UAC Bypass

User Account Control (UAC) is a crucial security feature in Windows operating systems designed to prevent unauthorized changes by requiring administrative approval for certain tasks. Despite its security benefits, attackers have developed various methods to bypass UAC, enabling them to execute malicious code with elevated privileges without user consent.

Techniques

Auto-Elevating Binaries

Certain Windows binaries are designed to auto-elevate, meaning they run with administrative privileges without prompting the user. Attackers exploit these binaries by tricking them into executing malicious code. For example, sdclt.exe, fodhelper.exe, and other system binaries can be manipulated. By modifying environment variables, registry keys, or command-line arguments, attackers can hijack these auto-elevating binaries to execute their payloads. One common method involves creating a registry key at HKCU\Software\Classes\ms-settings\shell\open\command and setting its default value to the path of a malicious executable. When fodhelper.exe is executed, it reads the registry key and runs the attacker’s code with elevated privileges.

DLL Hijacking

DLL hijacking involves attackers exploiting the way Windows loads Dynamic Link Libraries (DLLs) by placing a malicious DLL in a location where an auto-elevating binary or a high-privileged process will load it instead of the legitimate DLL. For instance, with SystemPropertiesAdvanced.exe, an attacker can place a malicious srrstr.dll in the WindowsApps folder. When SystemPropertiesAdvanced.exe runs, it loads the attacker’s DLL with elevated privileges, allowing the attacker to execute arbitrary code.

Fileless UAC Bypass

Fileless methods avoid writing executable files to disk, thereby reducing the chance of detection by antivirus software. These methods often involve manipulating registry keys or using built-in Windows tools. For example, attackers can create a registry key HKCU\Software\Classes\mscfile\shell\open\command and set it to execute a command. When eventvwr.exe is executed, it runs the command from the registry key with elevated privileges, effectively bypassing UAC without leaving a trace on the file system.

Environment Variable Manipulation

Certain environment variables can influence the behavior of elevated processes. Attackers can set these variables to control how these processes execute code. For example, by setting environment variables such as COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH to load a malicious DLL, an auto-elevating .NET application can be tricked into loading the DLL and executing the malicious code with elevated privileges. This method exploits the .NET Framework's loading mechanisms to achieve UAC bypass.

Exploiting Scheduled Tasks

The Windows Task Scheduler allows tasks to run with elevated privileges. Attackers can create or manipulate scheduled tasks to execute their payloads. One technique involves the SilentCleanup task, which runs with elevated privileges when triggered by a standard user. Attackers exploit this by placing a malicious executable in a location accessed by SilentCleanup, leading to the execution of the payload with elevated privileges. This method takes advantage of the elevated execution context of scheduled tasks.

COM Interface Abuse

Certain Component Object Model (COM) interfaces allow processes to be created with elevated privileges without triggering UAC prompts. Attackers manipulate these interfaces to execute their payloads. For example, using the IFileOperation COM object, attackers can perform file operations with elevated privileges without a UAC prompt. This method involves creating a COM object and invoking methods to execute code with elevated privileges, bypassing standard UAC controls.

Token Manipulation

Attackers can manipulate access tokens to impersonate elevated users or processes, thereby bypassing UAC prompts. One method involves duplicating the token of an elevated process, setting its integrity level to medium, and using it to spawn a new process with administrative privileges. By manipulating tokens, attackers can gain elevated privileges without user consent, exploiting the way Windows handles process tokens and their associated privileges.

Shimming

The Windows Application Compatibility Framework (Shim Engine) allows for the application of compatibility fixes (shims) that can include executing arbitrary code with elevated privileges. Attackers can create custom shim databases that include a fix to run a malicious executable. The shim is applied to an application, causing the executable to run with elevated privileges. This method exploits the design of the Shim Engine to achieve UAC bypass and execute malicious code with elevated permissions.

Indicators of Compromise

Unusual Changes in Registry Keys

One of the primary indicators of a UAC bypass attempt is unexpected changes in registry keys, especially those associated with auto-elevating binaries and environment variables. Regular audits and real-time monitoring of these registry paths can help detect unauthorized modifications indicative of UAC bypass techniques. Key locations to monitor include:

HKCU\Software\Classes\ms-settings\shell\open\command
HKCU\Software\Classes\mscfile\shell\open\command
HKCU\Environment
HKCU\Software\Classes\exefile\shell\runas\command\isolatedCommand 

Creation of Suspicious Scheduled Tasks

Scheduled tasks that are created or modified without clear justification can be a sign of UAC bypass. Specifically, tasks configured to run with elevated privileges, such as the SilentCleanup task, should be closely monitored. Look for new tasks created in the Task Scheduler that do not correspond to legitimate administrative operations or software installations.

Unexpected Executions of Known Auto-Elevating Binaries

Auto-elevating binaries such as sdclt.exe, fodhelper.exe, eventvwr.exe, SystemPropertiesAdvanced.exe, and other similar executables should be monitored for unexpected executions. The sudden invocation of these binaries, especially if triggered by non-administrative processes, can indicate an attempt to exploit their auto-elevate capabilities to bypass UAC.

