Administrators Group: UAC Bypass in Windows 7 to… 10!

Presented at ekoparty 14 (2018), Sept. 27, 2018, 4 p.m. (120 minutes)

In this workshop, different techniques that allow a user to bypass UAC in Windows, will be presented.It will be explained what UAC is and how a pentester can skip it in a Pentest. Besides, the possible benefits obtained will be displayed in a practical manner. Finally, it will be shown, how to seize these techniques in a real Pentest and the situations in which these can be obtained. Including the Fileless technics of UAC Bypass that can help to a new permanence level in the device. Got it Super User!...and all of this from Windows 7 to 10! The attendants will know the latest techniques of UAC bypass. They will understand its concept and what it means. They will understand what they can do with that. It will all be practical so that the attendant can seize it in their intrusion tests. The agenda follows: Introduction: The manifest, the self-rising and the "relaxing" of the UAC policy in Windows 7. UAC bypass types. Going deeper: DLL Hijacking. Real case: Examples: (Example of an own compmgmtlauncher.exe) Techniques of file copying to secure locations thanks to a WUSA (Win 7/8/8.1) and IfileOperation (Win10) will be shown. Going deeper: Fileless. Real case: Examples, advantages of Fileless (Are all of them patched? we´ll see...). Variable environment injections based bypass. The tool UAC-A-Mola (Black Hat Arsenal 2017 Europa) is shown, which is used to investigations in new bypasses, detection, exploiting and mitigation. Things to bear in mind while in the workshop: UAC bypasses are modern, discovered at the end of 2016, 2017 and beginning of 2018 (mostly 2017-2018). The level of detail which is used when talking. Besides, showing an own DLL Hijacking over Invoke-CompMgmtLauncher. Everything will be live. Live demonstrations and with public interaction. The knowledge will flow in a special way.

Presenters:

• Pablo González
  Pablo Gonzalez works at Telefónica in Spain. He is an informatics engineer and has a post-graduate degree in informatics security. He has been speaker in Black Hat Europe 2017, 8dot8 2014 y 2015, Rooted CON, among others. MVP in Microsoft 2017-2018. Author of several books in cybersecurity: Metasploit para Pentesters, Ethical Hacking, Pentesting con Kali, Hacking con Metasploit, Got Root, Pentesting con Powershell 0xword editorial. Passionate for disclosure and cybersecurity. He is co-founder a¿in Flu-Project and founder of the HackersClub. He has been working for more than 10 years in cybersecurity. He is professor of varied master-degrees in cybersecurity in different Universities (UEM, UNIR, UOC, URJC).

Links:

• http://ekoparty.org/workshop-administrators-group.php

Similar Presentations:

• DEF CON 30 (2022) / Save The Environment (Variable): Hijacking Legitimate Applications with a Minimal Footprint
• DerbyCon 7.0 Legacy (2017) / Not a Security Boundary: Bypassing User Account Control
• Black Hat USA 2010 / Standing on the Shoulders of the Blue Monster: Hardening Windows Applications