Abuse Elevation Control Mechanism: Bypass User Account Control

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.[1]

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box.[2][3] An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.[4]

Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods[5] that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:

  • eventvwr.exe can auto-elevate and execute a specified binary or script.[6][7]

Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.[8]

ID: T1548.002
Sub-technique of:  T1548
Platforms: Windows
Permissions Required: Administrator, User
Effective Permissions: Administrator
Defense Bypassed: Windows User Account Control
Contributors: Casey Smith; Stefan Kanthak
Version: 2.1
Created: 30 January 2020
Last Modified: 21 April 2023

Procedure Examples

ID Name Description
S0584 AppleJeus

AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.[9]

G0016 APT29

APT29 has bypassed UAC.[10]

G0067 APT37

APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.[11]

S0129 AutoIt backdoor

AutoIt backdoor attempts to escalate privileges by bypassing User Access Control.[12]

S0640 Avaddon

Avaddon bypasses UAC using the CMSTPLUA COM interface.[13]

S0606 Bad Rabbit

Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges.[14]

S1081 BADHATCH

BADHATCH can utilize the CMSTPLUA COM interface and the SilentCleanup task to bypass UAC.[15]

S0570 BitPaymer

BitPaymer can suppress UAC prompts by setting the HKCU\Software\Classes\ms-settings\shell\open\command registry key on Windows 10 or HKCU\Software\Classes\mscfile\shell\open\command on Windows 7 and launching the eventvwr.msc process, which launches BitPaymer with elevated privileges.[16]

S1068 BlackCat

BlackCat can bypass UAC to escalate privileges.[17]

S0089 BlackEnergy

BlackEnergy attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.[18]

G0060 BRONZE BUTLER

BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.[19][20]

S1039 Bumblebee

Bumblebee has the ability to bypass UAC to deploy post exploitation tools with elevated privileges.[21]

S0660 Clambling

Clambling has the ability to bypass UAC using a passuac.dll file.[22][23]

G0080 Cobalt Group

Cobalt Group has bypassed UAC.[24]

S0154 Cobalt Strike

Cobalt Strike can use a number of known techniques to bypass Windows UAC.[25][26]

S0527 CSPY Downloader

CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges.[27]

S0134 Downdelph

Downdelph bypasses UAC to escalate privileges by using a custom "RedirectEXE" shim database.[28]

G1006 Earth Lusca

Earth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges.[29]

S0363 Empire

Empire includes various modules to attempt to bypass UAC for escalation of privileges.[30]

G0120 Evilnum

Evilnum has used PowerShell to bypass UAC.[31]

S0182 FinFisher

FinFisher performs UAC bypass.[32][33]

S0666 Gelsemium

Gelsemium can bypass UAC to elevate process privileges on a compromised host.[34]

S0531 Grandoreiro

Grandoreiro can bypass UAC by registering as the default handler for .MSC files.[35]

S0132 H1N1

H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).[36]

S0260 InvisiMole

InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges.[37][38]

S0250 Koadic

Koadic has 2 methods for elevating integrity. It can bypass UAC through eventvwr.exe and sdclt.exe.[39]

S0669 KOCTOPUS

KOCTOPUS will perform UAC bypass either through fodhelper.exe or eventvwr.exe.[40]

S0356 KONNI

KONNI has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to "AlwaysNotify".[41][42]

S0447 Lokibot

Lokibot has utilized multiple techniques to bypass UAC.[43]

G0069 MuddyWater

MuddyWater uses various techniques to bypass UAC.[44]

C0006 Operation Honeybee

During Operation Honeybee, the threat actors used the malicious NTWDBLIB.DLL and cliconfig.exe to bypass UAC protections.[45]

G0040 Patchwork

Patchwork bypassed User Access Control (UAC).[46]

S0501 PipeMon

PipeMon installer can use UAC bypass techniques to install the payload.[47]

S0254 PLAINTEE

An older variant of PLAINTEE performs UAC bypass.[48]

S0378 PoshC2

PoshC2 can utilize multiple methods to bypass UAC.[49]

S0192 Pupy

Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.[50]

S0262 QuasarRAT

QuasarRAT can generate a UAC pop-up Window to prompt the target user to run a command as the administrator.[51]

S0458 Ramsay

Ramsay can use UACMe for privilege escalation.[52][53]

S0662 RCSession

RCSession can bypass UAC to escalate privileges.[22]

