I often end up in discussions where I point out that UAC bypasses are common and that UAC is not a very good security boundary if it is left at its default setting.
Truth be told, if you change the default UAC setting from «Notify me only when apps try to make changes to my computer» to «Always notify», I cannot think of any UAC bypass that will work. (Do you?)
UPDATE: https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ This technique bypasses UAC even when “Always notify” is set.
I guess most of you have already seen this method before, but a common way of demonstrating a UAC bypass through the GUI is to use the Task Scheduler in Windows.
The Task Scheduler is auto-elevated. If you create a basic task in Task Scheduler and, when you reach the "Start a Program" page, click Browse, you can browse to c:\windows\system32, right-click CMD and choose "Run as administrator".
This does not show a UAC prompt as you would expect, because the Task Scheduler itself is running elevated. This GIF shows you the process:
Inspired by Enigma0X3’s research on the fileless UAC bypass (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/), I did some research of my own to see if I could find my very own UAC bypass method. I have not yet been successful, but I have found another way to demonstrate a GUI bypass method.
If you start c:\windows\system32\iscsicpl.exe, you can launch an elevated CMD from the Report button on the Configuration tab. This works for the same reason: iscsicpl.exe is auto-elevated. This GIF shows you the process:
I hope you enjoyed this post and that it helps you show that UAC is not the best security barrier. Instead, you should focus on removing administrator rights on local machines.
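To see where a machine sits with respect to the two UAC settings discussed at the top of the post, and to act on the closing advice about local administrator rights, here is an added PowerShell audit script (my own addition, not code from the original post). It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the registry value names are the documented UAC policy values, and reading them needs no elevation.

```powershell
# Added example, not part of the original post: report the UAC prompt level and
# list local Administrators. Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $policyKey   # values are present on a default install

# Documented meanings of ConsentPromptBehaviorAdmin:
#   0 = elevate without prompting, 1 = prompt for credentials on the secure desktop,
#   2 = prompt for consent on the secure desktop, 3 = prompt for credentials,
#   4 = prompt for consent, 5 = prompt for consent for non-Windows binaries only.
# Slider "Always notify" = 2 with PromptOnSecureDesktop=1; the default
# "Notify me only when apps try to make changes..." = 5 with PromptOnSecureDesktop=1.
$level  = [int]$p.ConsentPromptBehaviorAdmin
$secure = [int]$p.PromptOnSecureDesktop
$lua    = [int]$p.EnableLUA

if ($lua -ne 1) {
    $slider = 'UAC disabled (EnableLUA=0)'
} elseif ($level -eq 2 -and $secure -eq 1) {
    $slider = 'Always notify'
} elseif ($level -eq 5 -and $secure -eq 1) {
    $slider = 'Default: Notify me only when apps try to make changes (Windows binaries auto-elevate)'
} elseif ($level -eq 5 -and $secure -eq 0) {
    $slider = 'Notify me only when apps try to make changes (do not dim my desktop)'
} elseif ($level -eq 0) {
    $slider = 'Never notify'
} else {
    $slider = "Policy value outside the slider positions (ConsentPromptBehaviorAdmin=$level, PromptOnSecureDesktop=$secure)"
}

# Windows binaries elevate silently only at levels 0 and 5; that is the condition
# the Task Scheduler and iscsicpl demonstrations in the post depend on.
[PSCustomObject]@{
    Computer                       = $env:COMPUTERNAME
    UacLevel                       = $slider
    ConsentPromptBehaviorAdmin     = $level
    PromptOnSecureDesktop          = $secure
    WindowsBinariesElevateSilently = ($lua -eq 1 -and ($level -eq 0 -or $level -eq 5))
} | Format-List

# The post's actual recommendation is to remove admin rights, so list who has them.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Run it across a fleet (for example via a remoting session) and any host reporting WindowsBinariesElevateSilently as True together with non-service accounts in Administrators is one where the GUI demonstrations above would succeed.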