BYOVD attack - CIS case
<blockquote data-quote="Andy Ful" data-source="post: 1109240" data-attributes="member: 32260"><p>Understand. You probably mean the UAC setting ConsentPromptBehaviorUser = 0. This setting will fully block the UAC bypass from the video. However, ConsentPromptBehaviorUser = 0 does not disable the elevation but blocks the possibility of entering the credentials via the UAC credential prompt on SUA. This can be bypassed if the attacker knows the Admin password and can pass it through without using the credential prompt.</p><p></p><p>Technically, process elevation is impossible on SUA. To elevate, the process execution must be redirected to the Admin account. In Windows, this is usually done via the UAC credential prompt, but there are other possibilities too. After entering the credentials the process runs with high privileges on the Admin account.</p><p></p><p>Anyway, the UAC bypass in the video uses the auto elevation feature of the Windows system process. This method will not work on SUA even on default UAC settings (elevation tweak for standard accounts is not required). Next, the malware can behave in three ways:</p><ol> <li data-xf-list-type="ol">It will run with standard rights on SUA.</li> <li data-xf-list-type="ol">It will refuse to run.</li> <li data-xf-list-type="ol">It can trigger the UAC credential prompt (POC from the video, blocked by ConsentPromptBehaviorUser = 0)</li> </ol></blockquote><p></p>
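The following PowerShell audit script is an added example, not code from the post or its author: it reads the UAC policy values under the HKLM policy key and reports whether the standard-user credential prompt discussed above is closed (ConsentPromptBehaviorUser = 0 with UAC enabled). It assumes a Windows host; the value meanings follow Microsoft's documented policy semantics, and the defaults assumed for missing values are noted in comments.

```powershell
# Added example (not from the post): audit the UAC policy values that decide whether a
# standard user account (SUA) can be elevated through the UAC credential prompt.
# The values live in the HKLM policy key and are readable from a non-elevated session.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorUser
# (policy: "User Account Control: Behavior of the elevation prompt for standard users")
$UserBehavior = @{
    0 = 'Automatically deny elevation requests (no credential prompt on SUA)'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (Windows default)'
}

function Get-UacElevationPolicy {
    $p = Get-ItemProperty -Path $Path

    # A value that is absent from the key means the Windows default applies
    # (assumed defaults: EnableLUA=1, ConsentPromptBehaviorUser=3, PromptOnSecureDesktop=1).
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $user      = if ($null -ne $p.ConsentPromptBehaviorUser) { [int]$p.ConsentPromptBehaviorUser } else { 3 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorUser  = $user
        UserPromptMeaning          = $UserBehavior[$user]
        PromptOnSecureDesktop      = $secure
        # The credential-prompt route described in the post is closed only when UAC is on
        # and elevation requests from standard users are automatically denied.
        SuaCredentialPromptBlocked = ($enableLua -eq 1 -and $user -eq 0)
    }
}

Get-UacElevationPolicy | Format-List
```

As the post notes, SuaCredentialPromptBlocked = True only removes the prompt path; it does not stop elevation by someone who already holds the Admin password, so treat it as one layer alongside strong Admin credentials.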