Overview
Explore the intricacies of User Account Control (UAC) and its vulnerabilities in this 49-minute conference talk from Derbycon 7. Delve into the concept of UAC as a non-security boundary, understanding integrity levels and the security reference monitor. Examine bypass research techniques, including registry manipulation and file operations. Learn about the AlwaysNotify bypass and its associated PowerShell script. Gain insights into potential mitigations and use this talk as a starting point for further exploration of UAC security implications.
Syllabus
Intro
Presentation Overview
What is UAC
Not a security boundary
Integrity level
Security reference monitor
AlwaysNotify
Default isNotify
Bypass Research
The Ideal Situation
Process Monitor
Registry Manipulation
Other Primitives
Old IFile Operation
Registry Verb Handling Modification
John Lambert
Event Viewer
AlwaysNotify Bypass
PowerShell Script
Original POC
Mitigation
Starting Point