The document discusses bypassing User Account Control (UAC) on Windows systems. It begins with an overview of UAC and how it works to prevent unauthorized elevation of privileges. It then covers various methods that have been used to bypass UAC, such as DLL hijacking, COM interface elevation, and token impersonation. The document concludes by demonstrating a new UAC bypass technique discovered by the author that leverages a vulnerability in the "dccw.exe" process and involves DLL hijacking. Code samples implementing the technique in C++ and Metasploit are provided.
8. UAC Bypass
An attack that executes code with administrator rights without prompting the user for consent on Windows systems. Some requirements must be met in most cases:
- Vulnerable auto-elevate process.
- The user belongs to the Administrators group.
- The UAC security level is not set to "Always Notify".
Diagram labels: Attacker, UAC, Administrator Shell.
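The two host-side requirements above can be audited from the host itself. The following PowerShell is an added example, not part of the original deck: it reads the documented UAC policy values (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`) and the current token's group list to report whether the preconditions for a bypass hold. The "vulnerable auto-elevate process" requirement cannot be checked generically and is deliberately left out.

```powershell
# Added audit script (not from the slide deck). Reports whether the UAC bypass
# preconditions listed on the slide hold for the current user and machine:
# the user is in Administrators and the UAC slider is below "Always notify".
function Get-UacBypassExposure {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy    = Get-ItemProperty -Path $policyKey

    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = prompt for consent on
    # the secure desktop, 5 = prompt only for non-Windows binaries (the default).
    # "Always notify" is 2 combined with PromptOnSecureDesktop = 1.
    $alwaysNotify = ($policy.ConsentPromptBehaviorAdmin -eq 2) -and
                    ($policy.PromptOnSecureDesktop -eq 1)
    $uacEnabled   = ($policy.EnableLUA -eq 1)

    # whoami lists every group SID in the token, including the Administrators
    # SID marked "deny only" on a filtered (medium-integrity) admin token, which
    # is exactly the situation a UAC bypass targets.
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $isAdminMember = [bool]$adminEntry
    $filteredToken = $isAdminMember -and ($adminEntry.Attributes -match 'deny only')

    $identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = [System.Security.Principal.WindowsPrincipal]$identity
    # True only when the process already runs with the full (elevated) admin token.
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    $preconditionsMet = $uacEnabled -and $isAdminMember -and -not $alwaysNotify
    $remediation = if ($preconditionsMet) {
        'Set ConsentPromptBehaviorAdmin=2 and PromptOnSecureDesktop=1, or use a standard user account for daily work'
    } elseif (-not $uacEnabled) {
        'UAC is disabled: everything already runs elevated, enable it (EnableLUA=1)'
    } else {
        'None for the preconditions checked here'
    }

    [pscustomobject]@{
        User                       = $identity.Name
        UacEnabled                 = $uacEnabled
        ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $policy.PromptOnSecureDesktop
        AlwaysNotify               = $alwaysNotify
        IsAdministratorsMember     = $isAdminMember
        RunningWithFilteredToken   = $filteredToken
        CurrentlyElevated          = $isElevated
        BypassPreconditionsMet     = $preconditionsMet
        Remediation                = $remediation
    }
}

Get-UacBypassExposure | Format-List
```

Run it from a normal (non-elevated) session: `BypassPreconditionsMet` being true with `RunningWithFilteredToken` true is the configuration every technique in this deck assumes, and the fix is either the "Always notify" slider position or not doing daily work as an administrator.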
19. DLL Hijacking
The most common way to perform a UAC bypass attack. It works thanks to the way DLLs are loaded in Windows systems by some auto-elevate processes: when they do not find a specific DLL at the first location tried, an attacker can trick them into loading a malicious DLL instead of the legitimate one. Variants:
- IFileOperation
- WUSA
- Environment variables expansion
- Race condition
- UIPI bypass
- COM handler hijacking
- NTFS reparse point
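The "not found at first trial" behaviour is visible in a file-access trace, and a defender checks the same thing to harden a system: which DLL lookups by a high-integrity binary fail, and whether a standard user could drop a file at that location. The following PowerShell is an added example, not part of the deck. It assumes the default column layout of a Process Monitor CSV export (`"Time of Day","Process Name","PID","Operation","Path","Result","Detail"`); the sample rows are constructed and the process name `example-autoelevate.exe` is a placeholder, not a real binary.

```powershell
# Added example (not from the deck): triage a Process Monitor CSV export for
# DLL lookups that ended in NAME NOT FOUND and report whether standard users
# can write to those directories. Sample rows are constructed, not a capture.
$sampleProcmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0001","example-autoelevate.exe","4242","CreateFile","C:\Windows\System32\example.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0002","example-autoelevate.exe","4242","CreateFile","C:\Users\Public\example.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0003","example-autoelevate.exe","4242","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0004","notepad.exe","1111","CreateFile","C:\Windows\System32\other.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'@

# True when Users, Authenticated Users or Everyone hold an Allow ACE with the
# CreateFiles right on the directory; $null when the directory does not exist.
function Test-DirectoryWritableByStandardUsers {
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $null }
    $lowPrivilegeSids = 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0'   # Users, Authenticated Users, Everyone
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable identity, skip it
        if (($lowPrivilegeSids -contains $sid) -and (($ace.FileSystemRights -band $createFiles) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Filters the trace to failed DLL opens by one process and annotates each
# distinct missing path with the writability of its directory.
function Get-MissingDllLoads {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [Parameter(Mandatory)] [string] $ProcessName
    )
    $CsvText | ConvertFrom-Csv |
        Where-Object {
            $_.'Process Name' -ieq $ProcessName -and
            $_.Operation -eq 'CreateFile' -and
            $_.Result -eq 'NAME NOT FOUND' -and
            $_.Path -imatch '\.dll$'
        } |
        ForEach-Object {
            $directory = Split-Path -Path $_.Path -Parent
            [pscustomobject]@{
                Process                 = $_.'Process Name'
                MissingDll              = $_.Path
                Directory               = $directory
                WritableByStandardUsers = Test-DirectoryWritableByStandardUsers -Path $directory
            }
        } |
        Sort-Object -Property MissingDll -Unique
}

Get-MissingDllLoads -CsvText $sampleProcmonCsv -ProcessName 'example-autoelevate.exe' |
    Format-Table -AutoSize
```

A row with `WritableByStandardUsers` true is the finding to act on: tighten the directory ACL or remove it from the search path. Misses inside `System32` are only relevant if something else (IFileOperation, WUSA, reparse points, as the following slides describe) gives a medium-integrity process a way to write there.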
20. DLL Hijacking - IFileOperation
Flowchart (recovered labels): run code inside a Windows trusted certificate process (PEB masquerading or process injection); invoke IFileOperation to copy the malicious DLL to the targeted location; execute the auto-elevate process.
21. DLL Hijacking - WUSA
Windows Update Standalone Installer (WUSA) runs at high integrity.
Flowchart (recovered labels): compress the malicious DLL into a CAB file; use the WUSA extract functionality to copy the malicious DLL to the targeted location; execute the auto-elevate process.
23. DLL Hijacking – UIPI Bypass
User Interface Privilege Isolation (UIPI) prevents lower integrity processes from sending "messages" to higher integrity processes.
Flowchart (recovered labels): IFileOperation DLL hijacking, copying the malicious DLL to a "secure" path; execute a high integrity application; process injection into a Windows trusted certificate process; execute the auto-elevate process.
24. DLL Hijacking – Environment Variable Expansion
Flowchart (recovered labels): copy the malicious DLL to the targeted location; modify the environment variable in the Windows Registry; execute the auto-elevate process.
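The slide does not name the variable that gets modified, so a defender's check has to be general: any per-user value in `HKCU:\Environment` that overrides a machine-scope variable of the same name changes how paths expand for that user's processes, and variables such as `windir` or `SystemRoot` have no legitimate reason to be defined per user. The following PowerShell is an added example, not part of the deck; the list of names treated as normally user-scoped (`TEMP`, `TMP`, `Path`) is an assumption based on what Windows writes there by default.

```powershell
# Added check (not from the deck): list user-scope environment variables that
# shadow a machine-scope variable of the same name, showing the raw
# (unexpanded) registry strings so a redirected %SystemRoot%-style value is
# visible exactly as written.
function Get-ShadowedSystemEnvironmentVariables {
    $machineKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $userKey    = 'HKCU:\Environment'
    $machine = Get-Item -Path $machineKey
    $user    = Get-Item -Path $userKey -ErrorAction SilentlyContinue
    if (-not $user) { return @() }

    # Registry value names are case-insensitive, so compare them that way.
    $machineNames = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($name in $machine.GetValueNames()) { [void]$machineNames.Add($name) }

    # Windows itself defines these per user, so overlap with the machine key is
    # expected for them (assumption: default Windows behaviour).
    $normallyUserScoped = 'TEMP', 'TMP', 'Path'
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    foreach ($name in $user.GetValueNames()) {
        if (-not $machineNames.Contains($name)) { continue }
        $userRaw    = $user.GetValue($name, $null, $noExpand)
        $machineRaw = $machine.GetValue($name, $null, $noExpand)
        [pscustomobject]@{
            Name         = $name
            UserValue    = $userRaw
            MachineValue = $machineRaw
            ExpandsTo    = [Environment]::ExpandEnvironmentVariables([string]$userRaw)
            Suspicious   = $normallyUserScoped -notcontains $name
        }
    }
}

Get-ShadowedSystemEnvironmentVariables | Format-Table -AutoSize
```

Any row flagged `Suspicious` deserves a look at what wrote it (the value is under the user's own hive, so no elevation was needed to create it); the same query is cheap enough to run from an endpoint agent or a scheduled hunt across a fleet.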
25. DLL Hijacking – Race Condition
Flowchart (recovered labels): copy the malicious DLL to the targeted location; DLL hijacking; execute the auto-elevate process.
26. DLL Hijacking – COM Handler Hijacking
A COM handler specifies a COM object by its CLSID key, from which the process associated with it loads a DLL.
Flowchart (recovered labels): modify "HKCU:\Software\Classes\CLSID" with the path of the malicious DLL (the value is thereby modified in "HKCR:\CLSID"); execute the auto-elevate process.
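Because HKCR is the merge of `HKCU\Software\Classes` over `HKLM\Software\Classes`, the per-user entry the slide describes is detectable by comparing the two hives directly. The following PowerShell is an added example, not part of the deck: it lists every CLSID that has an `InprocServer32` registration under the current user's hive and also exists machine-wide, and reports the cases where the two DLL paths differ. The "outside system directories" heuristic is an assumption about what a legitimate machine-wide handler normally looks like.

```powershell
# Added check (not from the deck): find per-user COM InprocServer32 entries
# that shadow a machine-wide CLSID with a different DLL. Everything reported is
# read from the live registry; nothing is hard-coded.
function Get-ShadowedComInprocServers {
    $userRoot    = 'HKCU:\Software\Classes\CLSID'
    $machineRoot = 'HKLM:\Software\Classes\CLSID'
    if (-not (Test-Path -Path $userRoot)) { return @() }

    foreach ($userKey in Get-ChildItem -Path $userRoot) {
        $clsid      = $userKey.PSChildName
        $userServer = Get-ItemProperty -Path (Join-Path $userKey.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if (-not $userServer) { continue }   # no in-process server registered here, nothing gets loaded

        $machineKey = Join-Path $machineRoot $clsid
        # CLSIDs that exist only per user are normal for per-user installs; the
        # slide's technique is about overriding an existing machine-wide object.
        if (-not (Test-Path -Path $machineKey)) { continue }

        $machineServer = Get-ItemProperty -Path (Join-Path $machineKey 'InprocServer32') -ErrorAction SilentlyContinue
        $userDll    = [Environment]::ExpandEnvironmentVariables([string]$userServer.'(default)')
        $machineDll = if ($machineServer) {
            [Environment]::ExpandEnvironmentVariables([string]$machineServer.'(default)')
        } else { '' }

        if ($userDll -ine $machineDll) {
            [pscustomobject]@{
                CLSID             = $clsid
                UserDll           = $userDll
                MachineDll        = $machineDll
                UserDllExists     = ($userDll -ne '') -and (Test-Path -LiteralPath $userDll)
                # Heuristic: a user-side server outside %SystemRoot% / Program Files
                # is the typical shape of a planted handler.
                OutsideSystemDirs = -not (($userDll -ilike "$env:SystemRoot\*") -or ($userDll -ilike "$env:ProgramFiles\*"))
            }
        }
    }
}

Get-ShadowedComInprocServers | Format-Table -AutoSize
```

The query reads only the current user's hive, so it runs without elevation; to audit every profile on a host, load each user's `NTUSER.DAT` or iterate the `HKEY_USERS` subkeys with the same logic. Writes to `HKCU\Software\Classes\CLSID` are also a good candidate for registry auditing, since legitimate software rarely touches that key outside installation.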
27. DLL Hijacking – NTFS Reparse Point
A reparse point is a collection of user data associated with a file or a directory, used in NTFS to implement hard links, junctions and symbolic links.
Flowchart (recovered labels): compress the malicious DLL into a CAB file; create a "wusa.exe" race condition; extract the malicious DLL to the targeted location by means of an NTFS reparse point; execute the auto-elevate process.
28. COM Interface Elevation
In Windows, a COM interface defines a set of methods that a COM object can invoke. The problem is that some of these interfaces can elevate their privileges without user consent.
Flowchart (recovered labels): find an elevated COM interface; pick a method that allows us to execute code; run the selected method.
29. Application Compatibility Exploiting
Abuses the way Application Compatibility (AppCompat) works by creating a shim (a file that contains the details of how Windows should manipulate an antiquated program to execute it properly) for an auto-elevate application, forcing it to load a malicious binary (CVE-2015-0002).
Diagram labels: Auto-elevate application, Malicious shim file, Malicious binary.
31. Shell API
This method abuses the way some auto-elevate applications use the Windows shell API to execute their own commands.
Variants: environment variable expansion; registry manipulation.
1. Modify the Windows Registry.
2. Execute the command.
32. Token Impersonation
Misuses the way tokens and their access rights work in Windows. The following scheme explains the James Forshaw implementation.
1. Check the rights of "mmc.exe" (a high integrity process).
2. Abuse the QueryLimitedInformation access right to obtain a token handle with Impersonate and Duplicate rights.
3. Copy the high integrity token using the Duplicate right.
4. Modify the copied token.
5. Impersonate the copied token using the Impersonate right.
34. GUI Misusing
This UAC bypass takes advantage of the way the affected processes use the "FileDialog" component: from the elevated file dialog you can right-click another application and choose the "Run as administrator" option, and no UAC prompt is displayed.
38. Vulnerability Verification
dccw.exe DLL hijacking confirmation
We created the folders that "dccw.exe" had looked for unsuccessfully. When it was executed again, an error was presented.
40. Exploit Development
Malicious DLL
To execute code ("cmd.exe") at high integrity we need to craft a DLL that is loaded when "dccw.exe" is executed. This DLL needs to export the functions that "dccw.exe" imports from the legitimate "GdiPlus.dll", so that the hijacked load does not break the application. The DLL is compressed and base64 encoded inside the code.
Interoperability
To allow the C++ PoC to run on both Windows x86 and Windows x64, the binary and the DLL have been built for x86 systems.
41. Exploit Development
Initial Checks
- Build version.
- Administrator rights.
- Administrators group.
- UAC security level.
Create Temporary Elements
In the same directory as the PoC:
1. Create the folder "dccw.exe.Local".
2. Inside it, create folders whose names match the "x86_microsoft.windows.gdiplus_*" folders found in "WinSxS".
3. Drop the malicious DLL into the folders created in step 2.
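The following is an added example (not the author's C++ PoC and not the Metsploit module) that implements the four initial checks and the first two "temporary elements" steps in PowerShell, so the preconditions can be verified by hand before anything is staged. The registry values and paths are the standard Windows ones; the function names, the staging root ($StageRoot) and the build threshold used for "Windows 8 or 10" are this example's own assumptions. It deliberately stops before step 3 (dropping a DLL).

```powershell
# Added example (not the author's PoC): initial checks plus WinSxS enumeration.
function Get-UacLevel {
    $k = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($k.EnableLUA -eq 0) { return 'Disabled' }
    # ConsentPromptBehaviorAdmin = 2 is "Always notify": auto-elevation is no
    # longer silent there, which is why the PoC requires any other level.
    if ($k.ConsentPromptBehaviorAdmin -eq 2) { return 'AlwaysNotify' }
    return "Level$($k.ConsentPromptBehaviorAdmin)/SecureDesktop$($k.PromptOnSecureDesktop)"
}

function Test-DccwPreconditions {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    # IsInRole(Administrator) is true only for an already elevated token; the
    # filtered (medium integrity) token still lists S-1-5-32-544 in Groups,
    # which is the "Administrators group" check the slide distinguishes.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $inAdmins = ($id.Groups | ForEach-Object { $_.Value }) -contains 'S-1-5-32-544'
    $build    = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    $uac      = Get-UacLevel
    [pscustomobject]@{
        Build           = $build
        AlreadyElevated = $elevated
        InAdminsGroup   = $inAdmins
        UacLevel        = $uac
        # Windows 8 RTM is build 9200 (assumed threshold for "Windows 8 or 10").
        MeetsPoCRequirements = ($build -ge 9200) -and $inAdmins -and (-not $elevated) -and
                               ($uac -ne 'AlwaysNotify') -and ($uac -ne 'Disabled')
    }
}

function New-DccwLocalLayout {
    param([string]$StageRoot = (Join-Path $PWD 'dccw.exe.Local'))
    $winsxs  = Join-Path $env:SystemRoot 'WinSxS'
    $folders = Get-ChildItem -Path $winsxs -Directory -Filter 'x86_microsoft.windows.gdiplus_*' -ErrorAction Stop
    foreach ($f in $folders) {
        # Steps 1 and 2 of the slide: dccw.exe.Local\<same name as the WinSxS folder>.
        # DotLocal redirection makes the loader consult this folder before WinSxS.
        $null = New-Item -ItemType Directory -Path (Join-Path $StageRoot $f.Name) -Force
    }
    # Step 3 (dropping the DLL) is intentionally not performed here.
    Get-ChildItem -Path $StageRoot -Directory | Select-Object -ExpandProperty FullName
}

Test-DccwPreconditions | Format-List
New-DccwLocalLayout
```

The empty layout on its own reproduces the "Vulnerability Verification" observation earlier in the deck: once copied next to dccw.exe, folders that exist but contain no usable GdiPlus.dll make the application fail, which is how the redirected search path was confirmed.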
42. Exploit Development
C++ - Masquerade PEB
Modify the Process Environment Block (PEB) because COM objects rely on PSAPI, which reads the PEB, to identify the process that invoked them. The modified PEB looks like the one of a Microsoft signed application (e.g. "explorer.exe"). This tricks the system into invoking IFileOperation at high integrity.
Metasploit - Process Injection
Inject a malicious DLL into a Microsoft signed application (e.g. "notepad.exe") and execute it from there, with the same goal.
43. Exploit Development
Invoke IFileOperation
Copy the previously created "dccw.exe.Local" folder and the elements it contains to the vulnerable locations:
\Windows\System32\dccw.exe.Local
\Windows\SysWOW64\dccw.exe.Local
44. Exploit Development
Execute "dccw.exe"
The DLL hijacking is performed and "cmd.exe" is executed with administrator rights.
Remove Traces
All created files and folders are deleted from the computer to stay undetected.
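The trace removal only covers the files the PoC itself created; while the bypass is staged, or if cleanup fails, the ".Local" directory next to a System32 binary is the artifact a responder can look for. The check below is an added example, not part of the deck or its PoC: it lists every "<binary>.Local" directory in System32 and SysWOW64 whose target binary actually exists, together with the DLLs inside and how many of them carry no valid Authenticode signature.

```powershell
# Added example (not from the original slides): hunt for DotLocal redirection
# directories staged next to system binaries such as dccw.exe.
function Find-DotLocalRedirection {
    param(
        [string[]]$Roots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Directory -Filter '*.Local' -ErrorAction SilentlyContinue |
            Where-Object {
                # Only a ".Local" folder whose name matches an existing binary is honoured by the loader.
                $target = $_.Name -replace '\.Local$', ''
                Test-Path -Path (Join-Path $root $target) -PathType Leaf
            } |
            ForEach-Object {
                $dlls = @(Get-ChildItem -Path $_.FullName -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue)
                $unsigned = @($dlls | Where-Object {
                    (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid'
                })
                [pscustomobject]@{
                    Target        = $_.Name -replace '\.Local$', ''
                    Path          = $_.FullName
                    Created       = $_.CreationTime
                    DllCount      = $dlls.Count
                    UnsignedDlls  = $unsigned.Count
                    Dlls          = ($dlls.FullName -join '; ')
                }
            }
    }
}

# Usage: an entry for dccw.exe with unsigned DLLs under a
# x86_microsoft.windows.gdiplus_* subfolder matches the technique in this deck.
Find-DotLocalRedirection | Format-List
```

Reading System32 does not require elevation, so this can run from the same medium-integrity context the bypass starts from; pairing it with a file-creation audit on those two directories catches the staging step even when the PoC removes its traces afterwards.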
45. Exploit Development
Overview of the whole flow:
1. Initial checks: build version, administrator rights, Administrators group, UAC settings.
2. Masquerade PEB (C++) / process injection (Metasploit).
3. Create temporary elements: WinSxS folders with the "x86_microsoft.windows.gdiplus_*" pattern, then drop the malicious DLL into those folders.
4. Invoke IFileOperation: copy the temporary files to the DLL hijacking path.
5. Execute dccw.exe: execute code at high integrity.
6. Remove traces.
47. Requirements
C++
- The target must be Windows 8 or 10.
- The UAC level must not be set to "Always notify".
- The compromised user must belong to the "Administrators" group.
Metasploit
- The target must be Windows 8 or 10.
- The UAC level must not be set to "Always notify".
- The compromised user must belong to the "Administrators" group.
- A Meterpreter session.
- The TARGET option must match the processor architecture of the victim.
48. C++ PoC - Windows 10 x64 14393
github.com/L3cr0f/DccwBypassUAC
49. Metasploit Module - Windows 10 x86 15063
www.rapid7.com/db/modules/exploit/windows/local/bypassuac_injection_winsxs
51.
"A weakness that would allow to bypass the 'Consent Prompt' is not considered a security vulnerability, since that is not considered a security boundary."
But...
"User Account Control (UAC) is a fundamental component of Microsoft's overall security vision."
- Microsoft
53.
Conclusions
- Bypassing User Account Control is not a big deal.
- Build patches are not enough.
- Microsoft should treat UAC bypasses as vulnerabilities so as to protect users.
- Nowadays, the only real solution is to set up different users and work with the one that has the lowest privileges (setting UAC to "Always notify" blocks this particular PoC, but it is not the default level).
Achievements
- Development of a new UAC bypass method that works on the latest Windows 10 build versions.
- Development of a new Metasploit module that works on the latest Windows 10 build versions and that has been included in the Metasploit Framework.
- This UAC bypass has been partially included in the UACME project as the 37th method.