explaingit

0xhossam/uncanny

Analysis updated 2026-05-18

12CAudience · researcherComplexity · 5/5Setup · hard

TLDR

Security research documenting a Windows bug where a non-admin user can trick a system service into leaking machine-account network credentials.

Mindmap

mindmap
  root((UNCanny))
    What it does
      Documents NTLM coercion bug
      Uses install service plugin loading
      Leaks machine account auth
    Tech Stack
      C
      Windows
      PowerShell
      SMB
    Use Cases
      Security research reference
      Understand coercion techniques
      Lab reproduction and study
    Audience
      Security researchers
      Red teamers
    Setup
      Requires Developer Mode enabled
      Patch Impacket SMB server
      Not reliable for real operations

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Study a real world example of Windows service plugin resolution abuse.

USE CASE 2

Learn how NTLM coercion techniques are discovered and documented.

USE CASE 3

Reproduce the proof of concept in an authorized lab to understand machine-account credential leaks.

What is it built with?

CWindowsPowerShellSMB

How does it compare?

0xhossam/uncannyalexanderpach/low-latency-audio-pipelineatc1441/atc_rtl_ble_oepl
Stars121212
LanguageCCC
Setup difficultyhardmoderatehard
Complexity5/54/55/5
Audienceresearcherdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1day+

Requires a Windows lab with Developer Mode enabled and a patched Impacket SMB server to reproduce.

In plain English

UNCanny is a security research project that documents a technique for forcing a Windows machine to authenticate as itself (using its machine account) over a network, triggered by a normal user with no administrator access. This kind of technique is called NTLM coercion, and it is used in penetration testing and red team engagements to capture network credentials that can then be relayed to other systems on the same network. The author is clear that this primitive has significant limitations and is not reliable for real operations, but considers the research worth publishing. The technique works by abusing the Windows Store install service, a background process that runs with full system privileges to manage app installations. That service supports third-party plugins, and it loads them by looking up an installed package by name, finding where that package is stored on disk, and loading a DLL from that location. The key detail is that Windows allows any regular user to register a package whose install location points to a network share (a UNC path) rather than a local folder. When the install service tries to load a plugin from that network share, the operating system sends an authentication request to the attacker's server using the machine account, not the user's account. The attacker captures that credential. There is also a local privilege escalation path described in the README. If the attacker places a specially crafted DLL on the network share before the service loads it, the service will execute that DLL code as the SYSTEM account (the highest privilege level on a Windows machine). The work item the trigger creates also gets queued to disk and replays on reboot, meaning the coercion continues repeating until the registered package is removed. The main precondition that limits practical use is that Developer Mode must be enabled on the target machine. This setting allows loose-file app registration, which is what makes the UNC package registration possible. It is common on developer workstations but uncommon on locked-down corporate machines. The repository includes a proof-of-concept script and setup instructions for Kali Linux. The author notes this was published as a research artifact for others studying the same attack surface, not as a ready-to-deploy tool.

Copy-paste prompts

Prompt 1
Explain how the Windows Store install service plugin resolution bug works in plain terms.
Prompt 2
Walk me through why registering a UNC-based app package triggers machine authentication.
Prompt 3
Help me understand the limitations and preconditions of this coercion technique.

Frequently asked questions

What is uncanny?

Security research documenting a Windows bug where a non-admin user can trick a system service into leaking machine-account network credentials.

What language is uncanny written in?

Mainly C. The stack also includes C, Windows, PowerShell.

How hard is uncanny to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is uncanny for?

Mainly researcher.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.