Closed malwareninja closed 1 year ago
@malwareninja even though UAC is set to never notify (so we don't have to go into the victim and accept the prompt), we still emulate the behavior + generate the telemetry of elevating to a higher process integrity level.
But what about the original scenario where the adversary won't be able to set Never Notify manually?
Setting UAC to Never Notify is part of the infrastructure setup to facilitate execution of the emulated scenario, not something we are including in the behaviors of the adversary.
So, basically, in a real-world situation the Never Notify could be a weak measure applied by the domain admins, right? And that's what we are simulating by Never Notify?
The Never Notify setting isn't really part of this scenario/storyline (just something we set to help execution flow smoothly), though yes, this setting may vary in production and may also be a good place to provide feedback for assessment customers 👍
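For assessment teams who want to report on whether a production host actually sits at the Never Notify position discussed above, here is an added PowerShell audit. It is an example written for this thread, not code from the issue or from the emulation library. It reads the documented UAC policy values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`); the `Get-UacPosture` function name, its `-Values` parameter, and the label/risk mapping are this example's own assumptions.

```powershell
# Added example: classify the local UAC elevation-prompt posture so that a
# "Never notify" lab setting can be distinguished from a production default.
function Get-UacPosture {
    [CmdletBinding()]
    param(
        # Assumed parameter: pass a hashtable of the three values to classify an
        # offline snapshot (e.g. from a collected registry export) instead of
        # reading this host's registry.
        [hashtable]$Values
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    if (-not $Values) {
        $props  = Get-ItemProperty -Path $key -ErrorAction Stop
        $Values = @{
            EnableLUA                  = $props.EnableLUA
            ConsentPromptBehaviorAdmin = $props.ConsentPromptBehaviorAdmin
            PromptOnSecureDesktop      = $props.PromptOnSecureDesktop
        }
    }

    # Windows defaults apply when a value is absent from the key.
    $enableLua = if ($null -ne $Values.EnableLUA) { [int]$Values.EnableLUA } else { 1 }
    $cpba      = if ($null -ne $Values.ConsentPromptBehaviorAdmin) { [int]$Values.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $Values.PromptOnSecureDesktop) { [int]$Values.PromptOnSecureDesktop } else { 1 }

    # Label and risk rating are this example's interpretation of the UAC slider positions.
    if ($enableLua -eq 0) {
        $label = 'UAC disabled (Admin Approval Mode off)'; $risk = 'High'
    } elseif ($cpba -eq 0) {
        $label = 'Never notify (elevate without prompting)'; $risk = 'High'
    } elseif ($cpba -eq 5 -and $secure -eq 0) {
        $label = 'Notify for non-Windows binaries, desktop not dimmed'; $risk = 'Medium'
    } elseif ($cpba -eq 5) {
        $label = 'Notify for non-Windows binaries (Windows default)'; $risk = 'Low'
    } elseif ($cpba -eq 2) {
        $label = 'Always notify'; $risk = 'Low'
    } else {
        $label = "Other elevation behavior (ConsentPromptBehaviorAdmin=$cpba)"; $risk = 'Review'
    }

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $cpba
        PromptOnSecureDesktop      = $secure
        Setting                    = $label
        Risk                       = $risk
        # True when an interactive consent/credential prompt would appear on
        # elevation, i.e. the setting the lab removes by choosing Never Notify.
        PromptOnElevation          = ($enableLua -eq 1 -and $cpba -ne 0)
    }
}

# Live host:
Get-UacPosture | Format-List

# Constructed snapshot matching the lab setup described in this thread:
Get-UacPosture -Values @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 } | Format-List
```

Run across the assessment scope (for example via `Invoke-Command`) and include the `Setting` and `PromptOnElevation` columns in the report, so the customer can see which hosts would actually have shown a prompt during the emulated elevation step and which were already configured the way the lab was.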
What is the use of the UAC Bypass step if the infrastructure already needs UAC to be set to Never Notify?