■■■■■ UAC bypass tactics research ends off with combining the use of trusted directories using trailing spaces “c:\windows \system32\” and a shellcode injector utilizing process fibers, inevitably resulting in a C2 channel with high integrity. What’s interesting about these trending UAC bypasses our CTI engine has been articulating is that MS doesn’t seem to consider them a security boundary. Users that are running with local admin privs (which happens quite a bit) are a big win for an adversary if combined with other evasion tradecraft such as process injection, which we show here. This tactic has a fairly easy detection which is to hunt for any directories with trailing spaces. None the less, it is an effective way to execute malicious code with high integrity, as shown by executing a Covenant implant.
HD Video: https://lnkd.in/emRHvcC