Attack technique
Technique name: Abuse elevation control mechanism: bypass user account control
MITRE ATT&CK
• Tactic: Privilege Escalation, Defense Evasion
• Technique: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
Technique description
UAC is a built-in security feature in Windows operating systems that helps prevent unauthorized changes to the system by requesting user confirmation or administrative credentials for certain actions. UAC Bypass refers to the techniques employed by adversaries to circumvent the User Account Control (UAC) mechanisms in order to elevate process privileges on a system. In Windows, UAC enables a program to elevate its privileges, which are represented by integrity levels ranging from low to high. This allows the program to perform tasks with administrator-level permissions, typically by prompting the user for confirmation. The impact on the user can vary depending on the UAC configuration. It may involve denying the operation under high enforcement, allowing the user to proceed if they belong to the local administrators group and consent to the prompt, or permitting them to enter an administrator password to complete the action.
Insights from threat intelligence
UAC bypass techniques often exploit vulnerabilities or misconfigurations in Windows, allowing attackers to manipulate processes, registry keys, or file permissions to elevate their privileges. This can grant them unrestricted access to critical system resources, compromise sensitive data, or install persistent malware. UAC bypass attacks are particularly concerning as they can enable lateral movement within a network, escalating the impact of an initial compromise. Organizations must remain vigilant and keep their systems updated with the latest patches and security configurations to mitigate the risk of UAC bypass and regularly monitor for any signs of unauthorized privilege escalation.
Seen in the wild since: 2008
References
Elastic - Exploring Windows UAC bypasses techniques and detection strategies
Hijacking DLLs in Windows
Fileless UAC bypass using eventvwr.exe and registry hijacking
Github
UAC bypass fodhelper
Windows 10 UAC bypass uses apps and features utility
First entry welcome and UAC bypass
Bumblebee zeros in on meterpreter
Threat hunting theses breakdown
Registry Manipulation and Auto-elevated Binaries Execution
Relevant data sources
- EDR Registry Modifications Events
- EDR Process Creation Events
Thesis explanation
Auto-elevated binaries are typically Windows executables (.exe files) that have been specifically identified and whitelisted by Microsoft. When these binaries are launched, they are executed with administrative privileges, granting them the ability to perform tasks that require elevated permissions, such as modifying system settings or accessing protected resources. The auto-elevation feature is designed to enhance the user experience by reducing the number of UAC prompts for trusted applications.
The auto-elevated Lolbins most commonly seen in the wild for UAC bypasses that rely on a payload planted in registry keys are:
- Fodhelper.exe
- Slui.exe
- WSreset.exe
- Eventvwr.exe
The registry keys associated with these executables are either located in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER:
- *Classes\ms-settings\shell\open\command
- *Classes\ms-settings\curver
- *Classes\exefile\shell\open\command
- *Classes\exefile\curver
- *Classes\mscfile\shell\open\command
- *Classes\mscfile\curver
With these artifacts in mind, we look for a registry event on any of the keys listed above, followed by a process creation event for one of the listed Lolbins up to 20 minutes after the registry event (the 20-minute window can be extended if needed).
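The correlation described above, implemented over constructed EDR events as an added example (this is not code from the original page or from the linked hunting queries): a registry modification on one of the listed keys, followed within 20 minutes on the same host by a process creation event for one of the listed Lolbins. The event schema (`type`, `host`, `ts`, `key`, `image`) and the sample events are assumptions made for illustration; the key list, Lolbin list and window come from the thesis.

```python
"""Correlate EDR registry-modification events with a later launch of one of the
auto-elevated LOLBins named in the thesis. Added example, not code from the
original page; the event schema and sample events are constructed for
illustration, and the detection logic follows the thesis as described."""
from datetime import datetime, timedelta

# Key suffixes from the thesis. The leading "*" in the page's list stands for the
# hive and Software prefix (HKEY_LOCAL_MACHINE\Software\ or HKEY_CURRENT_USER\Software\),
# so matching is done on the path tail, case-insensitively.
WATCHED_KEY_SUFFIXES = (
    r"classes\ms-settings\shell\open\command",
    r"classes\ms-settings\curver",
    r"classes\exefile\shell\open\command",
    r"classes\exefile\curver",
    r"classes\mscfile\shell\open\command",
    r"classes\mscfile\curver",
)
AUTO_ELEVATED_LOLBINS = {"fodhelper.exe", "slui.exe", "wsreset.exe", "eventvwr.exe"}
WINDOW = timedelta(minutes=20)  # the thesis window; extend if the hunt needs it


def is_watched_key(key_path):
    """True if the registry path ends in one of the watched suffixes."""
    tail = key_path.lower().rstrip("\\")
    return any(tail.endswith(s) for s in WATCHED_KEY_SUFFIXES)


def is_lolbin(image_path):
    """True if the process image is one of the auto-elevated LOLBins."""
    return image_path.lower().rsplit("\\", 1)[-1] in AUTO_ELEVATED_LOLBINS


def correlate(events, window=WINDOW):
    """Return (registry_event, process_event) pairs where, on the same host, a
    watched LOLBin starts between 0 and `window` after a watched key is written."""
    reg = [e for e in events if e["type"] == "registry" and is_watched_key(e["key"])]
    procs = [e for e in events if e["type"] == "process" and is_lolbin(e["image"])]
    hits = []
    for r in reg:
        for p in procs:
            if p["host"] != r["host"]:
                continue
            delta = p["ts"] - r["ts"]
            if timedelta(0) <= delta <= window:  # registry write first, then the launch
                hits.append((r, p))
    return hits


def sample_events():
    """Constructed EDR events: one true positive and three near-misses."""
    t = datetime.fromisoformat
    return [
        # Host A: watched key written by powershell.exe, fodhelper.exe 3 minutes later -> hit
        {"type": "registry", "host": "A", "ts": t("2024-05-01T10:00:00"), "process": "powershell.exe",
         "key": r"HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command"},
        {"type": "process", "host": "A", "ts": t("2024-05-01T10:03:00"),
         "image": r"C:\Windows\System32\fodhelper.exe"},
        # Host A: eventvwr.exe 57 minutes after the write -> outside the 20-minute window
        {"type": "process", "host": "A", "ts": t("2024-05-01T10:57:00"),
         "image": r"C:\Windows\System32\eventvwr.exe"},
        # Host B: slui.exe started BEFORE the key was written -> wrong order
        {"type": "process", "host": "B", "ts": t("2024-05-01T11:58:00"),
         "image": r"C:\Windows\System32\slui.exe"},
        {"type": "registry", "host": "B", "ts": t("2024-05-01T12:00:00"), "process": "cmd.exe",
         "key": r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command"},
        # Host C: unrelated key, then wsreset.exe -> key not watched
        {"type": "registry", "host": "C", "ts": t("2024-05-01T13:00:00"), "process": "reg.exe",
         "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"},
        {"type": "process", "host": "C", "ts": t("2024-05-01T13:02:00"),
         "image": r"C:\Windows\System32\WSReset.exe"},
    ]


if __name__ == "__main__":
    for r, p in correlate(sample_events()):
        print(f"[{r['host']}] {r['process']} wrote {r['key']} at {r['ts']:%H:%M}; "
              f"{p['image']} started at {p['ts']:%H:%M}")
```

The registry write is the stronger of the two signals: a launch of fodhelper.exe or eventvwr.exe on its own is routine, while a write under HKCU\Software\Classes\ms-settings or mscfile has almost no legitimate cause, so when tuning, keep the key match strict and adjust only the window.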
Blind spots
- The thesis only covers UAC bypassing attempts that are using Registry key manipulations and is limited to the Lolbins and keys as presented above. That leaves behind attempts that utilize other methods such as elevated COM interfaces, DLL sideload hijacking, and many more.
- The thesis does not cover UAC bypass attempts in which the time difference between the registry event and the process creation event is more than 20 minutes.
- The thesis is currently limited to 6 registry key formats, covering 3 classes (ms-settings, exefile, mscfile).
- It is possible that throughout time, UAC bypass techniques will evolve and will involve other registry keys in different formats. These will not be covered by this particular detection.
Recommended investigation flow
Within the scope of registry key manipulation techniques for UAC bypasses, the investigation flow relies heavily on the 2 events that were flagged as suspicious.
As elaborated in the Thesis explanation section, we focus on 2 events that occur within 20 minutes of each other:
- Modified Registry Key
  - What process initiated this event?
  - What is the payload that was planted for execution by the Lolbin?
  - Is it obfuscated?
  - Does it execute a suspicious executable?
- Execution of a Lolbin
  - Are there any suspicious activities that were spawned from the Lolbin?
    - Child processes
    - Network activities
    - File events
    - Registry modifications
    - Services initiation or registration
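The investigation checklist above, turned into triage helpers as an added example (not code from the original page): inspect the command planted in the hijacked key, flag common obfuscation signs, and walk the Lolbin's child-process tree together with the network, file and registry activity those processes generated. The event schema, the sample telemetry, the `triage` function and the obfuscation heuristics are all constructed assumptions for illustration.

```python
"""Triage helpers for the investigation flow: what was planted, is it obfuscated,
what did the LOLBin spawn and what did those processes do. Added example, not
code from the original page; event schema, sample events and heuristics are
constructed for illustration."""
import base64
import re

# Obfuscation heuristics (general examples, not a list taken from the page).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def analyze_payload(command):
    """Answer the 'what was planted / is it obfuscated / what does it run' questions."""
    low = command.lower()
    result = {"indicators": [], "decoded": None}
    result["indicators"] += [f"script host: {h}" for h in SCRIPT_HOSTS if h in low]
    m = ENCODED_ARG.search(command)
    if m:
        result["indicators"].append("encoded PowerShell argument")
        try:  # -EncodedCommand carries base64 of UTF-16LE text
            result["decoded"] = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass
    elif BASE64_RUN.search(command):
        result["indicators"].append("long base64-like token")
    if re.search(r"[\^`]", command):
        result["indicators"].append("caret/backtick insertion")
    if any(p in low for p in USER_WRITABLE):
        result["indicators"].append("path in user-writable location")
    return result


def descendants(events, host, root_pid):
    """Process-creation events for every descendant of root_pid on host.
    Keyed on PID for brevity; a real EDR pivot should use process GUIDs."""
    by_parent = {}
    for e in events:
        if e["type"] == "process" and e["host"] == host:
            by_parent.setdefault(e["ppid"], []).append(e)
    found, stack = [], list(by_parent.get(root_pid, []))
    while stack:
        e = stack.pop()
        found.append(e)
        stack.extend(by_parent.get(e["pid"], []))
    return found


def activity_summary(events, host, pids):
    """Count network, file, registry and service events produced by the given PIDs."""
    counts = {}
    for e in events:
        if e["host"] == host and e["type"] != "process" and e["pid"] in pids:
            counts[e["type"]] = counts.get(e["type"], 0) + 1
    return counts


def triage(events, host, lolbin_pid, planted_command):
    """Bundle the three checks for one suspected (registry write, LOLBin) pair."""
    kids = descendants(events, host, lolbin_pid)
    pids = {lolbin_pid} | {e["pid"] for e in kids}
    return {
        "payload": analyze_payload(planted_command),
        "children": [e["image"].rsplit("\\", 1)[-1] for e in kids],
        "activity": activity_summary(events, host, pids),
    }


# Constructed sample: a harmless encoded command standing in for the planted payload.
SAMPLE_ENCODED = base64.b64encode("Write-Host demo".encode("utf-16-le")).decode()
SAMPLE_PAYLOAD = f"powershell.exe -NoProfile -WindowStyle Hidden -enc {SAMPLE_ENCODED}"


def sample_events():
    """Constructed host telemetry: fodhelper.exe (pid 4000) spawning the planted command."""
    h = "WS-01"
    return [
        {"type": "process", "host": h, "pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe"},
        {"type": "process", "host": h, "pid": 4000, "ppid": 1000, "image": r"C:\Windows\System32\fodhelper.exe"},
        {"type": "process", "host": h, "pid": 4100, "ppid": 4000,
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
        {"type": "process", "host": h, "pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
        {"type": "process", "host": h, "pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe"},
        {"type": "network", "host": h, "pid": 4100, "dest": "203.0.113.10:443"},
        {"type": "file", "host": h, "pid": 4200, "path": r"C:\Users\Public\update.dat"},
        {"type": "registry", "host": h, "pid": 4200, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
        {"type": "network", "host": h, "pid": 5000, "dest": "192.0.2.5:80"},  # unrelated process
    ]


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(sample_events(), "WS-01", 4000, SAMPLE_PAYLOAD))
```

Run against the sample, the triage shows the payload is an encoded PowerShell command, that fodhelper.exe spawned powershell.exe and then cmd.exe, and that those two processes produced one network, one file and one registry event; the unrelated notepad.exe activity is not attributed to the tree.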
Hunting queries
https://gist.github.com/axon-git/b1588412f3228b4f68085952a317ec8d