User Account like a Castle

Windows_Security

Mar 13, 2016
1,298
hehe Andy with Sully, I tried to set up something similar to automate the tweaks of SafeAdmin, but you are implementing them all by yourself, so I humbly say Andy San thank you very much ;)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Dec 23, 2014
8,497
hehe Andy with Sully, I tried to set up something similar to automate the tweaks of SafeAdmin, but you are implementing them all by yourself, so I humbly say Andy San thank you very much ;)
You are welcome - good ideas should be developed.:)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Dec 23, 2014
8,497
@Jack, thanks for editing my first post. Why should this post be edited? I put in it some code, taken from the excellent article "Living off the land and fileless attack techniques" (An ISTR Special Report, July 2017). The two lines of simple code easily bypassed UAC on an Admin account. I tried the code on my computer (the newest Windows 10, freshly updated) and it worked well, as follows:
1. The first command hid some executable code in the environment variable %WinDir% by modifying a registry key available to a standard user ("HKCU\Environment").
2. The second command fooled the system scheduled task DiskCleanup\SilentCleanup into running, with silent elevation, the executable code hidden in the environment variable %WinDir%, and then cleaned up the registry changes from point 1.
After some time, I made some tests on Windows 8 and noticed that there is no such scheduled task as DiskCleanup\SilentCleanup, so the above bypass would not work (nor on Windows Vista and 7). Next, I realized that if the second command failed, the bad %WinDir% value would persist (not good news).
The quick solution to this problem was adding a third command to clean the registry changes made by the first command, even when the second command fails (deleting the registry value "windir" in the key "HKCU\Environment"):
reg delete hkcu\Environment /v windir /f

Important.
If someone tried the original code from the Example in my first post (before today) on Windows Vista, 7 or 8, then it is necessary to run the above command to clean the registry and clear the bad value of the %WinDir% environment variable.
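The cleanup command above removes one specific leftover, a user-scope "windir" value under HKCU\Environment. A defender checking a machine for that leftover would rather audit the whole key for any user-scope value that shadows a variable Windows normally defines only at machine scope, since a user-scope value wins when a process resolves %WinDir% and friends. The following PowerShell is an added example for this thread, not code from the post or from Hard_Configurator; the function names and the list of system-scoped variable names are my own choices.

```powershell
# Added example (not from the thread): audit HKCU\Environment for user-scope
# values that shadow variables Windows defines at machine scope. A user-scope
# "windir" is exactly the artifact the thread's "reg delete" command removes.

# Names assembled by hand for this example; a copy under HKCU\Environment is
# suspicious because the user-scope value takes precedence for new processes.
$SystemScopedNames = @('windir', 'SystemRoot', 'SystemDrive', 'ComSpec',
                       'ProgramFiles', 'ProgramData', 'PUBLIC')

function Get-UserEnvironmentOverride {
    [CmdletBinding()]
    param([string]$KeyPath = 'HKCU:\Environment')

    $key = Get-Item -Path $KeyPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        # -contains compares case-insensitively, so "WinDir" and "windir" both match
        if ($SystemScopedNames -contains $name) {
            [pscustomobject]@{
                Name         = $name
                # Read the raw data without expanding %...% references inside it
                UserValue    = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                # Machine-scope registry value, if one exists (may be $null for
                # variables the system sets at logon rather than from the registry)
                MachineValue = [Environment]::GetEnvironmentVariable($name, 'Machine')
            }
        }
    }
}

function Remove-UserEnvironmentOverride {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$KeyPath = 'HKCU:\Environment')

    foreach ($hit in Get-UserEnvironmentOverride -KeyPath $KeyPath) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$($hit.Name)", 'Remove user-scope override')) {
            Remove-ItemProperty -Path $KeyPath -Name $hit.Name -ErrorAction Stop
            Write-Verbose "Removed $($hit.Name) (was '$($hit.UserValue)')"
        }
    }
}

# Report first; -WhatIf lists what would be deleted without touching the registry.
Get-UserEnvironmentOverride | Format-Table -AutoSize
Remove-UserEnvironmentOverride -WhatIf
```

Run it in the affected user's own session, since the key is per user. Deleting the value with either this function or `reg delete` does not notify already-running programs: Explorer and anything it has already launched keep the stale %WinDir% until the user logs off and on again, so check the variable from a fresh logon before considering the cleanup complete.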
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top