hfiref0x / UACME

Defeating Windows User Account Control
BSD 2-Clause "Simplified" License

UAC bypass mitigation #110

Closed abulyaev closed 2 years ago

abulyaev commented 2 years ago

Hi I'm wondering if there is some way to mitigate elevated COM objects uac bypass? For example methods 65 and 66.

hfiref0x commented 2 years ago

  1. Remove those interfaces from COMAutoApprovalList. This will trigger a UAC window at the elevation attempt
  2. Set UAC level to AlwaysNotify
  3. Account without administrator privileges

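An added audit script (not part of the UACME project or of the comment above) that checks the state of the three mitigations just listed on a Windows host: it enumerates the CLSIDs registered under COMAutoApprovalList, checks whether the UAC policy values correspond to "Always notify", and reports whether the current token and the local Administrators group membership match a standard-user setup. The `-RemoveClsid` parameter is an assumed name; the registry paths and the ConsentPromptBehaviorAdmin / PromptOnSecureDesktop meanings are the standard Windows ones. Run it from a normal (non-elevated) session to audit; elevation is only needed to remove an entry.

```powershell
# Added example: audit of the three UAC-bypass mitigations from the comment above.
# Not the project's own code. -RemoveClsid (assumed parameter name) takes CLSID strings such as
# '{00000000-0000-0000-0000-000000000000}' (placeholder) to delete from COMAutoApprovalList.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$RemoveClsid = @()
)

$autoApprovalKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList'
$policyKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. COMAutoApprovalList: each value is a CLSID (REG_DWORD 1) that elevates without a
#    consent prompt when invoked by a member of Administrators at the default UAC level.
Write-Host "== COMAutoApprovalList entries =="
if (Test-Path $autoApprovalKey) {
    (Get-ItemProperty -Path $autoApprovalKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            # Resolve the CLSID to its registered class name, if any, for a readable report
            $clsName = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.Name)" `
                        -ErrorAction SilentlyContinue).'(default)'
            '{0}  value={1}  {2}' -f $_.Name, $_.Value, $clsName
        }
} else {
    Write-Host "key not present"
}

# Optional hardening step: remove reviewed entries (requires an elevated session; -WhatIf supported)
foreach ($clsid in $RemoveClsid) {
    if ($PSCmdlet.ShouldProcess("$autoApprovalKey\$clsid", 'Remove auto-approval entry')) {
        Remove-ItemProperty -Path $autoApprovalKey -Name $clsid -ErrorAction Stop
    }
}

# 2. UAC level. "Always notify" is ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1;
#    the default "notify only when apps try to make changes" is 5.
Write-Host "`n== UAC policy =="
$pol = Get-ItemProperty -Path $policyKey
Write-Host ("EnableLUA={0} ConsentPromptBehaviorAdmin={1} PromptOnSecureDesktop={2}" -f `
            $pol.EnableLUA, $pol.ConsentPromptBehaviorAdmin, $pol.PromptOnSecureDesktop)
if ($pol.EnableLUA -eq 1 -and $pol.ConsentPromptBehaviorAdmin -eq 2 -and $pol.PromptOnSecureDesktop -eq 1) {
    Write-Host "UAC level: Always notify"
} else {
    Write-Warning "UAC is not at 'Always notify' (set ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1, e.g. via secpol.msc)"
}

# 3. Account separation. Auto-elevation only matters for a token that belongs to Administrators;
#    from a non-elevated session this shows what a program started by the logged-on user would get.
Write-Host "`n== Current account =="
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("{0}  token-has-admin={1}" -f $id.Name, $isAdmin)
Write-Host "Members of local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { "  $($_.Name) ($($_.ObjectClass))" }
```

Two practical caveats: entries in COMAutoApprovalList are used by built-in Windows components, so removing one trades a silent elevation for a consent prompt wherever that component is used (review the resolved class name before deleting), and the group-policy values above can be overridden by domain policy, so the registry view reflects the effective setting only after a policy refresh.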
ghost commented 2 years ago

Out of curiosity, would a separate admin account without a password suffice? Testing it seems to confirm it is, but I wonder if it could be circumvented with the account not having a pw

hfiref0x commented 2 years ago

Yes. Separate non-admin account you mean.

ghost commented 2 years ago

> Yes. Separate non-admin account you mean.

No, separate admin account without password. Technically with that setup uacme doesn't work, stuff like tasks requiring admin break, and the UAC asks for a password, which happens to be empty, but again I wonder if the password being empty is an issue or what matters is only the separation