jun 21, 2025