Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020. Learn more about the versioning system or see the live site.
Register to stream the next session of ATT&CKcon Power Hour November 12

Abuse Elevation Control Mechanism: Bypass User Access Control

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. [1]

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. [2] [3] An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.[4]

Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods[5] that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:

  • eventvwr.exe can auto-elevate and execute a specified binary or script.[6][7]

Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.[8]

ID: T1548.002
Sub-technique of:  T1548
Tactics: Privilege Escalation, Defense Evasion
Platforms: Windows
Permissions Required: Administrator, User
Effective Permissions: Administrator
Data Sources: Process command-line parameters, Process monitoring, Windows Registry
Defense Bypassed: Windows User Account Control
Contributors: Casey Smith; Stefan Kanthak
Version: 1.0
Created: 30 January 2020
Last Modified: 25 June 2020

Procedure Examples

Name Description
APT29

APT29 has bypassed UAC.[33]

APT37

APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.[38]

AutoIt backdoor

AutoIt backdoor attempts to escalate privileges by bypassing User Access Control.[17]

BlackEnergy

BlackEnergy attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.[18]

BRONZE BUTLER

BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.[31][32]

Cobalt Group

Cobalt Group has bypassed UAC.[34]

Cobalt Strike

Cobalt Strike can use a number of known techniques to bypass Windows UAC.[10]

Downdelph

Downdelph bypasses UAC to escalate privileges by using a custom "RedirectEXE" shim database.[16]

Empire

Empire includes various modules to attempt to bypass UAC for escalation of privileges.[13]

FinFisher

FinFisher performs UAC bypass.[22][23]

H1N1

H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).[25]

Honeybee

Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.[30]

InvisiMole

InvisiMole can bypass UAC and create an elevated COM object to escalate privileges.[20]

Koadic

Koadic has 2 methods for elevating integrity. It can bypass UAC through eventvwr.exe and sdclt.exe.[12]

KONNI

KONNI bypassed UAC with the "AlwaysNotify" settings.[27]

MuddyWater

MuddyWater uses various techniques to bypass UAC.[35]

Patchwork

Patchwork bypassed User Access Control (UAC).[37]

PLAINTEE

An older variant of PLAINTEE performs UAC bypass.[19]

PoshC2

PoshC2 can utilize multiple methods to bypass UAC.[14]

Pupy

Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.[9]

Ramsay

Ramsay can use UACMe for privilege escalation.[29]

Remcos

Remcos has a command for UAC bypassing.[11]

RTM

RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.[24]

Sakula

Sakula contains UAC bypass code for both 32- and 64-bit systems.[26]

Shamoon

Shamoon attempts to disable UAC remote restrictions by modifying the Registry.[15]

ShimRat

ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Access Control window from appearing.[28]

Threat Group-3390

A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.[36]

UACMe

UACMe contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[5]

ZeroT

Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.[21]

Mitigations

Mitigation Description
Audit

Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.[5]

Privileged Account Management

Remove users from the local administrator group on systems.

Update Software

Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.[5]

User Account Control

Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking.

Detection

There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of Process Injection and unusual loaded DLLs through DLL Search Order Hijacking, which indicate attempts to gain access to higher privileged processes.

Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:

  • The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key.[6]

  • The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.[39][40]

Analysts should monitor these Registry settings for unauthorized changes.

References

  1. Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.
  2. Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.
  3. Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.
  4. Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.
  5. UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
  6. Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.
  7. Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.
  8. Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.
  9. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  10. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  11. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  12. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  13. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  14. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  15. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  16. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  17. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  18. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  19. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  20. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  1. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  2. FinFisher. (n.d.). Retrieved December 20, 2017.
  3. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  4. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  5. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  6. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  7. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  8. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  9. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  10. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  11. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  12. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  13. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  14. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  15. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  16. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  17. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  18. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  19. Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.
  20. Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.