Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Import:UAC Bypass"

From NetSec
Jump to: navigation, search
(Created page with "UAC has been used in every version of Windows since Windows Vista, it basically requires the user to click on the "yes" button everytime an application requires a higher set of p...")
 
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
UAC has been used in every version of Windows since Windows Vista, it basically requires the user to click on the "yes" button everytime an application requires a higher set of permissions to run. I won't go into the granules of the Windows security model, but UAC will run a set of heuristics on a file to query if it needs elevated permissions.
+
{{cleanup}}
  
UAC Bypassing is a very commonly used technique in installations of malware, and other attacks against Windows. Even though Microsoft has been informed many times of the bugs within UAC and the ability to bypass it with simplistic techniques, Microsoft still has not fixed it, and has continued to use it in their latest release Windows 8. Lets get down to some techniques.
+
'''UAC''' has been used in every version of Windows since Windows Vista, it requires the user to click on the "yes" button everytime an application requires a higher set of permissions to run. Without going into the granules of the Windows security model, UAC will run a set of heuristics on a file to query if it needs elevated permissions.
  
The entire process of bypassing UAC relies on process hijacking or process spawning, if you are able to hijack a process that can either create elevated COM objects or spawn a process and have the process run your code, you will not recieve a UAC prompt. A few pre-elevated processes are:
+
'''UAC Bypassing''' is a very commonly used technique in installations of malware, and other attacks against Windows. Even though Microsoft has been informed many times of the bugs within UAC and the ability to bypass it with simplistic techniques, Microsoft still has not fixed it, and has continued to use it in their latest release Windows 8.
 +
 
 +
The entire process of bypassing UAC relies on process hijacking or process spawning, if an attacker is able to hijack a process that can either create elevated COM objects or spawn a process and have the process run code, UAC will not be triggered. A few pre-elevated processes are:
 
:*taskmgr.exe
 
:*taskmgr.exe
 
:*cleanmgr.exe
 
:*cleanmgr.exe
Line 14: Line 16:
 
:*calc.exe
 
:*calc.exe
  
The most amazing thing is that you can inject code into a running process by using APIs like ''WriteProcessMemory'' and ''CreateRemoteThread''.
+
Code can be injected into a running process using APIs like ''WriteProcessMemory'' and ''CreateRemoteThread''.

Latest revision as of 12:37, 20 October 2012

UAC has been used in every version of Windows since Windows Vista, it requires the user to click on the "yes" button everytime an application requires a higher set of permissions to run. Without going into the granules of the Windows security model, UAC will run a set of heuristics on a file to query if it needs elevated permissions.

UAC Bypassing is a very commonly used technique in installations of malware, and other attacks against Windows. Even though Microsoft has been informed many times of the bugs within UAC and the ability to bypass it with simplistic techniques, Microsoft still has not fixed it, and has continued to use it in their latest release Windows 8.

The entire process of bypassing UAC relies on process hijacking or process spawning, if an attacker is able to hijack a process that can either create elevated COM objects or spawn a process and have the process run code, UAC will not be triggered. A few pre-elevated processes are:

  • taskmgr.exe
  • cleanmgr.exe
  • diskpart.exe

A few processes that can create elevated COM objects are:

  • explorer.exe
  • notepad.exe
  • calc.exe

Code can be injected into a running process using APIs like WriteProcessMemory and CreateRemoteThread.