I often end up in discussions where I point out that UAC bypasses are common and that UAC is not a very good security boundary if it is left at its default setting.
Truth be told, if you change the default UAC setting from «Notify me only when apps try to make changes to my computer» to «Always notify», I cannot think of any UAC bypass that will work. (Do you?)
#UPDATE: https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ This technique bypasses UAC even when “Always notify” is set.
I guess most of you have already seen this method before, but a common way of showing a UAC bypass through the GUI is to use the Task Scheduler in Windows.
The Task Scheduler is auto-elevated. If you create a basic task in Task Scheduler and, when you reach the Start a Program page, click Browse, you can browse to c:\windows\system32, right-click cmd.exe and choose Run as administrator.
This does not pop up the UAC prompt you would otherwise expect, because the Task Scheduler itself is already running elevated. This GIF shows you the process:
After being inspired by Enigma0x3’s research on the fileless UAC bypass (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/), I did some research of my own to see if I could find my very own UAC bypass method. I have not yet been successful, but I have found another way to demonstrate a GUI bypass method.
If you start c:\windows\system32\iscsicpl.exe, you can start an elevated CMD from the Report button under Configuration. This works because iscsicpl.exe is also auto-elevated. This GIF shows you the process:
Hope you enjoyed this post and that it will help you show that UAC is not the best security barrier. Instead, you should focus on removing administrator rights on local machines.
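The post makes two concrete recommendations: move the slider to “Always notify” and, more importantly, take local administrator rights away. The following PowerShell audit script is an added example, not code from the original post. The registry values it reads under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and their meanings are the documented ones; the slider labels, the AlwaysNotify test and the output field names are my own choices.

```powershell
# Added example (not from the original post): report the effective UAC level and
# who holds local administrator rights on this host. Run in a normal (non-elevated)
# PowerShell session; nothing here changes configuration.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

# ConsentPromptBehaviorAdmin is what the "Always notify" slider actually sets for
# members of Administrators. 5 + PromptOnSecureDesktop=1 is the Windows default;
# the "Always notify" position is 2 + PromptOnSecureDesktop=1.
$behavior = switch ($uac.ConsentPromptBehaviorAdmin) {
    0       { 'Elevate without prompting (UAC effectively off for admins)' }
    1       { 'Prompt for credentials on the secure desktop' }
    2       { 'Prompt for consent on the secure desktop ("Always notify")' }
    3       { 'Prompt for credentials' }
    4       { 'Prompt for consent' }
    5       { 'Prompt for consent for non-Windows binaries (default slider)' }
    default { "Unknown or unset value: $($uac.ConsentPromptBehaviorAdmin)" }
}

# Assumption (mine): treat only this exact combination as "Always notify".
$alwaysNotify = ($uac.EnableLUA -eq 1) -and
                ($uac.ConsentPromptBehaviorAdmin -eq 2) -and
                ($uac.PromptOnSecureDesktop -eq 1)

[PSCustomObject]@{
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop
    SliderLevel                = $behavior
    AlwaysNotify               = $alwaysNotify
} | Format-List

# The post's real point: UAC only matters for accounts that are local admins.
# Look up the group by its well-known SID so this works on localized Windows too.
# Get-LocalGroupMember ships with Windows 10 / Server 2016 and later.
try {
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
    Write-Host "`nLocal Administrators members ($($admins.Count)):"
    $admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

    # Flag the interactive session itself. Note: this only sees direct membership;
    # admin rights inherited through a nested domain group are not resolved here.
    $current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($admins.Name -contains $current) {
        Write-Warning "$current is a direct member of local Administrators; UAC is the only barrier between this session and full admin."
    }
}
catch {
    Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
}
```

Running this across a fleet (for example through a remoting session) gives you the two numbers that matter for the argument in this post: how many hosts are still on the default slider, and how many everyday user accounts sit in local Administrators. Hosts where the second number is zero do not need to care about the GUI tricks shown above.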
I’m not fully understanding the impact of this. You can launch some programs without an administrative prompt if you really want to, so what is the big deal? A virus cannot use that technique since it requires the end user to perform UI manipulations first. How does it make anything less secure?
Hi. You are right. It does not make Windows less secure. The problem the blog post is trying to address is that showing how to bypass UAC using, for example, Empire / Metasploit does not always make an impact on the “audience”. It is often easier to understand a visual demonstration like the one in this post. The point is that you should not trust UAC. There are several bypass techniques that attackers can use, and you should rather focus on removing local administrator rights.
It’s easy to create a schtask from a command line or using an exploit.
SchTasks /Create /SC DAILY /TN "snuff stuff" /TR "%appdata%\Malware.exe" /ST 09:00
There are a million ways to do evil stuff.
And the Task Scheduler is just one of them.
One of my favorites is setting a task to execute when a user with high privileges logs on to the system, and running the task as that user.
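The comment above describes two scheduled-task shapes worth hunting for on a host: a task whose action lives in a user-writable location such as %appdata%, and a logon-triggered task that runs as a more privileged user than the one who registered it. The PowerShell triage script below is an added example, not code from the post or the commenter; it uses the built-in ScheduledTasks module (Windows 8 / Server 2012 and later), and the indicator names, the two-indicator threshold and the exclusion of the \Microsoft\ task folder are my own heuristics.

```powershell
# Added example (not from the original post or the comment): triage scheduled
# tasks for the persistence patterns described in the comment. Heuristics and
# output field names are mine; the cmdlets are the built-in ScheduledTasks module.

# Locations an unprivileged user can write to. A task that launches something from
# here but runs with elevated rights or as another user is the classic shape.
$userWritable = @('%APPDATA%', '%LOCALAPPDATA%', '%TEMP%', '%USERPROFILE%',
                  '\Users\', $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$writablePattern = $userWritable -join '|'

$findings = foreach ($task in Get-ScheduledTask) {
    $reasons = @()

    # Indicator 1: the action's executable or arguments point into a writable path.
    $cmdLine = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
    if ($cmdLine -match $writablePattern) { $reasons += 'action in user-writable path' }

    # Indicator 2: a logon trigger, especially when the task runs as an account
    # other than the one that registered it (the "run as the privileged user when
    # they log on" trick from the comment).
    $logonTriggers = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
    if ($logonTriggers.Count -gt 0) {
        $reasons += 'logon trigger'
        if ($task.Principal.UserId -and $task.Author -and
            $task.Author -notlike "*$($task.Principal.UserId)") {
            $reasons += "runs as $($task.Principal.UserId), registered by $($task.Author)"
        }
    }

    # Indicator 3: the task asks for the highest available privileges.
    if ("$($task.Principal.RunLevel)" -eq 'Highest') { $reasons += 'RunLevel Highest' }

    # Report only tasks that combine at least two indicators, and skip the OS's own
    # \Microsoft\ folder, which trips single indicators constantly. Tune for your fleet.
    if ($reasons.Count -ge 2 -and $task.TaskPath -notlike '\Microsoft\*') {
        [PSCustomObject]@{
            Task    = $task.TaskPath + $task.TaskName
            State   = $task.State
            RunsAs  = $task.Principal.UserId
            Author  = $task.Author
            Command = $cmdLine
            Reasons = $reasons -join '; '
        }
    }
}

if ($findings) { $findings | Format-Table -Wrap -AutoSize }
else           { Write-Host 'No scheduled tasks matched two or more indicators.' }
```

The task created by the command in the comment would surface here through the writable-path indicator plus whatever trigger or run level it was given; a task that an attacker registers to fire at a privileged user's logon surfaces through the logon-trigger and author mismatch indicators. Pair this with auditing of task registration events (Microsoft-Windows-TaskScheduler/Operational) if you want to catch creation as it happens rather than on the next sweep.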