
UAC Bypass


J0k3rj0k3r


UAC Bypass Using eventvwr.exe and Registry Hijacking


This technique differs from the other public techniques by having a few handy benefits:


  • This technique does not require dropping a traditional file to the file system. Most (if not all) public UAC bypasses currently require dropping a file (typically a DLL) to the file system, which increases the risk of the attacker getting caught. Since this technique doesn't drop a traditional file, that extra risk is mitigated.
  • This technique does not require any process injection, so the attack won't get flagged by security solutions that monitor for that type of behavior.
  • There is no privileged file copy required. Most UAC bypasses need some sort of privileged file copy to get a malicious DLL into a secure location and set up a DLL hijack. Since it is possible to replace the executable that eventvwr.exe starts in order to load the required snap-in, an existing, trusted Microsoft binary can simply be used to execute code in memory instead.

This particular technique can be remediated by setting the UAC level to "Always Notify" or by removing the current user from the local Administrators group. If you would like to monitor for this attack, you can use signatures that look for and alert on new registry entries under HKCU\Software\Classes.
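The monitoring idea above, worked through as an added example (not part of the original post): a small Python checker that runs over constructed Sysmon-style events and flags writes under the per-user Classes hive, plus any child of eventvwr.exe other than the one it is expected to launch. It assumes Sysmon's field names (EventID, TargetObject, Image, ParentImage) and that mmc.exe is the only child eventvwr.exe normally starts; the sample events are made up.

```python
import re

# Registry paths under the per-user Classes hive, as Sysmon reports them:
# "HKCU\Software\Classes\..." or "HKU\<SID>\Software\Classes\...".
USER_CLASSES = re.compile(r"^HK(?:CU|U\\[^\\]+)\\Software\\Classes\\", re.IGNORECASE)
# Assumption: mmc.exe is the only child eventvwr.exe should normally start.
EXPECTED_CHILD = "mmc.exe"

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def check_event(ev):
    """Return alert strings for one Sysmon-style event dict (empty if benign)."""
    alerts = []
    if ev["EventID"] in (12, 13):          # registry key created / value set
        target = ev.get("TargetObject", "")
        if USER_CLASSES.match(target):
            alerts.append(f"user Classes hive modified: {target} by {_basename(ev.get('Image', ''))}")
    elif ev["EventID"] == 1:               # process creation
        parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
        if parent == "eventvwr.exe" and child != EXPECTED_CHILD:
            alerts.append(f"eventvwr.exe spawned unexpected child: {child}")
    return alerts

def scan(events):
    """Run check_event over a sequence of events and collect every alert."""
    return [alert for ev in events for alert in check_event(ev)]

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Classes\exampleprogid\shell\open\command\(Default)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\mmc.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the user-hive write and the unexpected child produce alerts; the HKLM write and the normal mmc.exe launch are left alone.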

