@Jack, thanks for editing my first post.
Why should this post be edited? I put some code in it, taken from the excellent article "Living off the land and fileless attack techniques" (An ISTR Special Report, July 2017). The two lines of simple code easily bypassed UAC on an Admin account. I tried the code on my computer (the newest Windows 10, freshly updated) and it worked well, as follows:
1. The first command hid some executable code in the environment variable %WinDir% by modifying a registry key available to a standard user ("HKCU\Environment").
2. The second command fooled the system scheduled task DiskCleanup\SilentCleanup into running, with silent elevation, the executable code hidden in the environment variable %WinDir%, and then cleaned up the registry changes from point 1.
After some time, I made some tests on Windows 8 and noticed that there is no such scheduled task as DiskCleanup\SilentCleanup, so the above bypass would not work (also on Windows Vista and 7). Next, I realized that if the second command failed, the bad %WinDir% value would be persistent (not good news).
The quick solution to this problem was to add a third command that cleans the registry changes made by the first command even when the second command fails (deleting the registry value "windir" in the key "HKCU\Environment"):
reg delete hkcu\Environment /v windir /f
Important.
If someone tried the original code from the Example in my first post (before today) on Windows Vista, 7 or 8, then it is necessary to run the above command to clean the registry and remove the bad value of the %WinDir% environment variable.
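
A defensive check for the leftover value described in the post, as an added example that is not part of the original post: it reports any per-user "windir" value under the Environment key and can remove it, going beyond the single HKCU case by covering every user hive currently loaded under HKEY_USERS. The function name and the -Remove switch are hypothetical; %WinDir% is normally defined machine-wide, so any per-user hit deserves a look.

```powershell
# Added example: audit per-user overrides of %WinDir% in <user hive>\Environment.
# Find-UserWinDirOverride and -Remove are hypothetical names chosen for this sketch.
function Find-UserWinDirOverride {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Remove   # delete the override after reporting it
    )

    # Real user hives only: skip .DEFAULT, service SIDs and the *_Classes hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $hives) {
        $sid  = $hive.PSChildName
        $path = "Registry::HKEY_USERS\$sid\Environment"
        $key  = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }

        # Value names are case-insensitive, so this also matches "WinDir".
        # Read the raw data so a REG_EXPAND_SZ value is shown unexpanded.
        $raw = $key.GetValue('windir', $null, 'DoNotExpandEnvironmentNames')
        if ($null -eq $raw) { continue }

        $finding = [pscustomobject]@{
            Sid     = $sid
            Value   = $raw
            Kind    = $key.GetValueKind('windir')
            Removed = $false
        }

        # Same effect as "reg delete hkcu\Environment /v windir /f" for that user.
        if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Remove windir value')) {
            Remove-ItemProperty -Path $path -Name 'windir' -ErrorAction Stop
            $finding.Removed = $true
        }
        $finding
    }
}

# Report only; add -Remove (optionally with -WhatIf) to clean up.
Find-UserWinDirOverride | Format-Table -AutoSize
```

Run from a standard session it sees only the current user's hive; an elevated session also sees the hives of other logged-on users.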