Questions about this topic? Sign up to ask in the talk tab.

Import:UAC Bypass

From NetSec
Revision as of 01:36, 3 August 2012 by LashawnSeccombe (Talk | contribs) (Created page with "UAC has been used in every version of Windows since Windows Vista, it basically requires the user to click on the "yes" button everytime an application requires a higher set of p...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

UAC has been used in every version of Windows since Windows Vista, it basically requires the user to click on the "yes" button everytime an application requires a higher set of permissions to run. I won't go into the granules of the Windows security model, but UAC will run a set of heuristics on a file to query if it needs elevated permissions.

UAC Bypassing is a very commonly used technique in installations of malware, and other attacks against Windows. Even though Microsoft has been informed many times of the bugs within UAC and the ability to bypass it with simplistic techniques, Microsoft still has not fixed it, and has continued to use it in their latest release Windows 8. Lets get down to some techniques.

The entire process of bypassing UAC relies on process hijacking or process spawning, if you are able to hijack a process that can either create elevated COM objects or spawn a process and have the process run your code, you will not recieve a UAC prompt. A few pre-elevated processes are:

  • taskmgr.exe
  • cleanmgr.exe
  • diskpart.exe

A few processes that can create elevated COM objects are:

  • explorer.exe
  • notepad.exe
  • calc.exe

The most amazing thing is that you can inject code into a running process by using APIs like WriteProcessMemory and CreateRemoteThread.