T1548.002: Bypass User Account Control
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.
Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
eventvwr.exe
can auto-elevate and execute a specified binary or script.
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_privilege_escalation: PT-CR-843: AutoElevate_UAC_Bypass: A child process of the AutoElevate utility is run to bypass User Account Control (UAC). UAC allows a program to escalate privileges to perform a task with administrator-level permissions, possibly prompting the user for confirmation.
mitre_attck_privilege_escalation: PT-CR-844: DelegateExecute_UAC_Bypass: A user escalated privileges using one of the system utilities, the manifests of which contain the "autoElevate" element that allows for the privilege escalation without a prompt from User Account Control (UAC). To obtain a local administrator token with a high integrity level, attackers create the "DelegateExecute" key in the registry and add the payload to the "(Default)" key of the same branch. Then they start a system utility that accesses the "(Default)" key and always runs with a high integrity level, which allows attackers to execute the added payload with the highest permission level. For these purposes, system utilities fodhelper.exe and ComputerDefaults.exe are usually used.
mitre_attck_privilege_escalation: PT-CR-854: RPC_Abuse_UAC_Bypass: UAC is bypassed by exploiting an RPC vulnerability
mitre_attck_privilege_escalation: PT-CR-856: Subrule_AutoElevate_Process_Run: A process for which the AutoElevate flag has been set is run
mitre_attck_privilege_escalation: PT-CR-858: Subrule_Full_Elevation_Token_Steal: The High Integrity token of another process is used
hacking_tools: PT-CR-753: Cobalt_Strike_RunAs_Escalate: Execution of RunAS using Cobalt Strike for privilege escalation is detected
mitre_attck_privilege_escalation: PT-CR-1853: Byeintegrity_UAC_Bypass: An escalated process was run bypassing UAC via the MMC WF snap-in
mitre_attck_privilege_escalation: PT-CR-1910: Subrule_AutoElevate_Process_Parent_Run: A process is running through an intermediary process, for which the AutoElevate flag is set
mitre_attck_privilege_escalation: PT-CR-1931: ICMLuaUtil_UAC_Bypass: An escalated process was run bypassing UAC via the ICMLuaUtil COM interface
active_directory_attacks: PT-CR-838: ShadowCred_Used: The use of the msds-keycredentiallink attribute to authorize a machine account in a domain without using a password was detected. This is a sign of using KrbRelayUp to locally elevate privileges using Shadow Credentials. An attacker can use this to obtain the credentials of other users and horizontally move to other infrastructure nodes
Detection
ID | DS0024 | Data source and component | Windows Registry: Windows Registry Key Modification | Description | Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:
UAC Bypass is an interesting technique in that new implementations are regularly found and existing implementations may be fixed (i.e., patched) by Microsoft in new builds of Windows. Therefore, it is important to validate than detections for UAC Bypass are still relevant (i.e., they target non-patched implementations). Note: Sysmon Event ID 12 (Registry Key Create/Delete), Sysmon Event ID 13 (Registry Value Set), and Sysmon Event ID 14 (Registry Key and Value Rename) are useful for creating detections around Registry Key Modification in the context of UAC Bypass. |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments that may bypass UAC mechanisms to elevate process privileges on system. |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor newly executed processes, such as Threat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using “reg.exe”, a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system. Analytic 1 - UAC Bypass
Analytic 2 - Disable UAC
|
---|
ID | DS0009 | Data source and component | Process: Process Metadata | Description | Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may bypass UAC mechanisms to elevate process privileges on system. |
---|
Mitigation
ID | M1051 | Name | Update Software | Description | Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass. |
---|
ID | M1047 | Name | Audit | Description | Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate. |
---|
ID | M1052 | Name | User Account Control | Description | Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking. |
---|
ID | M1026 | Name | Privileged Account Management | Description | Remove users from the local administrator group on systems. |
---|