Not a Security Boundary: New Methods for Bypassing User Account Control
Matt Nelson (@enigma0x3)
SpecterOps
@enigma0x3
◈ Job: Red Teamer and Security Researcher at @SpecterOps
◈ Trainer: BlackHat 2016, ATRTO
◈ Blogger: enigma0x3.net
◈ Speaker: Various BSides, DerbyCon, ShmooCon, OPCDE
◈ Other: Multiple CVEs for Device Guard research, plenty of UAC bypasses & COM lover
tl;dr
◈ UAC/Integrity Level Overview
◈ Bypass Research Overview
◈ Bypass Evolution
◈ Mitigations
◈ Demos throughout!
UAC: What is it?
◈ UAC == User Account Control
◈ “UAC is meant to enable users to run with standard user rights, as opposed to administrative rights”
◈ If user == Local Administrator, two tokens are assigned to the logon session (split-token admin)
◈ If a user is not a local admin, UAC offers Over-the-Shoulder (OTS) elevation
◈ We will be focusing on the split-token admin scenario
https://technet.microsoft.com/en-us/library/2007.06.uac.aspx?f=255&MSPPError=-2147217396
Who Cares?
◈ Every organization has users in the Local Administrators group
◈ A common answer is “We have UAC set to Always Notify, so we are safe”
◈ Attackers encounter UAC all the time
  ◈ Roadblock between them and their objective
◈ Blue: Are you aware of all the users in your environment that are running as Local Administrators?
“Attackers don’t care about security boundaries” - Jessica Payne at MSIgniteNZ (@jepayneMSFT)
https://twitter.com/jepayneMSFT/status/791702594309677056
Security Boundary?
https://blogs.technet.microsoft.com/markrussinovich/2007/02/12/psexec-user-account-control-and-security-boundaries/
“What’s a security boundary? It’s a wall through which code and data can’t pass without the authorization of a security policy.” - Mark Russinovich
Security Boundary?
https://web.archive.org/web/20070303183621/http://microsofttech.fr.edgesuite.net/msexp/download/0370/0370_pres.zip
1. UAC/Integrity Level Overview
How these tie together
Integrity Levels
◈ An Integrity Level is assigned to a security access token
◈ Defined by SID; assists in Access Control for various OS components
◈ Mandatory access token policies
  ◈ TOKEN_MANDATORY_NO_WRITE_UP, TOKEN_MANDATORY_NEW_PROCESS_MIN
◈ The Security Reference Monitor compares the user/group SIDs in the security access token with the ACL on an object to determine access
Integrity Levels
https://msdn.microsoft.com/en-us/library/bb625963.aspx
Integrity Levels
◈ When researching UAC, we are mostly interested in 2 integrity levels:
  ◈ High Integrity (HI) security access token == Administrator
  ◈ Medium Integrity (MI) security access token == Normal user
◈ Split-Token admin processes are assigned a MI security access token
◈ Elevation via UAC == granted HI security access token
UAC Levels
◈ UAC level determines the notification level
◈ Technically 4 levels: Always Notify, Notify (Secure Desktop), Notify (No Secure Desktop), Never Notify
◈ Realistically, there are only 2 we care about
  ◈ Always Notify and the Default (Notify w/ Secure Desktop)
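To tie the two slides above together on a real host, here is an added example (my code, not from the deck) that reports the integrity level of the current token, whether it is the filtered half of a split-token admin logon, and which of the four UAC levels the host is configured for. It assumes Windows PowerShell 5.1 or later; the mandatory label and the deny-only attribute are read from whoami because WindowsIdentity.Groups does not expose them.

```powershell
# Added example (not from the slides): where does this process sit on the
# integrity ladder, and what will UAC do when something asks to elevate?

function Get-TokenIntegrityLevel {
    # The mandatory label SID is S-1-16-<RID>; whoami /groups lists it as a row.
    $names = @{ 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'Medium Plus'; 12288 = 'High'; 16384 = 'System' }
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
             Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $label) { return 'Unknown' }
    $rid = [int]($label.SID -replace '^S-1-16-', '')
    if ($names.ContainsKey($rid)) { $names[$rid] } else { "Unknown (RID $rid)" }
}

function Test-SplitTokenAdmin {
    # In the filtered (MI) token of a split-token logon BUILTIN\Administrators is
    # still present but marked "Group used for deny only", so IsInRole() is $false.
    # The attribute text is localized; adjust the match on non-English Windows.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    $adminSid  = [Security.Principal.SecurityIdentifier]::new(
                     [Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $adminRow  = whoami /groups /fo csv | ConvertFrom-Csv |
                 Where-Object { $_.SID -eq $adminSid.Value }
    [pscustomobject]@{
        IntegrityLevel  = Get-TokenIntegrityLevel
        Elevated        = $principal.IsInRole($adminSid)      # $true only with the HI token
        SplitTokenAdmin = [bool]($adminRow -and $adminRow.Attributes -match 'deny only')
    }
}

function Get-UacLevel {
    # The UAC slider writes these two values; the slide's four levels map as follows.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    if ($p.EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0)' }
    $secure = ($p.PromptOnSecureDesktop -eq 1)
    switch ($p.ConsentPromptBehaviorAdmin) {
        2       { if ($secure) { 'Always Notify' } else { 'Always Notify (no secure desktop)' } }
        5       { if ($secure) { 'Notify (Secure Desktop) [Default]' } else { 'Notify (No Secure Desktop)' } }
        0       { 'Never Notify' }
        default { "Custom (ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin))" }
    }
}

Test-SplitTokenAdmin | Format-List
"UAC level: $(Get-UacLevel)"
```

Run it once from a normal PowerShell window and once from an elevated one: the first reports Medium with SplitTokenAdmin set, the second reports High with Elevated set, which is the difference every bypass in this deck is trying to cross.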
2. Bypass Research Overview
A Quick Example
Purpose
◈ Silently obtain a HI security access token without raising suspicion to the user
◈ Often executed from an agent (Meterpreter, Empire, Beacon, etc.)
◈ You aren’t bypassing anything if you elevate while logged in via the GUI
  ◈ At that point, you can just click “Yes” on the UAC prompt...
Don’t be this guy....
Elevation Objects
◈ Identify objects that silently elevate
  ◈ Scheduled Tasks, Auto-Elevate Windows Binaries, COM interfaces, etc.
◈ Take these objects and trace their various execution behavior
◈ Determine any locations these objects interact with that a MI process can manipulate
  ◈ Can be registry keys, files, folders, etc.
Elevation Objects
Elevation Objects
Abusing These Objects
◈ After identifying an object that reads from a location you can modify, determine how to abuse it
  ◈ Registry key additions
  ◈ Environment variable manipulation
  ◈ Winning a race condition
◈ After modifying, these elevating objects should read and pull your payload
Abusing These Objects
3. Bypass Evolution
Then there was light
Disclaimer
◈ There are many public UAC bypasses that currently exist
  ◈ Most definitive source for all bypasses is @hfiref0x’s UACME project: https://github.com/hfiref0x/UACME
◈ This section only highlights the evolution of bypass tradecraft, not specific techniques.
  ◈ I will not cover every bypass nor every technique (we would be here for hours)
IFileOperation
◈ Leo Davidson released PoC code in 2009
  ◈ One of the first UAC bypasses to be publicly released
◈ IFileOperation::CopyItem()
  ◈ Has to be invoked from inside a Microsoft signed binary (can be spoofed)
◈ A privileged file copy opens up the possibility for a DLL hijack
◈ Fixed in Windows 10 RS2 (15007)
IFileOperation
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Bypass-UAC/Bypass-UAC.ps1
https://youtu.be/HPozzQHJez0
WUSA
◈ Original Finder: Vozzie
◈ Windows Update Standalone Installer
  ◈ Auto-Elevating Windows binary
◈ Pre-Windows 10, has an “/extract” flag
  ◈ Allows extraction of a cab from one location to another
◈ Cab a payload using makecab and perform a privileged file copy using: wusa <path> /extract <path>
WUSA
https://youtu.be/HPozzQHJez0
Registry Modification (eventvwr.exe)
◈ Abuses Registry verb handlers
  ◈ Shell\open\command, IsolatedCommand, etc.
  ◈ These values determine the binary and parameters for a specified verb
◈ Many binaries can be used here
◈ More: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Registry Modification (eventvwr.exe)
Registry Modification (eventvwr.exe)
Registry Modification (eventvwr.exe)
https://youtu.be/vauUN_vaL8I
https://twitter.com/JohnLaTwC/status/817010045464367111
Registry Modification (eventvwr.exe)
◈ Microsoft actually issued a fix in Windows 10 RS2 (15031)
http://www.winhelponline.com/blog/microsoft-fixes-eventvwr-exe-uac-bypass-exploit-windows-10-creators-update/
Race Condition (Disk Cleanup)
◈ Found by @mattifestation/@enigma0x3
◈ Windows 10 Scheduled Task with “Run with Highest Privileges” set
◈ Creates a folder in %localappdata%\Temp\<guid>
◈ Executes dismhost.exe in a HI context
◈ Dismhost.exe loads DLLs from the temp directory
◈ Fixed in Windows 10 RS2 (15031)
Race Condition (Disk Cleanup)
Race Condition (Disk Cleanup)
Race Condition (Disk Cleanup)
Race Condition (Disk Cleanup)
https://youtu.be/tryZ_45kQOw
Environment Variables (Disk Cleanup)
◈ Discovered by James Forshaw (@tiraniddo)
◈ Same Scheduled Task as the Race Condition
◈ Utilizes an environment variable in its action
◈ These environment variables can be modified without elevation
  ◈ HKEY_CURRENT_USER\Environment
Environment Variables (Disk Cleanup)
https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html
Environment Variables (Disk Cleanup)
◈ Hijacking the %windir% environment variable can lead to silent elevation when the task is run
  ◈ reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM "
◈ More: https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html
Environment Variables (Disk Cleanup)
https://youtu.be/KQC7wAEMsTQ
COM Hijacking
◈ Finders: @FuzzySec/@enigma0x3
◈ Hijack InProcServer32, Server or LocalServer32 & invoke an auto-elevating binary that instantiates that COM object
  ◈ Our malicious binary loads
COM Hijacking
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server]
@="C:\\Users\\Matt\\Desktop\\MessageBox64.dll"
COM Hijacking
https://youtu.be/0tD7wHvblmA
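The three registry-based techniques in this section (the eventvwr verb handler, the Disk Cleanup environment variable and the COM server hijack) share one property: every write lands under HKCU, where a medium-integrity process is allowed to write. The following added example (my code, not from the deck or from UACME) turns that into a hunt: it enumerates exactly those per-user locations and lists what is registered there. It assumes Windows PowerShell 5.1 or later; the extra environment variable names beyond windir are my additions.

```powershell
# Added example (not from the slides): enumerate the per-user registry locations
# that the verb-handler, environment-variable and COM hijacks in this deck rely on.
# Needs no elevation, because a normal user can read (and write) all of HKCU.

function Get-UserHijackArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Per-user overrides of system-scope environment variables. The slides cover
    #    %windir%; the other names are system variables I add to the watch list
    #    because a per-user copy of any of them is just as out of place.
    $watch   = 'windir', 'SystemRoot', 'ProgramFiles', 'ProgramData', 'CommonProgramFiles', 'ComSpec'
    $userEnv = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
    if ($userEnv) {
        foreach ($name in $userEnv.PSObject.Properties.Name) {
            if ($watch -contains $name) {
                $findings.Add([pscustomobject]@{
                    Technique = 'EnvironmentVariable'
                    Location  = "HKEY_CURRENT_USER\Environment\$name"
                    Value     = $userEnv.$name
                })
            }
        }
    }

    # 2. Verb handlers and COM server registrations under HKCU\Software\Classes.
    #    ...\shell\<verb>\command is the eventvwr pattern (default value plus the
    #    IsolatedCommand value); CLSID\{guid}\InProcServer32|LocalServer32|Server is
    #    the COM hijack pattern from the previous slide.
    $keys = Get-ChildItem -Path 'HKCU:\Software\Classes' -Recurse -ErrorAction SilentlyContinue
    foreach ($k in $keys) {
        $props   = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        $default = if ($props) { $props.'(default)' } else { $null }

        if ($k.Name -match '\\shell\\[^\\]+\\command$') {
            $cmd = @($default, $props.IsolatedCommand) | Where-Object { $_ }
            $findings.Add([pscustomobject]@{
                Technique = 'VerbHandler'
                Location  = $k.Name
                Value     = ($cmd -join ' | ')
            })
        }
        elseif ($default -and
                $k.Name -match '\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\(InProcServer32|LocalServer32|Server)$') {
            $findings.Add([pscustomobject]@{
                Technique = 'ComServer'
                Location  = $k.Name
                Value     = $default
            })
        }
    }
    return $findings
}

Get-UserHijackArtifacts | Format-Table -AutoSize -Wrap
```

Per-user application installs legitimately register COM servers under HKCU, so treat ComServer hits as a review list and compare the DLL path against the installed software; an EnvironmentVariable hit or a VerbHandler whose command points into a user-writable path is far harder to explain away.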
Token Manipulation
◈ Discovered by James Forshaw (@tiraniddo):
  ◈ https://tyranidslair.blogspot.com/2017/05/reading-your-way-around-uac-part-1.html
◈ Weaponized by Ruben Boonen (@fuzzysec)
◈ Forget auto-elevating objects…
◈ Uses DuplicateTokenEx() to duplicate a HI token & calls CreateProcessWithLogonW() with that new token
◈ Results in an Always Notify bypass without any OS modifications :-)
Token Manipulation
https://youtu.be/xpbC9M2sGpM
Token Manipulation
◈ https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1 by @fuzzysec
  ◈ Took @tiraniddo’s post and weaponized it
  ◈ Uses Add-Type to interface with the Win32 API
  ◈ Compiles and drops files to disk
Token Manipulation
◈ Re-implemented via PSReflect
  ◈ https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-TokenDuplication.ps1
◈ Enumerates process list and checks for a process with a HI security access token
  ◈ When one is found, uses that ProcID to elevate
  ◈ If one is not, starts one via the RunAs verb
4. Mitigations
Let’s Be Real
Local Admin Accounts
◈ Every environment I have ever operated in had a percentage of users that were local administrators on their own host...
Stop Running as a Local Administrator
◈ Why do users need to be local administrators?
◈ Stop it.
  ◈ Seriously.
◈ Practice real least privilege
  ◈ pls.
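The Who Cares? slide asks blue teams whether they know who is running as a local administrator, and this slide tells them to stop it; the added example below (my code, not from the deck) is the first step in between: pull the local Administrators membership from a list of hosts and flag every member that is not one of the expected defaults. The host names and the expected-member SID patterns are placeholders to replace with your own; it assumes WinRM is enabled and Windows PowerShell 5.1 or later, which ships Get-LocalGroupMember.

```powershell
# Added example (not from the slides): who is actually in the local Administrators
# group across a set of hosts, and which of those memberships were not planned?

$Hosts    = 'WKSTN-01', 'WKSTN-02'          # placeholder host names
$Expected = @(
    'S-1-5-21-*-500',                         # built-in local Administrator (RID 500)
    'S-1-5-21-*-512'                          # Domain Admins (RID 512)
)                                             # add your own management group SIDs here

function Get-LocalAdminMembers {
    param([string[]]$ComputerName)
    # Look the group up by its well-known SID so the check is independent of the
    # localized "Administrators" name; flatten each member to plain strings so the
    # objects survive remoting cleanly.
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    Member          = $_.Name
                    SID             = $_.SID.Value
                    ObjectClass     = $_.ObjectClass          # User or Group
                    PrincipalSource = "$($_.PrincipalSource)" # Local, ActiveDirectory, MicrosoftAccount
                }
            }
    }
}

function Get-UnexpectedLocalAdmins {
    param([object[]]$Members, [string[]]$ExpectedSidPatterns)
    # Anything whose SID matches none of the expected patterns is a membership
    # somebody granted by hand: exactly the split-token admin population the deck
    # is talking about, and the first list to work through.
    foreach ($m in $Members) {
        $known = $false
        foreach ($pattern in $ExpectedSidPatterns) {
            if ($m.SID -like $pattern) { $known = $true; break }
        }
        if (-not $known) { $m }
    }
}

$members = Get-LocalAdminMembers -ComputerName $Hosts
Get-UnexpectedLocalAdmins -Members $members -ExpectedSidPatterns $Expected |
    Sort-Object Computer, Member | Format-Table -AutoSize
```

Nested groups are reported as ObjectClass Group and are not expanded here; resolve their members in the directory, since a domain group in the local Administrators group is the usual way the population grows unnoticed.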
CREDITS
◈ Special Thanks:
  ◈ James Forshaw (@tiraniddo)
  ◈ Ruben Boonen (@FuzzySec)
  ◈ Matt Graeber (@mattifestation)
  ◈ @hfiref0x
  ◈ & many more for their great research!
THANKS!
Any questions?
@enigma0x3
matt@specterops.io
Resources
◈ https://blogs.technet.microsoft.com/markrussinovich/2007/02/12/psexec-user-account-control-and-security-boundaries/
◈ https://github.com/FuzzySecurity/DefCon25
◈ https://github.com/hfiref0x/UACME
◈ https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-TokenDuplication.ps1

Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
 
Team Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public servicesTeam Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public services
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
 
Understanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat IntelligenceUnderstanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat Intelligence
 
My President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodieMy President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodie
 
Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...
 

Not a Security Boundary: Bypassing User Account Control

Editor's Notes

  1. Note that we are focusing on split-token admins (AAM, Admin Approval Mode); OTS exploitation is likely possible. Split-token == the user is a Local Administrator; UAC gives the user a normal (filtered) token, and elevation then grants the process an administrative token.
  2. Note that we are focusing on split-token admins (AAM, Admin Approval Mode); OTS exploitation is likely possible. Split-token == the user is a Local Administrator; UAC gives the user a normal (filtered) token, and elevation then grants the process an administrative token.
  3. Blue: Do you know how many users are Local Admins on their own host?
  4. Lee & Jeffery Derby 2016 keynote: “What do you have and what do you get?” One user should not be able to read or modify the data of another user, nor be able to cause other users to execute code, without the permission of the other user.
  5. Mark Russinovich, Windows Vista User Account Control Internals
  6. TOKEN_MANDATORY_NO_WRITE_UP: The default policy that is assigned to all access tokens. The policy restricts write access by this subject to any object at a higher integrity level.
  7. Won't outline all IFileOperation DLL hijack bypasses, just cover the IFileOperation technique
  8. Requires injection into explorer.exe to call the method
  9. Call sequence: OpenProcess, OpenProcessToken, DuplicateTokenEx, AllocateAndInitializeSid, NtSetInformationToken (lower the token's integrity level), NtFilterToken (creates a new restricted token), DuplicateTokenEx, ImpersonateLoggedOnUser and then CreateProcessWithLogonW
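As an added example (not part of the talk or its notes), the following PowerShell inspects the current process token to answer the questions notes 1, 2 and 6 raise from the defender's side: is this a split-token admin running a filtered token, at what integrity level, and is the default TOKEN_MANDATORY_NO_WRITE_UP policy set. It assumes advapi32's GetTokenInformation and the documented TOKEN_INFORMATION_CLASS values (TokenElevationType = 18, TokenMandatoryPolicy = 27); the helper name Get-TokenDword is our own.

```powershell
# Added example: report elevation type, integrity level and mandatory policy of the
# current token. Uses only documented Win32 calls; no elevation is performed.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

# Helper (our own name): read a 4-byte token information value for a given class.
function Get-TokenDword {
    param([IntPtr]$Token, [int]$Class)
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(4)
    try {
        $len = 0
        if (-not [Win32.Token]::GetTokenInformation($Token, $Class, $buf, 4, [ref]$len)) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "GetTokenInformation(class $Class) failed with Win32 error $err"
        }
        return [Runtime.InteropServices.Marshal]::ReadInt32($buf)
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

$id    = [Security.Principal.WindowsIdentity]::GetCurrent()
$token = $id.Token

# TokenElevationType (18): 1 = Default (no linked token), 2 = Full (elevated),
# 3 = Limited (the filtered token a split-token admin normally runs with).
$elevNames = @{ 1 = 'Default (not a split-token admin)'
                2 = 'Full (elevated admin token)'
                3 = 'Limited (filtered split-token admin)' }
$elevType  = $elevNames[(Get-TokenDword $token 18)]

# TokenMandatoryPolicy (27): bit 0x1 is TOKEN_MANDATORY_POLICY_NO_WRITE_UP,
# the default policy note 6 describes (no writes to higher-IL objects).
$noWriteUp = ((Get-TokenDword $token 27) -band 0x1) -ne 0

# The integrity level is carried as a Mandatory Label group SID, S-1-16-<RID>.
$ilSid  = ($id.Groups | Where-Object { $_.Value -like 'S-1-16-*' } | Select-Object -First 1).Value
$ilName = 'Unknown'
if ($ilSid) {
    $ilNames = @{ 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }
    $ilName  = $ilNames[[int](($ilSid -split '-')[-1])]
}

[pscustomobject]@{
    User            = $id.Name
    ElevationType   = $elevType
    IntegrityLevel  = "$ilName ($ilSid)"
    NoWriteUpPolicy = $noWriteUp
}
```

Run it once from a normal prompt and once from an elevated one on a split-token admin account: the same user reports Limited/Medium in the first case and Full/High in the second, which is the gap every bypass in this talk is trying to cross.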