
UAC 0day, all day! - Octavius 15/16
UAC 0day, all day!
Instructor: Ruben Boonen
Pre-Requisites - None
Abstract - This workshop is available to attendees of all levels; however, a basic familiarity with Process Monitor and the Windows API is recommended. The workshop will provide the knowledge required to find, analyze and exploit process workflows that allow an attacker to elevate their privileges from Medium to High integrity. The workshop is divided into the following sections.
Auto-Elevation:
- Identifying auto-elevating processes
- Analyzing process workflows
- Finding UAC bypass targets
Elevated File Operations:
- Using the IFileOperation COM object
- Tricking the Process Status API (PSAPI)
Getting UAC 0day (Pre Windows RS2):
- Analysis of known UAC bypasses
- Understanding the Windows Side-By-Side Assembly
- Creating proxy DLLs
- Using the Bypass-UAC framework (https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC)
- Dropping 0day(s)!
Triaging Windows RS2:
- Environment variables
- Registry abuse
- COM objects
- Process tokens
The workshop has intense hands-on labs where attendees will put the theory into practice. After attending, you will immediately be able to apply this knowledge in the field. The next time someone tells you the default UAC settings are sufficient you will be able to set them straight!
Required Materials - To participate in the hands-on sections, attendees need to bring a laptop with 2 GB RAM which can be dedicated to a virtual machine. Both VirtualBox and VMware player can be obtained for free. Two virtual machines and all necessary tools will be provided during the workshop!