2024-12-14, Rookie track 1
Abstract:
What if the technology designed to protect your Windows system could be used against it?
In this session, we will delve deep into the hidden world of User Account Control (UAC) and the Component Object Model (COM), uncovering how attackers weaponize these essential security features for privilege escalation.
Join me as we pull back the curtain on the often-overlooked vulnerabilities within UAC and COM, revealing how a crafty adversary exploits elevated COM interfaces to bypass UAC consent prompts without user interaction, through a live demonstration and real-world examples from the prolific BlackCat ransomware.
This is not all bad news: the session also equips you with the knowledge and tools to detect, prevent, and defend against these sophisticated techniques.
Whether you're a cybersecurity veteran or a curious newcomer, this talk promises to deepen your understanding of Windows internals and elevate your defense strategies against UAC elevated-COM bypass exploits.
Key Takeaways:
1. Intersection of COM and UAC: COM objects are used by various applications in Windows to perform tasks. Some of these objects run with elevated privileges. UAC is designed to prevent unauthorized elevation, but if a COM object is improperly configured, it can be exploited to bypass UAC.
2. Exploitation Method: This bypass typically involves identifying a vulnerable COM object that does not trigger a UAC prompt when instantiated. An attacker can execute their payload through this object, gaining elevated privileges without user consent.
3. Live Demo: Examples from prolific Ransomware, BlackCat, and skeleton code.
4. Threat Hunt Use Case: Detection Logic/Tools and actionable IOCs for UAC Bypass.
Description:
The Elevated COM (Component Object Model) UAC (User Account Control) bypass is a technique used by attackers to escalate privileges on a Windows system without triggering a UAC prompt. UAC is a security feature in Windows that helps prevent unauthorized changes to the operating system by requiring user consent or administrator-level approval for certain actions. The bypass demonstrated in this talk leverages elevated COM objects identified by the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} that run with higher privileges to execute malicious code, thereby circumventing UAC protections.
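As an added detection example, not code from the talk or its speaker, the script below applies the threat-hunt idea from the takeaways to process-creation telemetry: it looks for the COM surrogate process hosting the CLSID named above and flags any high-integrity child it spawns. It assumes a constructed `key="value"` record format (a flattening of the fields an EDR or Sysmon process-creation event carries) and that the elevated class is hosted by `dllhost.exe` with `/Processid:{CLSID}` on its command line; the sample records and the `LAB\alice` user are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# CLSID named on the page: the elevated COM class abused by this bypass.
ELEVATED_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full path of the new process image
    cmdline: str     # command line of the new process
    integrity: str   # token integrity level: Low / Medium / High / System
    user: str


# Constructed sample records (not real telemetry). Record 1 is the COM surrogate
# hosting the CLSID; record 2 is a high-integrity child it spawned; records 4-5
# are a surrogate for an unrelated (placeholder) CLSID and its child.
SAMPLE_LOG = r'''
pid="4120" ppid="812" image="C:\Windows\System32\dllhost.exe" cmdline="C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" integrity="High" user="LAB\alice"
pid="4188" ppid="4120" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c whoami" integrity="High" user="LAB\alice"
pid="4200" ppid="3300" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe" integrity="Medium" user="LAB\alice"
pid="4250" ppid="812" image="C:\Windows\System32\dllhost.exe" cmdline="C:\Windows\system32\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000000}" integrity="High" user="LAB\alice"
pid="4260" ppid="4250" image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe" integrity="High" user="LAB\alice"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed key="value" process-creation record."""
    fields = dict(FIELD_RE.findall(line))
    return ProcEvent(
        pid=int(fields["pid"]),
        ppid=int(fields["ppid"]),
        image=fields["image"],
        cmdline=fields["cmdline"],
        integrity=fields["integrity"],
        user=fields["user"],
    )


def parse_log(text: str) -> List[ProcEvent]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_elevated_com_surrogate(ev: ProcEvent) -> bool:
    """True when the process is a dllhost.exe surrogate hosting the page's CLSID."""
    return (ev.image.lower().endswith("\\dllhost.exe")
            and ELEVATED_CLSID.lower() in ev.cmdline.lower())


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str, int]]:
    """Return (child pid, child image, surrogate pid) for every high-integrity
    process whose parent is the surrogate hosting the elevated CLSID."""
    by_pid: Dict[int, ProcEvent] = {ev.pid: ev for ev in events}
    hits: List[Tuple[int, str, int]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or not is_elevated_com_surrogate(parent):
            continue
        # A surrogate re-spawning itself is not what we are after; any other
        # high-integrity child of the surrogate is worth an analyst's look.
        if ev.integrity.lower() == "high" and not is_elevated_com_surrogate(ev):
            hits.append((ev.pid, ev.image, parent.pid))
    return hits


def hunt_log(text: str) -> List[Tuple[int, str, int]]:
    return hunt(parse_log(text))


if __name__ == "__main__":
    for pid, image, surrogate_pid in hunt_log(SAMPLE_LOG):
        print(f"suspicious high-integrity child {pid} ({image}) of COM surrogate {surrogate_pid}")
```

The surrogate and the CLSID are legitimate Windows components, so a tree keyed on the CLSID alone will also match benign use; in production, enrich each hit with the surrogate's own parent and the user's session so that a medium-integrity origin with no consent prompt stands out from an administrator who deliberately elevated.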
Key Points
1. Overview of UAC
2. Overview of COM
3. UAC and COM: Security Intersection
4. Abusing UAC Elevated COM Interfaces
5. Case Study
• BlackCat - Ransomware
6. Live Demo
7. Monitoring and Detection
• Threat Hunt, Detection Logic/Tool
8. Q&A
Amankumar Badhel is a passionate threat researcher with a sharp focus on detection engineering. He brings deep insights from the frontlines of offensive security and blends cutting-edge research with practical detection strategies to help organizations stay ahead of evolving threats.