ID | Name |
---|---|
T1548.001 | Setuid and Setgid |
T1548.002 | Bypass User Account Control |
T1548.003 | Sudo and Sudo Caching |
T1548.004 | Elevated Execution with Prompt |
T1548.005 | Temporary Elevated Cloud Access |
T1548.006 | TCC Manipulation |
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.[1]
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box.[2][3] An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.[4]
Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods[5] that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.[8]
ID | Name | Description |
---|---|---|
S0584 | AppleJeus |
AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.[9] |
G0016 | APT29 | |
G0067 | APT37 |
APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.[11] |
S0129 | AutoIt backdoor |
AutoIt backdoor attempts to escalate privileges by bypassing User Access Control.[12] |
S0640 | Avaddon | |
S0606 | Bad Rabbit |
Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges.[14] |
S1081 | BADHATCH |
BADHATCH can utilize the CMSTPLUA COM interface and the SilentCleanup task to bypass UAC.[15] |
S0570 | BitPaymer |
BitPaymer can suppress UAC prompts by setting the |
S1068 | BlackCat | |
S0089 | BlackEnergy |
BlackEnergy attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.[18] |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.[19][20] |
S1039 | Bumblebee |
Bumblebee has the ability to bypass UAC to deploy post exploitation tools with elevated privileges.[21] |
S0660 | Clambling |
Clambling has the ability to bypass UAC using a |
G0080 | Cobalt Group |
Cobalt Group has bypassed UAC.[24] |
S0154 | Cobalt Strike |
Cobalt Strike can use a number of known techniques to bypass Windows UAC.[25][26] |
S0527 | CSPY Downloader |
CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges.[27] |
S1111 | DarkGate |
DarkGate uses two distinct User Account Control (UAC) bypass techniques to escalate privileges.[28] |
S0134 | Downdelph |
Downdelph bypasses UAC to escalate privileges by using a custom "RedirectEXE" shim database.[29] |
G1006 | Earth Lusca |
Earth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges.[30] |
S0363 | Empire |
Empire includes various modules to attempt to bypass UAC for escalation of privileges.[31] |
G0120 | Evilnum | |
S0182 | FinFisher | |
S0666 | Gelsemium |
Gelsemium can bypass UAC to elevate process privileges on a compromised host.[35] |
S0531 | Grandoreiro |
Grandoreiro can bypass UAC by registering as the default handler for .MSC files.[36] |
S0132 | H1N1 |
H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).[37] |
S0260 | InvisiMole |
InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges.[38][39] |
S0250 | Koadic |
Koadic has 2 methods for elevating integrity. It can bypass UAC through |
S0669 | KOCTOPUS |
KOCTOPUS will perform UAC bypass either through fodhelper.exe or eventvwr.exe.[41] |
S0356 | KONNI |
KONNI has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to "AlwaysNotify".[42][43] |
S0447 | Lokibot | |
G0069 | MuddyWater |
MuddyWater uses various techniques to bypass UAC.[45] |
C0006 | Operation Honeybee |
During Operation Honeybee, the threat actors used the malicious NTWDBLIB.DLL and |
G0040 | Patchwork | |
S0501 | PipeMon |
PipeMon installer can use UAC bypass techniques to install the payload.[48] |
S0254 | PLAINTEE | |
S0378 | PoshC2 | |
S0192 | Pupy |
Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.[51] |
S0262 | QuasarRAT |
QuasarRAT can generate a UAC pop-up Window to prompt the target user to run a command as the administrator.[52] |
S0458 | Ramsay | |
S0662 | RCSession | |
S0332 | Remcos | |
S0148 | RTM |
RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.[56] |
S1018 | Saint Bot |
Saint Bot has attempted to bypass UAC using |
S0074 | Sakula |
Sakula contains UAC bypass code for both 32- and 64-bit systems.[58] |
S0140 | Shamoon |
Shamoon attempts to disable UAC remote restrictions by modifying the Registry.[59] |
S0444 | ShimRat |
ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Access Control window from appearing.[60] |
S0692 | SILENTTRINITY |
SILENTTRINITY contains a number of modules that can bypass UAC, including through Window's Device Manager, Manage Optional Features, and an image hijack on the |
G0027 | Threat Group-3390 |
A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.[62] |
S0116 | UACMe |
UACMe contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[5] |
S0670 | WarzoneRAT |
WarzoneRAT can use |
S0612 | WastedLocker |
WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later.[65] |
S0141 | Winnti for Windows |
Winnti for Windows can use a variant of the sysprep UAC bypass.[66] |
S0230 | ZeroT |
Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.[67] |
ID | Mitigation | Description |
---|---|---|
M1047 | Audit |
Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.[5] |
M1026 | Privileged Account Management |
Remove users from the local administrator group on systems. |
M1051 | Update Software |
Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.[5] |
M1052 | User Account Control |
Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may bypass UAC mechanisms to elevate process privileges on system. |
DS0009 | Process | Process Creation |
Monitor newly executed processes, such as Threat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using "reg.exe", a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system. Analytic 1 - UAC Bypass
Analytic 2 - Disable UAC
|
Process Metadata |
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may bypass UAC mechanisms to elevate process privileges on system. |
||
DS0024 | Windows Registry | Windows Registry Key Modification |
Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:* The UAC Bypass is an interesting technique in that new implementations are regularly found and existing implementations may be fixed (i.e., patched) by Microsoft in new builds of Windows. Therefore, it is important to validate than detections for UAC Bypass are still relevant (i.e., they target non-patched implementations). Note: Sysmon Event ID 12 (Registry Key Create/Delete), Sysmon Event ID 13 (Registry Value Set), and Sysmon Event ID 14 (Registry Key and Value Rename) are useful for creating detections around Registry Key Modification in the context of UAC Bypass. |