Questions about this topic? Sign up to ask in the talk tab.

Import:UAC Bypass

From NetSec
Revision as of 12:32, 20 October 2012 by MinnaMichalik (Talk | contribs)

Jump to: navigation, search

UAC has been used in every version of Windows since Windows Vista, it requires the user to click on the "yes" button everytime an application requires a higher set of permissions to run. Without going into the granules of the Windows security model, UAC will run a set of heuristics on a file to query if it needs elevated permissions.

UAC Bypassing is a very commonly used technique in installations of malware, and other attacks against Windows. Even though Microsoft has been informed many times of the bugs within UAC and the ability to bypass it with simplistic techniques, Microsoft still has not fixed it, and has continued to use it in their latest release Windows 8.

The entire process of bypassing UAC relies on process hijacking or process spawning, if an attacker is able to hijack a process that can either create elevated COM objects or spawn a process and have the process run code, UAC will not be triggered. A few pre-elevated processes are:

  • taskmgr.exe
  • cleanmgr.exe
  • diskpart.exe

A few processes that can create elevated COM objects are:

  • explorer.exe
  • notepad.exe
  • calc.exe

Code can be injected into a running process using APIs like WriteProcessMemory and CreateRemoteThread.