Windows 10 UAC Bypass Uses "Apps & Features" Utility

Discussion in 'other security issues & news' started by itman, May 23, 2017.

  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Although hinted at in some of the above posts, a Fun Fact for those not that familiar with UAC:

    Although UAC can be set at Never Notify in all versions of Windows, using that setting on Windows 10 will still provide baseline protection for system files, whereas this is not the case in previous Windows versions. An important point, as one can say that Win10 has native protection against script kiddie varieties of killdisk malware, and will also protect vssadmin from manipulation by ransomware. The latter is kind of important (assuming one has System Restore active), as Shadow deletion by scripty components of ransomware will be prevented.
     
  2. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Thanks for the insights. I think UAC even at default settings can protect against "Petya" ransomware and similar.

    While UAC is not a security boundary, it can make the system safer; I don't see the need to disable it.

    IMO the ideal is to run at a Standard User Account and use UAC for convenience.
     
  3. mWave

    mWave Guest

    You're right. UAC even at default settings can protect the user against "Petya" ransomware, along with all other types of ransomware which rely on modification of the Master Boot Record for their main payload; since Windows Vista you must be executing code from within the context of an elevated process (being run as administrator) when UAC is enabled to modify PhysicalDrive0 (where the MBR will be located).

    Run a sample of Petya in a Virtual Machine with UAC enabled without elevating it and no matter how long it runs for it will fail without a UAC exploit.
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Although the MBR/MFT encryptors would indeed need privilege escalation to work (and thus a UAC popup), a user really should have no reasonable expectation of coming across this stuff, as there was so much initial paranoia about these types of malware that every vendor and their cat now protects against them. The game is no longer worth the candle for the Blackhat in releasing these.

    Something better to concentrate on is the inability of UAC to alert to and/or stop the garden variety ransomware encryptors, which are clear and present dangers. But even though UAC can help here by creating and saving Shadow Copies of files (so personal docs can be recovered in case of malware encryption), and UAC will prevent malware from deleting these copies, all too often a user will negate this protection by shutting off System Restore (I suppose the rationale here being to save space on boot SSD drives). In the absence of a person using some other third party software for a backup/imaging restore routine, the shutting off of Windows' own System Restore (while actually having UAC active!) is not a good idea at all.
     
  5. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    It's not always the fault of the user: System Restore is turned off by default on Windows 10. Not sure why MS thought it was a good idea. I had to do a full reset of a laptop once, just to get Edge working again. I thought SR was going to be my savior, but when I went there she was switched off. Bad MS.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, but - as frequently mentioned - plus SRP. I think this site is still the best one to explain how it works.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Well, I'm also not afraid, but you should never let your guard down. The thing is, in theory SUA sounds good; the "principle of least privilege", who doesn't want a piece of that? The practice, however, is another story, at least for me. Having to respond to those self-triggered UAC alerts is not worth it. Besides, I doubt that SUA can protect against kernel exploits, and normally you will need kernel exploits to bypass all security tools on the system.

    guest, this reply doesn't make any sense. Of course you need SUA to restrict other users, but that is not the discussion. And besides, even on SUA you still need AE, because users can still download and run portable apps, and some malware doesn't need admin rights.

    Correct, but unwanted elevation can be useful to protect against malware in case of an exploit attack. That's why experts always advise to use SUA. But if you can block malware from running at all with a tool like VS, it doesn't matter if you're admin or a standard user.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    My situation is different and SUA is just perfect for my computing.
    SUA can't protect against exploits targeting kernel components, but it can break malware operation. Well, nothing except a patch really can prevent those exploits. Even HIPS and similar can only break exploit implementation, but they won't 100% protect against an exploit. Not to mention that such tools are not appropriate for regular users but mostly for enthusiasts and researchers.

    A while ago I stumbled on this thread: https://www.wilderssecurity.com/threads/securing-your-pc-and-data.252253/
    It was written almost 8 years ago but basic security principles still stand today.

    I especially liked this:
    from this post: https://www.wilderssecurity.com/threads/securing-your-pc-and-data.252253/#post-1533494

    So IMO people don't have to be paranoid neither about privacy nor security to be relatively safe. And we don't have to check if our security/privacy setup can protect us against everything we read in news.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    It's true that SUA might come in handy in case security tools fail to protect, because without any admin rights lots of malware will fail to run correctly. But it probably won't stop malware from getting admin or system privileges if kernel exploits are being used.

    And of course results from the past don't give any guarantees, but based on what I've seen the last 13 years, I'm not too worried. In general, hackers aren't trying to bypass home user security tools and kernel exploits aren't being used on a large scale, at least not against consumers. Also, browsers and the Windows OS are now a lot harder to exploit than years ago.
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Lots of Wannacry speculation now about how that exploit was not meant to get bitcoins but rather boost the share price of bitcoin.
    That makes sense then that they would target anybody they could get their grimy little hands on.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    You don't need a kernel level exploit to escalate privileges. What these latest hacks are about is the use of valid system processes running hidden to accomplish the same, as one of many other methods to do so.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Correct, but my latest comments about kernel exploits were not related to the article you posted about the UAC bypass. In general, kernel exploits will probably also bypass protection offered by SUA. Luckily M$ is doing a great job in making Windows harder to exploit.
     
  13. guest

    guest Guest

    so i let you continue :)
     
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    That's why I strongly suggest SUA + SRP (I know that I'm getting boring because I'm repeating it again and again). Malware that exploits kernel vulnerabilities must execute somehow. SRP stops that: regardless of whether you get, e.g., an executable email attachment, a malicious script in an Excel or PDF file or malware on a USB stick, they are all not able to execute. It's that simple. And it doesn't increase the attack surface as all 3rd-party tools do (which consequently often introduce new vulnerabilities, as Tavis Ormandy has repeatedly demonstrated).

    Needless to say that this doesn't hold true for software which you deliberately install with admin rights. If you install dubious software from untrustworthy sources and without checking it with, e.g., Virustotal, SUA + SRP can't help you. Hence, SUA + SRP doesn't mean to blacklist brain.exe.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Exactly, that's why I keep saying that when experts advise to use SUA, it's basically about mitigating malware that is delivered via exploits. SUA won't help in case users run/install malware with admin rights. But at the end of the day, if malware can't run, it doesn't matter if you run as SUA or admin; that's a no-brainer of course.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Case in point why UAC needs to be set to the max. level.

    Someone over at the Eset forum posted this:
    His issue was the only way he could detect fileless WMI malware was after-the-fact by employing a stand alone memory scanner.

    A bit more about fileless WMI malware from the APT29 thread I recently posted per FireEye:
    Notice what I underlined in bold text. The easiest and frankly only effective way of preventing WMI malware like this is to prevent it from being installed in the first place.
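    As an added example (my own code, not anything a poster in this thread wrote), here is a PowerShell check for the two settings discussed above: cruelsister's point that UAC only protects Shadow Copies if System Restore is actually on, and itman's point that UAC should be at the maximum level. Run it from an elevated PowerShell. It assumes the standard registry location for the UAC policy values, that root\default\SystemRestoreConfig exposes RPSessionInterval (1 = enabled), and that Win32_ShadowCopy lists the same shadow copies vssadmin would show.

    ```powershell
    # Added example (not from the thread). Assumptions listed in the lead-in.

    function Get-UacLevel {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $p = Get-ItemProperty -Path $key
        if ($p.EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0)' }
        # The slider writes two values; map them back to the four positions.
        switch ("$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)") {
            '2/1' { 'Always notify (maximum)' }
            '5/1' { 'Default: notify when apps make changes (secure desktop)' }
            '5/0' { 'Notify when apps make changes (no secure desktop)' }
            '0/0' { 'Never notify (EnableLUA still 1, so integrity levels remain)' }
            default { "Non-standard: Admin=$($p.ConsentPromptBehaviorAdmin) SecureDesktop=$($p.PromptOnSecureDesktop)" }
        }
    }

    function Get-RestoreStatus {
        # Assumption: SystemRestoreConfig lives in root\default on this build.
        $cfg = Get-CimInstance -Namespace 'root\default' -ClassName SystemRestoreConfig -ErrorAction SilentlyContinue
        $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
        $enabled = if ($null -eq $cfg) { 'unknown' }
                   elseif ($cfg.RPSessionInterval -eq 1) { 'enabled' }
                   else { 'disabled' }
        "System Restore $enabled, $($shadows.Count) shadow copy(ies) present"
    }

    $uac = Get-UacLevel
    $restore = Get-RestoreStatus
    Write-Output "UAC: $uac"
    Write-Output $restore

    # Below the top slider position, Windows auto-elevates its own signed
    # binaries without a prompt; that is the mechanism UAC bypasses rely on.
    if ($uac -notlike 'Always notify*') {
        Write-Warning 'UAC is below the maximum level; silent auto-elevation of trusted binaries is enabled.'
    }
    if ($restore -like '*disabled*') {
        Write-Warning 'System Restore is off: there are no shadow copies for UAC to protect.'
    }
    ```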
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    You pick off - like so many times before - what seems to confirm your view. But you fail to reference what I wrote in the first paragraph - and this was actually the important thing.
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I searched on this and can't find anything definitive; some people say it's Off and others it's On. It was On when I got my latest computer which came with Windows 10 pre-installed. It also stayed On when I upgraded Windows 7 computers where SR was already On; the setting carried over.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    I'm not following; I didn't disagree with anything that you said. I was just trying to explain that SUA is mainly useful to mitigate exploits. This means that if you're confident that you can block exploits/malware from running, you can easily stay safe as ADMIN. Luckily the tools that I'm using (AE/HIPS/Sandbox) are not as easy to exploit as AVs, which have a large attack surface, so I'm not that worried.

    Of course, kernel exploits will probably blast through all defenses including SUA. Actually, certain tools like AE and sandbox can even mitigate malware that tries to run and elevate via kernel exploits. This has been proven in the latest VoodooShield video about the DoublePulsar backdoor and also in the Bromium report about bypassing Chrome and Sandboxie. Sandboxie would still contain malware even if it elevated to system privileges.
     