Bypass User Account Control
Bypass User Account Control [T1548.002]
Last updated
Bypass User Account Control [T1548.002]
Last updated
Name: Bypass User Account Control
ID: T1548.002
Tactics: ,
Technique:
The MITRE ATT&CK sub-technique T1548.002, "Bypass User Account Control," involves adversaries circumventing the Windows User Account Control (UAC) mechanism. UAC is a security feature designed to prevent unauthorized changes to the operating system by prompting the user for consent or administrative credentials. Attackers aim to bypass UAC to elevate privileges silently, enabling them to execute malicious commands, install malware, or access sensitive system resources without alerting the user or triggering security prompts.
User Account Control (UAC) is a security measure in Windows designed to prevent unauthorized privilege escalation. It prompts users for confirmation or administrative credentials whenever actions requiring elevated privileges are attempted. To bypass UAC, adversaries typically exploit vulnerabilities or use legitimate Windows features in unintended ways. Common methods include:
DLL Hijacking: Attackers place malicious DLL files in directories searched by trusted Windows executables, causing the trusted executable to load and execute malicious code with elevated privileges.
Registry Manipulation: Attackers modify registry keys such as HKCU\Software\Classes\ms-settings\shell\open\command or HKCU\Software\Classes\exefile\shell\runas\command to trigger elevated execution without prompt.
Abuse of Trusted Windows Processes: Attackers utilize trusted Windows executables (e.g., fodhelper.exe, eventvwr.exe, sdclt.exe, or computerdefaults.exe) that auto-elevate privileges without prompting the user. By manipulating these processes' registry configurations, adversaries can launch malicious payloads silently.
COM Interface Abuse: Certain Component Object Model (COM) interfaces allow elevation of privileges without UAC prompts. Attackers exploit these interfaces to execute commands or scripts at higher privileges.
Scheduled Tasks: Attackers may create scheduled tasks configured to run with elevated privileges, bypassing UAC prompts entirely.
Typically, these techniques do not involve exploiting software vulnerabilities; instead, they rely on abusing legitimate Windows functionality and configuration weaknesses.
Attackers commonly use UAC bypass techniques during multiple stages of an intrusion, particularly:
Privilege Escalation: After initial access, attackers bypass UAC to elevate privileges from standard user to administrator level, enabling further exploitation and lateral movement.
Persistence: Attackers establish persistence by silently installing malware or configuring system changes without user awareness or prompts.
Defense Evasion: Attackers bypass UAC to discreetly execute malicious commands and tools, avoiding detection and minimizing user suspicion.
Scenarios include:
Targeted attacks against corporate environments where standard user accounts are prevalent.
Malware infections aiming to escalate privileges silently and install persistent backdoors or remote access trojans.
Advanced Persistent Threat (APT) actors seeking stealthy command execution and lateral movement within compromised networks.
Detection of UAC bypass techniques typically involves monitoring system behavior, configuration changes, and suspicious process activities. Common detection methods include:
Process Monitoring and Analysis:
Monitor execution of known auto-elevating Windows executables (e.g., fodhelper.exe, eventvwr.exe, sdclt.exe, computerdefaults.exe) spawning unexpected child processes.
Detect unusual parent-child process relationships (e.g., explorer.exe spawning elevated processes).
Registry Monitoring:
Monitor and alert on suspicious modifications to registry keys associated with UAC bypass (e.g., HKCU\Software\Classes\ms-settings\shell\open\command).
Detect unauthorized registry modifications that trigger auto-elevation or silent execution.
File System Monitoring:
Detect suspicious DLL files placed in directories commonly targeted for DLL hijacking.
Monitor creation or modification of scheduled tasks with elevated privileges.
Event Log Analysis:
Review Windows Security Event Logs for events related to privilege escalation or unusual process execution.
Monitor scheduled task creation events and unusual task executions.
Endpoint Detection and Response (EDR) Solutions:
Employ EDR tools capable of identifying and alerting on suspicious privilege escalation behaviors and anomalous process executions.
Indicators of Compromise (IoCs):
Unexpected registry key additions or modifications related to auto-elevation.
Unusual DLL files placed in system directories.
Scheduled tasks configured without user knowledge or legitimate business need.
Processes executing from unexpected locations or with unexpected command-line parameters.
Detecting UAC bypass techniques early is critical due to their significant impact on security posture and operational integrity. The importance of early detection includes:
Preventing Privilege Escalation: Early detection prevents attackers from gaining administrative privileges, limiting their ability to execute further malicious actions.
Reducing Attack Surface: Identifying and mitigating UAC bypass attempts reduces the overall attack surface and minimizes exposure to further exploitation.
Avoiding Persistence and Lateral Movement: Early detection disrupts attackers' attempts to establish persistence and move laterally through the network.
Protecting Sensitive Data: Prompt detection and response prevent unauthorized access to sensitive information, intellectual property, and critical system resources.
Maintaining System Integrity: Early identification of unauthorized privilege escalation attempts helps maintain the integrity and reliability of systems and networks.
Compliance and Regulatory Requirements: Timely detection and response to privilege escalation attempts support compliance with security standards and regulatory frameworks (e.g., PCI DSS, HIPAA, GDPR).
Real-world examples of UAC bypass techniques include:
Use of fodhelper.exe:
Attackers manipulate the registry key HKCU\Software\Classes\ms-settings\shell\open\command to execute malicious commands when fodhelper.exe runs.
Impact: Silent privilege escalation, enabling further malware installation and lateral movement.
Event Viewer (eventvwr.exe) Abuse:
Attackers exploit registry keys associated with eventvwr.exe to execute malicious payloads silently with elevated privileges.
Impact: Attackers gain administrative privileges without user consent, facilitating persistence and data exfiltration.
DLL Hijacking via sdclt.exe:
Attackers place malicious DLLs in directories searched by sdclt.exe, a trusted executable, causing silent execution of malicious code.
Impact: Malicious code runs with elevated privileges, enabling stealthy malware installation and persistence.
COM Interface Exploitation:
Attackers leverage COM interfaces such as ICMLuaUtil to execute malicious payloads with elevated privileges without triggering UAC prompts.
Impact: Attackers gain administrative control, enabling further exploitation and lateral movement.
Scheduled Tasks Exploitation:
Attackers create scheduled tasks configured to run elevated commands silently, bypassing UAC prompts entirely.
Impact: Persistent administrative access, enabling long-term control and stealthy malicious operations.
Commonly used tools in real-world scenarios include:
UACMe: An open-source tool containing multiple UAC bypass methods, often used by penetration testers and attackers.
Metasploit Framework: Contains modules specifically designed to bypass UAC and escalate privileges silently.
Empire: PowerShell-based post-exploitation framework with built-in modules for UAC bypass and privilege escalation.
These examples illustrate the real-world impacts of UAC bypass techniques, emphasizing the necessity for robust detection, monitoring, and response capabilities to protect organizational assets and data.