digip Posted December 2, 2016

So I lost my USB Rubber Ducky (bought at Derbycon 1, not sure where I put it after moving a few times), but I was wondering, with all these UAC bypass attacks these days, whether it can be blocked. I don't have a Ducky to test with, but even just manually typing common Ducky scripts for testing, I haven't been able to bypass UAC after making some changes to beef it up a bit.

Most of the time the bypass seems to work because admin-level accounts are not, by default, required to enter a password for UAC, and instead only click OK on the pop-up. However, you can change this in the Local Security Policy settings. What I'd like to see (and maybe someone already posted this, so I could be making a duplicate point already given, and I apologize) is someone test this and show me that you can bypass the following settings:

1. Hit the Windows key, and in search type "Local Security Policy".
2. Now drill down to Local Policies > Security Options > UAC: Behavior of the elevation prompt (for both admins and standard users).
3. Change both to "Prompt for credentials".

Now try your Rubber Ducky. Does it still bypass UAC? (It shouldn't be able to, but I haven't tested this extensively.)

Post your thoughts, and any Ducky script if you find a way to bypass UAC with the above settings turned on. These are things I am going to start turning on for all machines I own and set up for others in the future, since I can't see a way to bypass them short of remote/elevated attack channels. This should stop all HID-based UAC bypass attacks that don't run executables and work solely on keystrokes alone.

Quote
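The two Local Security Policy settings described in the post map to registry values under the policy key that UAC reads at elevation time. The PowerShell script below is an added example (not code from the original post or from Hak5) that audits those values on a machine and, with `-Enforce`, sets them to "Prompt for credentials". The key path and value names (`ConsentPromptBehaviorAdmin`, `ConsentPromptBehaviorUser`, `PromptOnSecureDesktop`) are the documented Windows policy values; the function names and the numeric-to-text tables are this example's own.

```powershell
# Audit (and optionally enforce) the UAC elevation-prompt behavior that
# the post recommends: "Prompt for credentials" for both admins and
# standard users. Run from an elevated PowerShell session to enforce.
#
# Values are the documented meanings of the policy registry entries:
#   ConsentPromptBehaviorAdmin  0 = elevate without prompting
#                               1 = prompt for credentials on the secure desktop
#                               2 = prompt for consent on the secure desktop
#                               3 = prompt for credentials
#                               4 = prompt for consent
#                               5 = prompt for consent for non-Windows binaries (default)
#   ConsentPromptBehaviorUser   0 = automatically deny elevation requests
#                               1 = prompt for credentials on the secure desktop
#                               3 = prompt for credentials (default)
#   PromptOnSecureDesktop       1 = show the prompt on the secure desktop (default)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$AdminMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$UserMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

# Both 1 and 3 require a password to be typed, which is what blocks a
# keystroke-only HID payload from just pressing Enter/Alt+Y on the prompt.
$CredentialValues = @(1, 3)

function Get-UacPromptPolicy {
    # Returns a report object describing the current UAC prompt behavior.
    $p = Get-ItemProperty -Path $PolicyKey

    # Missing values fall back to the Windows defaults listed above.
    $admin  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $user   = if ($null -ne $p.ConsentPromptBehaviorUser)  { [int]$p.ConsentPromptBehaviorUser }  else { 3 }
    $secure = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }

    [pscustomobject]@{
        AdminValue        = $admin
        AdminBehavior     = $AdminMeaning[$admin]
        UserValue         = $user
        UserBehavior      = $UserMeaning[$user]
        SecureDesktop     = [bool]$secure
        # Compliant when both prompts demand credentials rather than a click.
        RequiresPassword  = ($CredentialValues -contains $admin) -and ($CredentialValues -contains $user)
    }
}

function Set-UacPromptForCredentials {
    # Applies the post's recommendation: prompt for credentials for both
    # account types, shown on the secure desktop so other processes cannot
    # interact with the prompt. Requires an elevated session.
    Set-ItemProperty -Path $PolicyKey -Name 'ConsentPromptBehaviorAdmin' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'ConsentPromptBehaviorUser'  -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord
}

# Usage: .\Audit-UacPrompt.ps1            -> report only
#        .\Audit-UacPrompt.ps1 -Enforce   -> set the policy, then report
param([switch]$Enforce)

if ($Enforce) { Set-UacPromptForCredentials }

$report = Get-UacPromptPolicy
$report | Format-List

if (-not $report.RequiresPassword) {
    Write-Warning 'UAC elevation can be approved with a click; a keystroke-only payload can accept the prompt.'
}
```

Two caveats worth keeping in mind when reading the report: the values are only part of the picture if `EnableLUA` is 0 (UAC off entirely), and local changes are overwritten by domain Group Policy at the next refresh, so on managed machines the same settings should be set in the GPO rather than with this script.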
Enzym3 Posted December 3, 2016

I got the same results as you. There are, of course, plenty of payloads that can be run at a non-administrator level of PowerShell/CMD, and certain privilege escalation attacks that can be done, but this does provide a very big deterrent to many of the Ducky payloads you see out there right now.

Quote