
CSm1n | 3 years ago

The repositories shown on the first page of GitHub search are not actual exploits. They all expect to be run through an admin powershell/command line. Under normal conditions (default user and UAC on) you will get a warning before the script is able to gain administrative access. Try to run them again under a normal user and they won't be able to disable/bypass Defender.

It's the same as sudo'ing an unknown script you received in an email. At that point you're begging to be pwned.


p1peridine | 3 years ago

Sort by Best match or Most stars. Those GitHub repos are just examples. Pro malware creators wouldn't just copy and paste some code, or else it would be detected fairly easily.

UAC is easily bypassed as well. In fact, the majority of wontfix exploits have something to do with UAC.

> They all expect to be run through an admin powershell/command line.

Admin rights will be acquired by using exploits (of which there are many) or by using built-in tools found in the Windows system directory, for example Wscript.exe. No internet connection required. No fetching of external files. You have no say in whether you can allow it to run or not.

> you will get a warning before the script is able to gain administrative access.

False. You wouldn't even know. Not a visible command-line window to be seen. It's all silent. A well-developed exploit will delete most of its traces.

This is all pretty basic knowledge in the sec research community. Test it and verify it for yourself. I test hardening configurations using a Windows VM.
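As an added example for anyone who wants to check the hardening the commenter describes, here is a small PowerShell audit of the UAC policy values that control whether and how an elevation prompt appears. This is not code from the thread or from any of the GitHub repositories discussed; the registry path and value names are the documented Windows policy keys, while the expected values are a chosen hardened baseline, not something the thread states.

```powershell
# Added example: audit the UAC policy values under the documented Windows policy key.
# Run in a PowerShell window as any user; reading HKLM policy values does not need elevation.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hardened baseline (an assumption chosen for this example, not values from the thread).
# ConsentPromptBehaviorAdmin = 2 is "Always notify": even Windows-signed binaries must prompt,
# which closes the silent auto-elevation path that level 5 (the default) permits.
$baseline = @{
    EnableLUA                  = 1   # UAC enabled at all
    ConsentPromptBehaviorAdmin = 2   # always prompt admins, no silent elevation
    PromptOnSecureDesktop      = 1   # show the prompt on the secure desktop so it cannot be auto-clicked
}

function Test-UacHardening {
    param(
        [string]$Path = $uacKey,
        [hashtable]$Expected = $baseline
    )
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $actual) { '(not set, Windows default applies)' } else { $actual }
            Ok       = ($actual -eq $Expected[$name])
        }
    }
}

# Print the comparison and exit non-zero if any setting misses the baseline,
# so the check can be dropped into a VM provisioning or compliance script.
$results = Test-UacHardening
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

A value that is absent from the policy key means the Windows default is in force; for ConsentPromptBehaviorAdmin that default is 5, which is exactly the mode in which signed, auto-elevate-flagged Windows binaries elevate without a prompt. The audit flags that as a miss rather than treating "not set" as safe.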

howinteresting | 3 years ago

UAC is generally quite easy to bypass and not a real security boundary.