Bypass User Account Control
Bypass User Account Control [T1548.002]
Information
Name: Bypass User Account Control
ID: T1548.002
Technique: T1548
Introduction
The MITRE ATT&CK sub-technique T1548.002, "Bypass User Account Control," involves adversaries circumventing the Windows User Account Control (UAC) mechanism. UAC is a security feature designed to prevent unauthorized changes to the operating system by prompting the user for consent or administrative credentials. Attackers aim to bypass UAC to elevate privileges silently, enabling them to execute malicious commands, install malware, or access sensitive system resources without alerting the user or triggering security prompts.
Deep Dive Into Technique
User Account Control (UAC) is a security measure in Windows designed to prevent unauthorized privilege escalation. It prompts users for confirmation or administrative credentials whenever actions requiring elevated privileges are attempted. To bypass UAC, adversaries typically exploit vulnerabilities or use legitimate Windows features in unintended ways. Common methods include:
DLL Hijacking: Attackers place malicious DLL files in directories searched by trusted Windows executables, causing the trusted executable to load and execute malicious code with elevated privileges.
Registry Manipulation: Attackers modify registry keys such as
HKCU\Software\Classes\ms-settings\shell\open\commandorHKCU\Software\Classes\exefile\shell\runas\commandto trigger elevated execution without prompt.Abuse of Trusted Windows Processes: Attackers utilize trusted Windows executables (e.g.,
fodhelper.exe,eventvwr.exe,sdclt.exe, orcomputerdefaults.exe) that auto-elevate privileges without prompting the user. By manipulating these processes' registry configurations, adversaries can launch malicious payloads silently.COM Interface Abuse: Certain Component Object Model (COM) interfaces allow elevation of privileges without UAC prompts. Attackers exploit these interfaces to execute commands or scripts at higher privileges.
Scheduled Tasks: Attackers may create scheduled tasks configured to run with elevated privileges, bypassing UAC prompts entirely.
Typically, these techniques do not involve exploiting software vulnerabilities; instead, they rely on abusing legitimate Windows functionality and configuration weaknesses.
When this Technique is Usually Used
Attackers commonly use UAC bypass techniques during multiple stages of an intrusion, particularly:
Privilege Escalation: After initial access, attackers bypass UAC to elevate privileges from standard user to administrator level, enabling further exploitation and lateral movement.
Persistence: Attackers establish persistence by silently installing malware or configuring system changes without user awareness or prompts.
Defense Evasion: Attackers bypass UAC to discreetly execute malicious commands and tools, avoiding detection and minimizing user suspicion.
Scenarios include:
Targeted attacks against corporate environments where standard user accounts are prevalent.
Malware infections aiming to escalate privileges silently and install persistent backdoors or remote access trojans.
Advanced Persistent Threat (APT) actors seeking stealthy command execution and lateral movement within compromised networks.
How this Technique is Usually Detected
Detection of UAC bypass techniques typically involves monitoring system behavior, configuration changes, and suspicious process activities. Common detection methods include:
Process Monitoring and Analysis:
Monitor execution of known auto-elevating Windows executables (e.g.,
fodhelper.exe,eventvwr.exe,sdclt.exe,computerdefaults.exe) spawning unexpected child processes.Detect unusual parent-child process relationships (e.g.,
explorer.exespawning elevated processes).
Registry Monitoring:
Monitor and alert on suspicious modifications to registry keys associated with UAC bypass (e.g.,
HKCU\Software\Classes\ms-settings\shell\open\command).Detect unauthorized registry modifications that trigger auto-elevation or silent execution.
File System Monitoring:
Detect suspicious DLL files placed in directories commonly targeted for DLL hijacking.
Monitor creation or modification of scheduled tasks with elevated privileges.
Event Log Analysis:
Review Windows Security Event Logs for events related to privilege escalation or unusual process execution.
Monitor scheduled task creation events and unusual task executions.
Endpoint Detection and Response (EDR) Solutions:
Employ EDR tools capable of identifying and alerting on suspicious privilege escalation behaviors and anomalous process executions.
Indicators of Compromise (IoCs):
Unexpected registry key additions or modifications related to auto-elevation.
Unusual DLL files placed in system directories.
Scheduled tasks configured without user knowledge or legitimate business need.
Processes executing from unexpected locations or with unexpected command-line parameters.
Why it is Important to Detect This Technique
Detecting UAC bypass techniques early is critical due to their significant impact on security posture and operational integrity. The importance of early detection includes:
Preventing Privilege Escalation: Early detection prevents attackers from gaining administrative privileges, limiting their ability to execute further malicious actions.
Reducing Attack Surface: Identifying and mitigating UAC bypass attempts reduces the overall attack surface and minimizes exposure to further exploitation.
Avoiding Persistence and Lateral Movement: Early detection disrupts attackers' attempts to establish persistence and move laterally through the network.
Protecting Sensitive Data: Prompt detection and response prevent unauthorized access to sensitive information, intellectual property, and critical system resources.
Maintaining System Integrity: Early identification of unauthorized privilege escalation attempts helps maintain the integrity and reliability of systems and networks.
Compliance and Regulatory Requirements: Timely detection and response to privilege escalation attempts support compliance with security standards and regulatory frameworks (e.g., PCI DSS, HIPAA, GDPR).
Examples
Real-world examples of UAC bypass techniques include:
Use of fodhelper.exe:
Attackers manipulate the registry key
HKCU\Software\Classes\ms-settings\shell\open\commandto execute malicious commands whenfodhelper.exeruns.Impact: Silent privilege escalation, enabling further malware installation and lateral movement.
Event Viewer (
eventvwr.exe) Abuse:Attackers exploit registry keys associated with
eventvwr.exeto execute malicious payloads silently with elevated privileges.Impact: Attackers gain administrative privileges without user consent, facilitating persistence and data exfiltration.
DLL Hijacking via sdclt.exe:
Attackers place malicious DLLs in directories searched by
sdclt.exe, a trusted executable, causing silent execution of malicious code.Impact: Malicious code runs with elevated privileges, enabling stealthy malware installation and persistence.
COM Interface Exploitation:
Attackers leverage COM interfaces such as
ICMLuaUtilto execute malicious payloads with elevated privileges without triggering UAC prompts.Impact: Attackers gain administrative control, enabling further exploitation and lateral movement.
Scheduled Tasks Exploitation:
Attackers create scheduled tasks configured to run elevated commands silently, bypassing UAC prompts entirely.
Impact: Persistent administrative access, enabling long-term control and stealthy malicious operations.
Commonly used tools in real-world scenarios include:
UACMe: An open-source tool containing multiple UAC bypass methods, often used by penetration testers and attackers.
Metasploit Framework: Contains modules specifically designed to bypass UAC and escalate privileges silently.
Empire: PowerShell-based post-exploitation framework with built-in modules for UAC bypass and privilege escalation.
These examples illustrate the real-world impacts of UAC bypass techniques, emphasizing the necessity for robust detection, monitoring, and response capabilities to protect organizational assets and data.
Last updated
Was this helpful?