ATT&CK v16 has been released! Check out the blog post for more information.

User Account Control

Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.

ID: M1052

Version: 1.1

Created: 11 June 2019

Last Modified: 31 March 2020

Version Permalink

Live Version

Techniques Addressed by Mitigation

Domain	ID		Name	Use
Enterprise	T1548		Abuse Elevation Control Mechanism	Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking.
		.002	Bypass User Account Control	Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking.
Enterprise	T1546	.011	Event Triggered Execution: Application Shimming	Changing UAC settings to "Always Notify" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.
Enterprise	T1574		Hijack Execution Flow	Turn off UAC's privilege elevation for standard users `[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]` to automatically deny elevation requests, add: `"ConsentPromptBehaviorUser"=dword:00000000`. Consider enabling installer detection for all users by adding: `"EnableInstallerDetection"=dword:00000001`. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: `"EnableInstallerDetection"=dword:00000000`. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. ^[1]
		.005	Executable Installer File Permissions Weakness	Turn off UAC's privilege elevation for standard users `[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]` to automatically deny elevation requests, add: `"ConsentPromptBehaviorUser"=dword:00000000`. Consider enabling installer detection for all users by adding: `"EnableInstallerDetection"=dword:00000001`. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: `"EnableInstallerDetection"=dword:00000000`. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. ^[1]
		.010	Services File Permissions Weakness	Turn off UAC's privilege elevation for standard users `[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]`to automatically deny elevation requests, add: `"ConsentPromptBehaviorUser"=dword:00000000`. Consider enabling installer detection for all users by adding: `"EnableInstallerDetection"=dword:00000001`. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: `"EnableInstallerDetection"=dword:00000000`. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.^[1]
Enterprise	T1550	.002	Use Alternate Authentication Material: Pass the Hash	Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy`. Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons.^[2]

References

Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.

NSA IAD. (2017, January 24). MS Security Guide. Retrieved December 18, 2017.