Bypass User Account Control

From ATT&CK
Jump to: navigation, search
Bypass User Account Control
Technique
ID T1088
Tactic Defense Evasion, Privilege Escalation
Platform Windows Server 2012, Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012 R2, Windows 8.1
Permissions Required User, Administrator
Effective Permissions Administrator
Data Sources System calls, Process monitoring, Authentication logs, Process command-line parameters
Defense Bypassed Windows User Account Control
Contributors Stefan KanthakCasey Smith

Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.1

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box.23 An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.4 Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.

Many methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods5 that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional methods have been discovered and are being used in the wild, such as using eventvwr.exe to auto-elevate and execute a specified binary or script.67

Another bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity.8

Examples

  • APT29 has bypassed UAC.9
  • Patchwork bypassed User Access Control (UAC).10
  • Sakula contains UAC bypass code for both 32- and 64-bit systems.11
  • BlackEnergy attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.12
  • UACMe contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.5
  • AutoIt attempts to escalate privileges by bypassing User Access Control.13
  • H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).14
  • Downdelph bypasses UAC to escalate privileges by using a custom “RedirectEXE” shim database.15
  • Shamoon attempts to disable UAC remote restrictions by modifying the Registry.16
  • RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.17

Mitigation

Remove users from the local administrator group on systems. Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking.

Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.5

Detection

There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of DLL Injection and unusual loaded DLLs through DLL Search Order Hijacking, which indicate attempts to gain access to higher privileged processes.

References