Windows UAC - A Bit More Detail

Discussion in 'other software & services' started by itman, Feb 21, 2019.

  1. guest

    guest Guest

    @wat0114 this is not the issue with @Rasheed187, he dislikes UAC because:

    1- it prompted his favorite tool (Process Explorer), not because UAC is inefficient.
    2- he uses a HIPS, so he finds UAC useless compared to it.

    UAC is useless to him; the problem is he strongly believes it is also useless to others.
     
    Last edited by a moderator: Feb 24, 2019
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I will try to explain my point of view one more time. You guys have UAC enabled for malware protection purposes, right? So this will result in perhaps hundreds of expected UAC alerts per year. The question is: is it really worth it, when the system is already protected with AV and anti-exploitation tools? And like guest said, a lot of malware (ransomware, keyloggers, banking trojans) doesn't even need admin rights.
     
  3. guest

    guest Guest

    Less needed indeed if you only focus on the malware aspect, but I still remind you that UAC is also there to prevent voluntary elevation requests made by an unauthorized person.

    But a huge number of them still need admin rights and are just blocked by UAC at max.
    I will say, if you don't use UAC at max, don't bother to use it at all.
     
  4. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Well, in my case, I don't use any security software right now on any of my computers, as I believe I don't have a reason to. My only security software, if you were to call it that, is Sandboxie to run non-trusted stuff, and simplewall, which is my firewall; that's all. So even though I don't really need UAC, I use it to follow what the programs are doing. UAC is required for changing many, many, many settings and different stuff on the PC, not just when elevating a process; you can check the wiki link I sent you, which I'm 99.9% sure you didn't check the first time, and scroll down to see some of the stuff that UAC alerts about. Also, my PC is lightning fast, so the UAC prompt for process elevation literally takes a few hundred milliseconds at worst, sooooooo
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I believe most that frequent Wilders will remember that malware developers were having a "field day" a while back by maliciously using eventvwr.exe, one of a slew of similar Windows processes that allow for auto-elevation. Microsoft patched the eventvwr.exe issue in the Win 10 Anniversary upgrade by internally modifying it to directly run mmc.exe versus eventvwr.msc: https://www.winhelponline.com/blog/...ac-bypass-exploit-windows-10-creators-update/ . Don't know if this was ever patched in Win 7.

    Well, as this recently posted POC shows: http://soclevelone.com/index.php/2019/01/14/bypassing-windows-uac/ , it is still possible to maliciously use eventvwr.exe, and also fodhelper.exe, as this example shows. At least this bypass will be detected if UAC is set to max level when running as a limited admin.
     
    Last edited: Mar 3, 2019
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Exactly. Malware authors try to circumvent UAC because it creates a problem for them, so that itself proves that UAC is not worthless; it is an additional layer. It is not bulletproof, but neither is any other security solution; otherwise we could just get rid of AVs as well, because no AV detects 100% and no firewall blocks all traffic without help. If one relies on UAC, he should focus on preventing UAC bypasses, mostly done by scripts/PowerShell.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Last edited: Mar 3, 2019
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    People who have UAC set to max would surely not just allow any random alert. I wonder if CMD would show the fake long path in the program location?
     
  9. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Compile the PoC yourself and test it. I currently don't have VS installed because I rarely do C++ projects and I clean installed recently; maybe some other time...

    In any case, it will require an executable, and those won't run themselves, so no problem here for me.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Based on what is posted in the write-up:
    I am interpreting this as meaning that the name passed to UAC for elevation is C:\Windows\System32\winSAT.exe. In other words, no path manipulation would be obvious in the UAC prompt, if indeed it would be displayed. Now winSAT.exe, mmc.exe, etc. will all show a UAC prompt when UAC is set to max level.
     
    Last edited: Mar 3, 2019
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Need more proof that UAC should always be set to max level? Maybe this code from a Metasploit UAC bypass module will convince you:
    https://cxsecurity.com/issue/WLB-2018120142

    Also: https://www.prodefence.org/multiple-ways-to-bypass-uac-using-metasploit/
     
    Last edited: Mar 3, 2019
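    As an added example (not code from this thread or from any of the linked write-ups), a PowerShell check of the policy values that decide whether a host is actually at the "Always notify" level itman argues for here and guest argues for in post #3, plus whether the current session is a standard user, a limited admin with a filtered token, or already elevated. The registry key, value names and meanings are Microsoft's documented ones; the function name is my own.

    ```powershell
    # Added example, not from the thread: audit the UAC level of this Windows 10 host
    # and the privilege context of the current session. Assumes PowerShell 5.1 or
    # later on Windows 10, run from a normal (non-elevated) prompt.

    function Get-UacAuditReport {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $p   = Get-ItemProperty -Path $key

        # Documented meanings of the values this check reads:
        #   EnableLUA                  1 = UAC on, 0 = UAC off
        #   ConsentPromptBehaviorAdmin 2 = Always notify (prompts for Windows binaries
        #                              too), 5 = default (non-Windows binaries only),
        #                              0 = elevate without prompting
        #   PromptOnSecureDesktop      1 = prompt on the secure desktop
        #   ConsentPromptBehaviorUser  3 = standard users get a credential prompt,
        #                              0 = their elevation requests are denied
        $findings = New-Object System.Collections.Generic.List[string]
        if ($p.EnableLUA -ne 1) { $findings.Add('UAC is disabled (EnableLUA != 1)') }
        if ($p.ConsentPromptBehaviorAdmin -ne 2) {
            $findings.Add("Admin level is not Always notify (ConsentPromptBehaviorAdmin = $($p.ConsentPromptBehaviorAdmin)); " +
                          'auto-elevating Windows binaries such as eventvwr.exe or fodhelper.exe elevate without a prompt')
        }
        if ($p.PromptOnSecureDesktop -ne 1) { $findings.Add('Prompts are not shown on the secure desktop') }
        if ($p.ConsentPromptBehaviorUser -eq 0) { $findings.Add('Standard users cannot elevate at all (auto-deny)') }

        # Session context. Under UAC an admin user runs on a filtered token, so
        # IsInRole(Administrator) is false until elevated; whoami still lists the
        # Administrators SID (S-1-5-32-544) because it is present as deny-only.
        $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($id)
        $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        $adminSid  = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq 'S-1-5-32-544' }
        $context   = 'standard user (credential prompt on elevation)'
        if ($adminSid) { $context = 'limited admin (filtered token, consent prompt on elevation)' }
        if ($elevated) { $context = 'already elevated administrator (no further prompts)' }

        [pscustomobject]@{
            AlwaysNotify = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1)
            Session      = $context
            Findings     = $findings
        }
    }

    Get-UacAuditReport | Format-List
    ```

    A value missing from the key is reported as a finding too, so compare against the Local Security Policy UI if the host has never had these values written explicitly.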
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    For those not running at least Win 10 RS5:
    https://tyranidslair.blogspot.com/2018/10/farewell-to-token-stealing-uac-bypass.html
     
  13. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Btw, none of the bypasses in UACME actually work on the Always Notify level, at least not when I last tested them a few months ago. Currently, only method 34 is supposed to work with Always Notify and is not fixed. Last time, there was also only one method which was working with Always Notify; it must have been either 34 or 35, I don't remember. But in any case, when I tested it, the exe simply crashed and did nothing every time, or the calculator was launched normally. I could not launch an elevated calculator no matter what. I used akagi64 on v1803.
     
  14. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
  15. guest

    guest Guest

  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    As far as method 35 goes, it is the bypass I posted in reply #37. I am interpreting this:
    to mean that AlwaysNotify is not a mitigation. Also, this has to be done via WMI in Win 10 pre-RS5 versions, so consumer or command event creation is required, or via the Secondary Logon Service:
    -EDIT- I was wrong about WMI event creation. He is doing the bypass programmatically using C/C++, which will allow you to bypass most of Windows' security mechanisms:
    https://tyranidslair.blogspot.com/2017/05/reading-your-way-around-uac-part-3.html
     
    Last edited: Mar 4, 2019
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Another informative article on UAC:

    How User Account Control Works

    Partially true, yes. But mainly because I run, as most people probably should, in a Standard User account, and I want to be able to perform administrative tasks from within my SUA by simply entering my credentials on the UAC-generated secure desktop. However, if I'm going to run numerous administrative tasks in a short time, I will log out of my SUA and into my Administrative account to perform those tasks, because I need only to prompt for consent rather than for credentials.
     
    Last edited: Mar 3, 2019
  18. guest

    guest Guest

    That is how Windows should be used, it is simple safe practice. You don't do admin/critical stuff on your daily account...
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Most of the administrative stuff I'm doing is simply elevating MS apps such as event viewer, group policy editor, process explorer, and so forth. I'm also the only one using my laptop, so I don't need to worry about others such as is the case in corporate environments.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not sure yet, but it seems like UAC alerts have changed a bit on Win 10. But isn't it true that once you allow some app to run it can do whatever it wants? So it's not like a behavior blocker, which is able to block certain stuff even when some app is already running in memory.

    If you run in a SUA, then you don't have a choice of course. But for me it wouldn't make any sense to enable UAC. Why deal with hundreds of expected UAC alerts (installing apps, running Process Explorer) when the system is already protected? I mean, how big is the risk that some super exploit will blast through all defenses? And even if it does, if the malware doesn't require admin rights, UAC won't even pop up.
     
  21. guest

    guest Guest

    Why do people still think UAC is a full-fledged security feature? It is not and never will be; it is not a BB or whatever.

    UAC just prevents UNWANTED elevation, that is it, so stop mentioning WANTED elevation... This has no place in the discussion.

    When you talk about an AV, you talk about what you want to block, not what you allow.

    If some can't handle a click or two a day (basic users must be insane to do more than 2-3 admin tasks a day... even me, I don't),
    I wonder how they can handle any HIPS that requires 10+ prompts in less than a second for just one app :rolleyes:
    A HIPS detects every system modification, legit or not; it is even worse than UAC...
    It is such a hassle that they had to implement cloud lookup and whitelisting... :thumbd:

    Apps like Process Explorer don't need to be run as admin to perform properly; they do in case the admin needs deeper info or does some admin tasks with them that need elevation, which will trigger a UAC prompt.

    Also, it is not because people here use anti-malware solutions that Average Joe does the same; most don't, so UAC is still affording some security.
    After all, if you get an elevation prompt out of the blue while watching a movie, the natural reflex would be to deny it.

    UAC is all about elevation and denying processes/users admin privileges.
    Nothing more, nothing less.
    Talking about anything else is erroneous.

    Security forum members' configs are niches; they don't reflect Average Joe's, so discussing the effectiveness of a feature with such configs is pointless.
    To evaluate things, it must be done on an "out of the box" system. Tester 101.
     
    Last edited by a moderator: Mar 10, 2019
  22. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    If you've got an already elevated process, then yes, obviously it won't ask you when it needs to do stuff that requires it to be elevated, such as all those tasks in the UAC wiki link, because it's already elevated.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Of note from the above posted Microsoft link:
     
  24. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    This is very bad if true. How are we going to play Forza Motorsport 7, for example?

    (great game btw, if you like racing on tracks you need to try it)
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    The thing is, you make it sound like UAC informs you about why a certain process needs admin rights, while it doesn't. And do you really think that Average Joe knows and cares about this? He/she simply knows that if he doesn't click on yes, then the app won't run or install. That's why I say that all of those expected UAC alerts are pretty pointless.

    Nobody thinks this. The point is that, according to me, it's not worth the trouble. And you can't compare it to alerts from a HIPS, because you will get to see them only at first app run/install; after that you make rules (allow or deny) and you won't see those alerts again. And again, those alerts are there to inform you about possible malicious behavior. UAC simply informs you about some process wanting to elevate; that doesn't tell anything about an app's intentions.
     