App Review: Microsoft Defender's challenge

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful
The best method to stop such attacks is prevention against UAC bypasses. One can use a SUA, which can probably stop almost all of them. Also, UAC set to the max setting can prevent most such attempts. Of course, one can use additional security layers that can restrict scripting, exploits, etc.
The problem can still be with lateral movement in Enterprises.

I think that the most probable scenarios are:

Loader (like GuLoader) -----> UAC bypass + method from the video
Lateral movement ------> using stolen Administrator credentials ------> method from the video
Spearphishing ------> user thinks that the malware is an updater -------> user bypasses manually UAC ------> method from the video

Generally, there are more popular attack vectors, so the chances of being attacked in this way are rather small.
 
You are right. If this attack is treated as a full attack, it is kinda stupid.
There is nothing stupid about showing these folks the main underlying issue in security, as it has always been when it comes to Windows and the Swiss cheese of security holes it has always been. There is a reason constant updates and security patches are implemented into this operating system. If one were to consider how many times in the past things have been embedded in legit programs bypassing security suites, they could quickly realize that a POC such as this could be weaponized easily. Pointing out such flaws is helpful in every way, as stated before. Although it's up to security vendors and OS engineers to take these findings seriously before they do end up being exploited, especially in a business environment.
 
@Andy Ful or anyone else for that matter,

would setting the "User Account Control Behaviour of the elevation prompt for standard users" under Group Policy in Win 10/11 Pro to 'Automatically deny elevation requests" help to thwart this type of threat, or would a UAC bypass defeat it?


I suppose what I'm also trying to get at is that it's my understanding, anyway, that the safest way to use a SUA is to run it only as a SUA and never elevate any task from it. Rather, all elevation tasks should be done from a separate Admin account.
 
The presented method is not a full attack, and it is not probable that it can affect home users. However, it can probably be used as a part of targeted attacks in businesses.
Interestingly, Tamper protection was bypassed in the video.

The best method to stop such attacks is prevention against UAC bypasses. One can use a SUA, which can probably stop almost all of them. Also, UAC set to the max setting can prevent most such attempts. Of course, one can use additional security layers that can restrict scripting, exploits, etc.
The problem can still be with lateral movement in Enterprises. (my Bold added)

Generally, there are more popular attack vectors, so the chances of being attacked in this way are rather small.
Andy, thank you for those disclaimers, which help a normal home user like myself not go into panic mode. My takeaway from all of this is to bump my UAC up to the next level.

 
@Andy Ful or anyone else for that matter,

would setting the "User Account Control Behaviour of the elevation prompt for standard users" under Group Policy in Win 10/11 Pro to 'Automatically deny elevation requests" help to thwart this type of threat, or would a UAC bypass defeat it?


I suppose what I'm also trying to get at is that it's my understanding, anyway, that the safest way to use a SUA is to run it only as a SUA and never elevate any task from it. Rather, all elevation tasks should be done from a separate Admin account.
This policy is included in H_C (No Elevation on SUA). It is as strong as a SUA, but you simply will not see the UAC credential prompt. If something can bypass UAC on a SUA, it can also bypass this policy.
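The settings discussed above (UAC at its maximum level, and the "Automatically deny elevation requests" policy for standard users) all live in one registry key. The script below is an added example, not code from the thread or from its author; it reads the documented UAC values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and reports which of the recommended settings are missing. Nothing machine-specific is assumed; the function and variable names are mine.

```powershell
# Added example (not code from the thread or its author): audits the UAC values
# behind the settings discussed above. Key path and value names are the
# documented ones under Policies\System; no machine-specific data is assumed.
$script:UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # A missing value reads as $null, and [int]$null is 0, the weakest meaning for each setting.
    $p = Get-ItemProperty -Path $script:UacKey
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA                   # 1 = UAC on
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin  # 2 = consent on secure desktop ("Always notify")
        ConsentPromptBehaviorUser  = [int]$p.ConsentPromptBehaviorUser   # 0 = automatically deny elevation requests
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop       # 1 = prompt on the secure desktop
    }
}

function Test-UacHardening {
    param([Parameter(Mandatory)][pscustomobject]$Policy)
    $findings = New-Object System.Collections.Generic.List[string]
    if ($Policy.EnableLUA -ne 1) {
        $findings.Add('UAC is disabled (EnableLUA is not 1); every other UAC setting is moot.')
    }
    # "Always notify" (top slider position) = ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1.
    # The Windows default is 5 (prompt only for non-Windows binaries), the level the posts above
    # recommend raising.
    if ($Policy.ConsentPromptBehaviorAdmin -ne 2 -or $Policy.PromptOnSecureDesktop -ne 1) {
        $findings.Add("UAC is below 'Always notify' (ConsentPromptBehaviorAdmin=$($Policy.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($Policy.PromptOnSecureDesktop)).")
    }
    # The Group Policy asked about in the thread: on a standard user account (SUA),
    # elevation requests are denied outright instead of showing a credential prompt.
    if ($Policy.ConsentPromptBehaviorUser -ne 0) {
        $findings.Add("Standard users still get a credential prompt (ConsentPromptBehaviorUser=$($Policy.ConsentPromptBehaviorUser); 0 = automatically deny).")
    }
    if ($findings.Count -eq 0) { return 'OK: UAC at Always notify, SUA elevation requests auto-denied.' }
    return $findings.ToArray()
}

function Set-UacMaximum {
    # Applies the hardened values. Needs an elevated prompt; takes effect at next logon.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $values = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; ConsentPromptBehaviorUser = 0; PromptOnSecureDesktop = 1 }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$($script:UacKey)\$name", "set to $($values[$name])")) {
            Set-ItemProperty -Path $script:UacKey -Name $name -Value $values[$name] -Type DWord
        }
    }
}

Test-UacHardening -Policy (Get-UacPolicy)
# Preview the change without applying it:
# Set-UacMaximum -WhatIf
```

Run it from any account to audit; the `Set-UacMaximum` step needs an administrator prompt. Note that the check only confirms the policy is configured; as the reply above says, a UAC bypass that works against a SUA also defeats the auto-deny policy, since both rely on the same elevation boundary.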
 
At least in the case of this bypass demo, UAC seems kind of dumb to me. I guess (sorry, bear with me, I may be way off on this) the kDefender file you launch elevated is a shortcut that runs a script via Windows Command Processor, which of course UAC correctly sees as a signed Microsoft publisher file, as seen with the grey background UAC prompt, but why can it not recognize, for instance, the "I_am_nice_and_clean.dat" file and alert on it, or anything else that may be a part of the payload? Is it because it's a .dat file and not an executable?

If using a HIPS or similar program, could it not be possible and effective protection to alert on any child processes that Command Prompt and other signed parent processes, such as PowerShell, attempt to launch?

EDIT

well I guess the bypass was designed to trick UAC
 
Thanks, although most home users have memory integrity enabled (it is on by default, see link). Also, would protected processes prevent shutting down the service?

BTW glad I am using your WHHL ;), WDAC-ISG uses higher integrity level than admin rights (y)(y)(y) (discussed on reddit)

The protected processes are User-mode AV services. Code Integrity protects them against thread injection and writing into their virtual memory.
Any non-Windows DLLs loaded into the protected service must be signed with the same certificate used to sign the anti-malware service.
If I correctly remember, the protected User-mode AV services can be blocked by the method used in the video.
I can make a video to be sure.
 
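The reply above describes how protected (PPL) AV services and Code Integrity shield the Defender user-mode services, and the question before it asks about memory integrity. The following script is an added example, not code from the thread or its author: it reports whether the Defender services are registered as protected services (the `LaunchProtected` service value), whether memory integrity (HVCI) is configured and actually running (the `Win32_DeviceGuard` WMI class), and Defender's Tamper Protection state. Paths, value names and class names are documented Windows interfaces; the function names are mine.

```powershell
# Added example (not from the thread): reports whether the Defender services are
# registered as protected (PPL) services and whether memory integrity (HVCI) is
# configured and running. Registry paths, value names and the Win32_DeviceGuard
# class are documented Windows interfaces; no machine-specific values are assumed.
function Get-ServiceProtection {
    param([string[]]$Name = @('WinDefend', 'WdNisSvc'))
    foreach ($svc in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $lp = (Get-ItemProperty -Path $key -Name LaunchProtected -ErrorAction SilentlyContinue).LaunchProtected
        # SERVICE_LAUNCH_PROTECTED_* values; a missing value ([int]$null = 0) means not protected.
        $level = switch ([int]$lp) {
            1 { 'Windows (PPL)' }
            2 { 'WindowsLight (PPL)' }
            3 { 'AntimalwareLight (PPL, the level AV vendors register via ELAM)' }
            default { 'none (not a protected service)' }
        }
        [pscustomobject]@{ Service = $svc; LaunchProtected = $lp; Level = $level }
    }
}

function Get-MemoryIntegrityState {
    # Configured state comes from the registry; running state from the DeviceGuard WMI class.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $configured = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $running = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
    [pscustomobject]@{ ConfiguredInRegistry = ([int]$configured -eq 1); Running = [bool]$running }
}

function Get-TamperProtectionState {
    # Get-MpComputerStatus belongs to the Defender module; it is absent where Defender is not installed.
    try { (Get-MpComputerStatus -ErrorAction Stop).IsTamperProtected } catch { $null }
}

Get-ServiceProtection | Format-Table -AutoSize
Get-MemoryIntegrityState
"Tamper Protection: $(Get-TamperProtectionState)"
```

The report only shows how the services are registered and which platform protections are on; as the reply above notes, PPL protects the service's threads and memory from an ordinary administrator, which is a different question from whether a given bypass can still block the service.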
Andy,

I don't suppose you could provide a basic flowchart of this bypass, without of course revealing details on how it works? :whistle:
 
At least in the case of this bypass demo, UAC seems kind of dumb to me.

UAC is only another warning that adds to others. If one cannot recognize the danger from warnings, then UAC can be only an annoying alert. The same is true, when the software or system produces too many warnings.

I guess (sorry, bear with me, I may be way off on this) the kDefender file you launch elevated is a shortcut that runs a script via Windows Command Processor, which of course UAC correctly sees as a signed Microsoft publisher file, as seen with the grey background UAC prompt, but why can it not recognize, for instance, the "I_am_nice_and_clean.dat" file and alert on it, or anything else that may be a part of the payload? Is it because it's a .dat file and not an executable?

Yes, the "I_am_nice_and_clean.dat" is not executable.

If using a HIPS or similar program, could it not be possible and effective protection to alert on any child processes that Command Prompt and other signed parent processes, such as PowerShell, attempt to launch?

It is possible. But in targeted attacks, the attacker will not use PowerShell or CMD, just like I did in Comodo's challenge part 2.
 
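The question about alerting on child processes of Command Prompt and PowerShell, and the answer that this is possible but limited, can be made concrete with a small rule of the kind a HIPS applies. The script below is an added example, not code from the thread or its author. It evaluates process-creation records shaped like Security event 4688 (Audit Process Creation): elevated script hosts spawning system-configuration tools, and script hosts launched elevated directly from Explorer (the "user manually bypasses UAC" path from the scenarios earlier in the thread). The sample records are constructed for the demonstration; the `Get-RecentProcessCreations` helper pulls real ones from the Security log.

```powershell
# Added example (not from the thread): a parent/child process rule of the kind a
# HIPS applies, run over constructed records shaped like Security event 4688.
# Field names match the 4688 EventData names; the paths and command lines in
# the sample are invented for the demonstration.
$ScriptHosts       = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
$SensitiveChildren = @('sc.exe', 'reg.exe', 'schtasks.exe', 'rundll32.exe', 'regsvr32.exe', 'net.exe')
$FullToken = '%%1937'   # TokenElevationType: %%1936 default, %%1937 full (elevated), %%1938 limited

function Test-ProcessChain {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent   = [IO.Path]::GetFileName($e.ParentProcessName).ToLowerInvariant()
        $child    = [IO.Path]::GetFileName($e.NewProcessName).ToLowerInvariant()
        $elevated = ($e.TokenElevationType -eq $FullToken)
        $reason = $null
        if ($elevated -and ($ScriptHosts -contains $parent) -and ($SensitiveChildren -contains $child)) {
            $reason = 'elevated script host spawned a system-configuration tool'
        } elseif ($elevated -and ($ScriptHosts -contains $child) -and ($parent -eq 'explorer.exe')) {
            $reason = 'script host launched elevated directly from the shell (manual UAC approval)'
        }
        if ($reason) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
                Reason      = $reason
            }
        }
    }
}

function Get-RecentProcessCreations {
    # Needs "Audit Process Creation" enabled and an elevated prompt to read the Security log.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $fields = @{ TimeCreated = $_.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

# Constructed sample records (not real log data). Expected: the first two are flagged, the last two are not.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01T10:00:00'; ParentProcessName = 'C:\Windows\explorer.exe';          NewProcessName = 'C:\Windows\System32\cmd.exe';    CommandLine = 'cmd.exe /c run.cmd';                          TokenElevationType = '%%1937' }
    [pscustomobject]@{ TimeCreated = '2024-01-01T10:00:01'; ParentProcessName = 'C:\Windows\System32\cmd.exe';      NewProcessName = 'C:\Windows\System32\sc.exe';     CommandLine = 'sc.exe config ExampleSvc start= disabled';    TokenElevationType = '%%1937' }
    [pscustomobject]@{ TimeCreated = '2024-01-01T10:05:00'; ParentProcessName = 'C:\Windows\System32\cmd.exe';      NewProcessName = 'C:\Windows\System32\whoami.exe'; CommandLine = 'whoami';                                      TokenElevationType = '%%1938' }
    [pscustomobject]@{ TimeCreated = '2024-01-01T10:06:00'; ParentProcessName = 'C:\Windows\System32\services.exe'; NewProcessName = 'C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe'; CommandLine = ''; TokenElevationType = '%%1936' }
)
Test-ProcessChain -Events $sample | Format-Table -AutoSize
# Against the live log: Test-ProcessChain -Events (Get-RecentProcessCreations)
```

The rule keys on the elevation token rather than on the executable name alone, so ordinary non-elevated shell use does not fire. It is only as good as the reply above says: it covers loaders and manual elevation that go through cmd or PowerShell, and an attacker who avoids those hosts entirely walks past it, which is why the UAC and SUA settings discussed earlier remain the primary control.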