S0332 Remcos

Remcos has a command for UAC bypassing.[54]

S0148 RTM

RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.[55]

S1018 Saint Bot

Saint Bot has attempted to bypass UAC using fodhelper.exe to escalate privileges.[56]

S0074 Sakula

Sakula contains UAC bypass code for both 32- and 64-bit systems.[57]

S0140 Shamoon

Shamoon attempts to disable UAC remote restrictions by modifying the Registry.[58]

S0444 ShimRat

ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Access Control window from appearing.[59]

S0692 SILENTTRINITY

SILENTTRINITY contains a number of modules that can bypass UAC, including through Window's Device Manager, Manage Optional Features, and an image hijack on the .msc file extension.[60]

G0027 Threat Group-3390

A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.[61]

S0116 UACMe

UACMe contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[5]

S0670 WarzoneRAT

WarzoneRAT can use sdclt.exe to bypass UAC in Windows 10 to escalate privileges; for older Windows versions WarzoneRAT can use the IFileOperation exploit to bypass the UAC module.[62][63]

S0612 WastedLocker

WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later.[64]

S0141 Winnti for Windows

Winnti for Windows can use a variant of the sysprep UAC bypass.[65]

S0230 ZeroT

Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.[66]

Mitigations

ID Mitigation Description
M1047 Audit

Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.[5]

M1026 Privileged Account Management

Remove users from the local administrator group on systems.

M1051 Update Software

Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.[5]

M1052 User Account Control

Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may bypass UAC mechanisms to elevate process privileges on system.

DS0009 Process Process Creation

Monitor newly executed processes, such as eventvwr.exe and sdclt.exe, that may bypass UAC mechanisms to elevate process privileges on system.

Threat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using "reg.exe", a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system.

Analytic 1 : UAC Bypass

possible_uac_bypass = filter processes where ( integrity_level == "High" and (parent_image_path == "c:\windows\system32\fodhelper.exe") or (command_line == ".exe\"cleanmgr.exe /autoclean") or (image_path == "c:\program files\windows media player\osk.exe") or (parent_image_path == "c:\windows\system32\slui.exe") or (parent_command_line == '"c:\windows\system32\dism.exe""".xml"' and image_path != "c:\users*\appdata\local\temp*\dismhost.exe") or (command_line == '"c:\windows\system32\wusa.exe"/quiet*' and user != "NOT_TRANSLATED" and current_working_directory == "c:\windows\system32\" and parent_image_path != "c:\windows\explorer.exe") or (parent_image_path == "c:\windows*dccw.exe" and image_path != "c:\windows\system32\cttune.exe"))

Analytic 2 : Disable UAC

cmd_processes = filter processes where ( (parent_image = "C:\Windows\System32\cmd.exe") AND (command_line = "reg.exe%HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System%REG_DWORD /d 0%"))

Process Metadata

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may bypass UAC mechanisms to elevate process privileges on system.

DS0024 Windows Registry Windows Registry Key Modification

Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:* The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key.[6]* The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.[67][68]Analysts should monitor these Registry settings for unauthorized changes.

UAC Bypass is an interesting technique in that new implementations are regularly found and existing implementations may be fixed (i.e., patched) by Microsoft in new builds of Windows. Therefore, it is important to validate than detections for UAC Bypass are still relevant (i.e., they target non-patched implementations).

Note: Sysmon Event ID 12 (Registry Key Create/Delete), Sysmon Event ID 13 (Registry Value Set), and Sysmon Event ID 14 (Registry Key and Value Rename) are useful for creating detections around Registry Key Modification in the context of UAC Bypass.

References

  1. Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.
  2. Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.
  3. Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.
  4. Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.
  5. UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
  6. Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.
  7. Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.
  8. Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.
  9. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  10. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  11. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  12. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  13. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  14. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  15. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  16. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  17. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  18. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  19. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  20. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  21. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
  22. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  23. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  24. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  25. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  26. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  27. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  28. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  29. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  30. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  31. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  32. FinFisher. (n.d.). Retrieved December 20, 2017.
  33. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  34. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  1. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  2. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  3. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  4. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  5. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  6. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  7. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  8. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  9. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  10. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  11. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  12. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  13. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  14. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  15. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  16. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  17. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  18. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  19. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  20. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  21. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  22. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  23. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  24. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  25. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  26. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  27. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  28. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  29. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  30. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  31. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  32. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  33. Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.
  34. Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.