mandiant / flare-vm

A collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a VM.
Apache License 2.0

Configuration: UAC prompt only pop up #511

Open Ana06 opened 9 months ago

Ana06 commented 9 months ago

Details

The UAC prompt is annoying/time consuming as we need to launch many of our tools in admin mode. Disabling it has the issue that we won't notice that malware wants to get admin privileges by UAC when launching it. I have heard there is a setting to stop it from darkening the screen and show the pop-up, that may be a good solution for both cases. Alternatively we could just disable the UAC prompt only for apps like procmon (only if the other option is not possible).

Requires https://github.com/mandiant/flare-vm/issues/510

stevemk14ebr commented 8 months ago

Specific behaviors of UAC can be controlled via the local security policy. The dimming is caused by secure desktop which can be disabled in these settings while retaining the other prompts.

(screenshot: secpol.msc)

I'd recommend we disable 'switch to secure desktop when prompting for elevation' and set 'behavior of the elevation prompt for standard users' to 'Prompt for consent'. This leaves UAC enabled, but much less annoying, and is fine for a VM security-wise.
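The two policy changes described above, applied through the registry values that secpol.msc writes, as an added example that is not FLARE-VM project code. It assumes the 'Prompt for consent' choice is the Admin Approval Mode policy (ConsentPromptBehaviorAdmin = 4, the policy that actually offers that option) and that it runs from an elevated PowerShell.

```powershell
# Added example (not part of FLARE-VM). Assumptions: elevated PowerShell, and
# "Prompt for consent" means the administrator policy ConsentPromptBehaviorAdmin.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

function Get-UacPolicy {
    # Read back the three values that matter for this change.
    $p = Get-ItemProperty -Path $uacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 1 = UAC enabled
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = dim/secure desktop
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 4 = prompt for consent
    }
}

function Set-UacNoSecureDesktop {
    # Keep UAC on so a sample asking for elevation is still visible to the analyst.
    Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord
    # 'Switch to the secure desktop when prompting for elevation' -> Disabled (no dimming).
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop -Value 0 -Type DWord
    # 'Behavior of the elevation prompt for administrators' -> Prompt for consent.
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 4 -Type DWord
}

'Before:'; Get-UacPolicy
Set-UacNoSecureDesktop
'After:';  Get-UacPolicy

# Verify the end state: UAC still on, prompts no longer on the secure desktop.
$state = Get-UacPolicy
if ($state.EnableLUA -ne 1 -or $state.PromptOnSecureDesktop -ne 0 -or $state.ConsentPromptBehaviorAdmin -ne 4) {
    throw 'UAC policy was not applied as expected.'
}
```

Running secpol.msc afterwards shows the same two settings changed, since the snap-in reads these registry values.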