- Mar 22, 2017
He used a confirmed escalation of privilege exploit - more than likely one of the many that are passed around the pen-tester community. He needed to bypass UAC and elevate the agent so he could run the Mimikatz module, which itself needs admin privileges.
He used the Invoke-BypassUAC.ps1 that's in the privsec\bypassmodule. In the command you see him type, "bypassuac EmsiBypass", bypassuac is an alias and EmsiBypass is the listener, which must be specified. The elevated agent is denoted by the * symbol next to it. Next he runs Mimikatz.
Emsisoft itself was not exploited.
If Emsisoft was not the target, their security was circumvented. Still the loser of the test in the end, technically.
It's just like accidentally executing malware, which happens all the time: malware which does stuff to your system, malware which should've been stopped by the AV that says it will protect you with a thousand layers. Again, Emsisoft is great, but it has its weaknesses, like any other AV.
Let's call this malware 0-day, as they don't have signatures for it. As an example, many Metasploit exploits are blocked by AVs, but just because they are known as being used for illegal activities. It's a matter of perception really; Metasploit is not meant for illegal stuff, but rather to demonstrate that your product has its weaknesses in some versions, in some circumstances and environments.