Jump to content

Blocking UAC Bypass attacks


digip
 Share

Recommended Posts

So I lost my USB rubber ducky(bought at Derbycon 1, not sure where I put it after moving few times) but was wondering with all these UAC bypass attacks these days, can it be blocked. I don't have a ducky to test, but even just manually typing common ducky scripts for testing, I haven't been able to bypass UAC after making some changes to beef it up a bit. Most of the time the bypass seems to work is because of admin level not, by default, required to use a password for UAC, and instead, only click ok for the pop-up. However, you can change this in the Local Security Policies settings. 

What I'd like to see, and maybe someone already posted this, so I could be making a duplicate point already given and I apologize, is someone test this and show me that you can bypass the following settings.

 

Hit the windows key, and in search type "Local Security Policy"

Now drill down to  "local policies" > security options > UAC: Behavior on prompt (for both admin & normal users) > Change to prompt for credentials on both. Now try your rubber ducky. Does it still bypass UAC? (It shouldn't be able to, but I haven't tested this extensively).

 

Post your thoughts, and any ducky script if you find a way to bypass UAC with the above settings turned on. These are things I am going to start turning on for all machines I own and setup for others in the future since I can't see a way to bypass short of remote/elevated attack channels, this should stop all HID based UAC Bypass attacks that don't run executables, and work solely on keystrokes alone.

Link to comment
Share on other sites

I got the same results as you. There are, of course, plenty of payloads that can be ran on a non-administrator level of PowerShell/CMD and certain privilege escalation attacks that can be done, but this does provide a very big deterrent to many of the ducky payloads you see out there right now.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...