44CON 2017 has ended
Back To Schedule
Thursday, September 14 • 10:30 - 12:29
Ruben Boonen - UAC 0day, all day pt 1

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

This workshop is available to attendees of all levels, however, a basic familiarity with Process Monitor and the Windows API are recommended. The workshop will provide the required knowledge to find, analyze and exploit process workflows which allow an attacker to elevate their privileges from Medium to High integrity. The workshop is divided into the following sections.


Identifying auto-elevating processes
Analyzing process workflows
Finding UAC bypass targets
Elevated File Operations:

Using the IFileOperation COM object
Tricking the Process Status API (PSAPI)
Getting UAC 0day (Pre RS2):

Analysis of known UAC bypasses
Understanding the Windows Side-By-Side Assembly + Creating proxy DLL’s
Using the Bypass-UAC framework (https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC) + Dropping 0day(s)!
Looking forward:

Triaging Windows 10 Redstone 2
Leaving IFileOperation behind
COM objects & Fileless elevation​
The workshop has intense hands-on labs where attendees will put the theory into practice. After attending you will immediately be able to apply this knowledge in the field. The next time someone tells you the default UAC settings are sufficient you will be able to set them straight!


Thursday September 14, 2017 10:30 - 12:29 BST
*Track 3*