Sensors ingested a new UAC bypass that leverages the AutoElevate attribute of the Microsoft-signed binary ComputerDefaults.exe. We tested the bypass against Microsoft Defender for Endpoint in block mode, which failed to prevent it. More worrying, the EDR reported the threat as “Blocked”, which was inaccurate: the binary remained on disk, and we were able to execute the exact same UAC-bypass binary multiple times. This goes to show that technology still cannot take the place of trained humans for post-investigation response.
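The gap described above is the one a responder has to close by hand: an alert label says “Blocked”, yet the file is still on disk and keeps running. The following script is an added example (not code from the original post, the sensor vendor, or the linked repository) that reconciles EDR verdicts against process-creation telemetry. It assumes Sysmon Event ID 1-style fields (image, parent image, integrity level, SHA256), a constructed watch-list of auto-elevating binaries containing ComputerDefaults.exe, and entirely constructed sample events with a placeholder hash. It generalizes slightly beyond the post: any binary placed on the watch-list is checked, not only ComputerDefaults.exe.

```python
"""Reconcile EDR 'Blocked' verdicts with later process-creation telemetry.

Added example with constructed sample data. Two checks:
  1. An auto-elevating binary (e.g. ComputerDefaults.exe) running at High
     integrity that spawns a child process is surfaced for analyst review.
  2. A file hash the EDR reported as 'Blocked' that is executed again
     afterwards is flagged as an unenforced verdict, so the analyst
     confirms the file was actually removed instead of trusting the label.
"""
from dataclasses import dataclass
from datetime import datetime

# Binaries whose manifest carries autoElevate=true. Constructed, minimal
# watch-list; ComputerDefaults.exe is the one named in the post.
AUTO_ELEVATE_BINARIES = {"computerdefaults.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Sysmon Event ID 1-style process creation record (assumed shape)."""
    ts: datetime
    image: str
    parent_image: str
    integrity: str   # "Medium", "High", ...
    sha256: str


@dataclass(frozen=True)
class EdrAlert:
    """Minimal EDR alert record (assumed shape)."""
    ts: datetime
    sha256: str
    verdict: str     # e.g. "Blocked", "Detected"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_auto_elevate_children(events):
    """Events whose parent is a watch-listed auto-elevating binary and that run at High integrity."""
    return [ev for ev in events
            if basename(ev.parent_image) in AUTO_ELEVATE_BINARIES and ev.integrity == "High"]


def find_unenforced_blocks(alerts, events):
    """(alert, event) pairs where a hash reported 'Blocked' was executed again later."""
    blocked = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        if a.verdict == "Blocked":
            blocked.setdefault(a.sha256, a)   # keep the earliest Blocked verdict per hash
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        a = blocked.get(ev.sha256)
        if a is not None and ev.ts > a.ts:
            findings.append((a, ev))
    return findings


def review_report(alerts, events):
    """Plain-text lines for the analyst doing post-investigation review."""
    lines = []
    for ev in find_auto_elevate_children(events):
        lines.append(f"[REVIEW] {basename(ev.parent_image)} spawned {basename(ev.image)} "
                     f"at {ev.integrity} integrity ({ev.ts.isoformat()})")
    for a, ev in find_unenforced_blocks(alerts, events):
        lines.append(f"[UNENFORCED] hash {a.sha256[:12]}... reported Blocked at "
                     f"{a.ts.isoformat()} but executed again at {ev.ts.isoformat()}")
    return lines


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data: placeholder hash, not a real indicator.
BYPASS_HASH = "aa" * 32
SAMPLE_ALERTS = [
    EdrAlert(T("2021-06-01T10:00:05"), BYPASS_HASH, "Blocked"),
]
SAMPLE_EVENTS = [
    # Bypass binary launched from the desktop at Medium integrity.
    ProcessEvent(T("2021-06-01T10:00:00"), r"C:\Users\u\Desktop\bypass.exe",
                 r"C:\Windows\explorer.exe", "Medium", BYPASS_HASH),
    # ComputerDefaults.exe auto-elevates to High integrity.
    ProcessEvent(T("2021-06-01T10:00:01"), r"C:\Windows\System32\ComputerDefaults.exe",
                 r"C:\Users\u\Desktop\bypass.exe", "High", "bb" * 32),
    # A High-integrity child under the auto-elevating binary: flagged for review.
    ProcessEvent(T("2021-06-01T10:00:02"), r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\ComputerDefaults.exe", "High", "cc" * 32),
    # Same binary executed again after the EDR reported it as Blocked.
    ProcessEvent(T("2021-06-01T10:05:00"), r"C:\Users\u\Desktop\bypass.exe",
                 r"C:\Windows\explorer.exe", "Medium", BYPASS_HASH),
]

if __name__ == "__main__":
    for line in review_report(SAMPLE_ALERTS, SAMPLE_EVENTS):
        print(line)
```

The first check is deliberately narrow (child processes of a High-integrity auto-elevating binary) so it stays quiet when ComputerDefaults.exe is simply opened by a user; the second check is what turns a “Blocked” label into a verifiable claim, because a verdict that is not followed by removal of the file shows up as a later execution of the same hash.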
UAC Bypass: 0xyg3n/UAC_Exploit: Escalate as Administrator bypassing the UAC affecting administrator accounts only. (github.com)