center-for-threat-informed-defense / adversary_emulation_library

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
https://ctid.io/adversary-emulation
Apache License 2.0

APT29 Scenario1 Infrastructure UAC Bypass #95

Closed malwareninja closed 1 year ago

malwareninja commented 2 years ago

What is the use of the UAC Bypass step if the infrastructure already requires UAC to be set to Never Notify?

jcwilliamsATmitre commented 2 years ago

@malwareninja even though UAC is set to Never Notify (so we don't have to go into the victim and accept the prompt), we still emulate the behavior and generate the telemetry of elevating to a higher process integrity level.

malwareninja commented 2 years ago

But what about the original scenario, where the adversary won't be able to set Never Notify manually?

jcwilliamsATmitre commented 2 years ago

Setting UAC to Never Notify is part of the infrastructure setup to facilitate execution of the emulated scenario, not something we are including in the behaviors of the adversary.

malwareninja commented 2 years ago

So, basically, in a real-world situation Never Notify could be a weak measure applied by the domain admins, right? And that's what we are simulating with Never Notify?

jcwilliamsATmitre commented 2 years ago

The Never Notify setting isn't really part of this scenario/storyline (just something we set to help execution flow smoothly), though yes, this setting may vary in production and may also be a good place to provide feedback for assessment customers. 👍
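The thread's point is that Never Notify is a lab convenience, and that the same setting showing up in production is an assessment finding. The following PowerShell audit is an added example, not code from the adversary_emulation_library project: it reads the real UAC policy values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and classifies the effective slider level; the helper name `Get-UacValue` and the default values assumed for absent entries are the author's own choices.

```powershell
# Added example (not part of the adversary_emulation_library project): report the
# UAC policy values the "Never Notify" slider changes, so an assessment team can
# flag hosts where the emulation-lab setting has leaked into production.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$props  = Get-ItemProperty -Path $uacKey

function Get-UacValue {
    param([string]$Name, [int]$Default)
    # Values absent from the registry fall back to the assumed Windows default.
    if ($null -ne $props.$Name) { [int]$props.$Name } else { $Default }
}

$enableLua  = Get-UacValue -Name 'EnableLUA'                  -Default 1
$adminMode  = Get-UacValue -Name 'ConsentPromptBehaviorAdmin' -Default 5
$secureDesk = Get-UacValue -Name 'PromptOnSecureDesktop'      -Default 1

# Map the raw values onto the levels the UAC slider presents.
$level = if ($enableLua -eq 0) {
    'UAC disabled (EnableLUA=0): Admin Approval Mode is off entirely'
} elseif ($adminMode -eq 0) {
    'Never notify: administrators are elevated silently'
} elseif ($adminMode -eq 2 -and $secureDesk -eq 1) {
    'Always notify'
} elseif ($secureDesk -eq 1) {
    'Notify only when apps try to make changes (default)'
} else {
    'Notify only when apps try to make changes, without the secure desktop'
}

[pscustomobject]@{
    ComputerName               = $env:COMPUTERNAME
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $adminMode
    PromptOnSecureDesktop      = $secureDesk
    EffectiveLevel             = $level
    # Silent elevation removes the need for any UAC bypass, so outside a
    # dedicated emulation lab it should be recorded as a finding.
    Finding                    = ($enableLua -eq 0 -or $adminMode -eq 0)
}
```

On a host configured per the scenario's infrastructure guide the output shows `Finding = True`; the same result on a production domain member is the feedback item the last comment refers to.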