Unusual Process Relationships

Examine process trees for abnormal parent-child relationships, such as a low-privilege process spawning a high-privilege process. Tools like Process Monitor and Process Explorer can be useful in identifying these unusual relationships. For example, if a standard user process spawns cmd.exe or powershell.exe with elevated privileges, it is a strong indicator of a UAC bypass.

Changes in Environment Variables

Monitor environment variables, especially those related to the .NET profiling settings (COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH). Any changes to these variables should be investigated, particularly if they point to non-standard or suspicious DLL paths. Such changes are often used to exploit .NET auto-elevating applications to load malicious profilers.

Execution of Unsigned or Unexpected DLLs

The presence and execution of unsigned or unexpected DLLs in directories typically reserved for system or trusted binaries can be a red flag. For example, DLLs appearing in C:\Windows\System32, C:\Program Files, or WindowsApps that are not signed by trusted entities should be scrutinized. This is indicative of DLL hijacking attempts to exploit auto-elevating binaries.

Anomalous Network Connections and File Transfers

Detecting unusual network connections, especially if they involve transferring or loading DLLs from remote locations, can be indicative of a UAC bypass attempt. Fileless UAC bypass techniques might involve loading malicious components from network shares or over the internet. Monitoring for such network activity can help identify potential bypass attempts.

Use of High-Integrity Tokens by Standard Users

Identify instances where standard user accounts are found to be using high-integrity tokens. This can be indicative of token manipulation techniques. Tools that audit and log token usage and integrity levels across processes can highlight suspicious elevation of privileges.

Modifications in Shim Databases

Modifications to the Application Compatibility Shim databases (sdb files) or the creation of new custom shims should be closely monitored. Unauthorized changes in these databases can be a sign of attackers attempting to exploit shim mechanisms to achieve elevated execution of malicious code.

Unusual Activity in Log Files

Review log files from various Windows security tools and event logs for anomalies. This includes the Security, Application, and System logs, which might contain entries about unexpected privilege elevations, new process creations with administrative rights, or changes to registry keys. Consistent review of these logs can uncover patterns that indicate a UAC bypass attempt.

High Number of UAC Prompts or Elevations

A sudden increase in UAC prompts or administrative elevations could indicate repeated attempts to bypass UAC. While not every prompt is malicious, an unusual spike in frequency, especially from processes or applications that do not typically require elevation, warrants further investigation.

Preventing UAC Bypass

Enforce Strict Parent-Process Verification

To enhance security, the operating system should verify the parent process of a whitelisted executable. When a whitelisted executable is set to auto-elevate, the system should ensure that its parent process is a legitimate Windows executable. If the parent process is a third-party program instead of a Windows executable, the auto-elevation procedure should be aborted. This step would prevent unauthorized applications from exploiting auto-elevating processes to gain elevated privileges.

Restrict DLL Module Loading

One of the key vulnerabilities in the UAC mechanism is that it allows elevated processes to load untrusted DLL modules. The operating system should prevent auto-elevated processes from loading DLLs that lack a valid signature or are stored outside secure directories. By enforcing strict checks on the DLL’s signature and file path, the system can abort the elevation process if any untrusted modules are detected, thereby mitigating the risk of DLL hijacking.

Redesign Privilege Inheritance

The current design of privilege inheritance allows a whitelisted process to create child processes with administrative privileges, even if the child process is not a Windows executable. To prevent this, the operating system should be redesigned so that if a child process created by a whitelisted executable is not a Windows executable, it should be granted only standard user rights instead of administrator privileges. This would limit the impact of any unauthorized child processes initiated by whitelisted executables.

Disable Auto-Elevate Property for Vulnerable COM Objects

COM objects with the auto-elevate property pose a significant risk as they can be exploited to bypass UAC. Disabling the auto-elevate property for these objects in the registry is a critical step. Administrators should review and modify the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList to disable auto-elevation for known vulnerable COM objects, thus preventing their exploitation.

Monitor and Audit Changes to UAC-Related Registry Keys

Regularly monitoring and auditing changes to registry keys associated with UAC can help detect and prevent unauthorized modifications that could lead to a UAC bypass. Key registry paths to monitor include HKCU\Software\Classes, HKCU\Environment, and any entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC. Implementing real-time alerts for changes in these paths can help identify potential attacks early.

Implement and Enforce Code Signing Policies

Enforcing strict code signing policies for all executables and DLLs is essential. By ensuring that only signed and trusted code can execute, the risk of malicious code being run with elevated privileges is significantly reduced. Administrators should configure the system to reject any unsigned code from being executed, particularly in sensitive directories like System32 and Program Files.

Use Non-Administrator Accounts for Daily Tasks

Encouraging users to operate under non-administrator accounts for daily activities can reduce the risk of UAC bypasses. Administrator accounts should be used only when necessary and for tasks that explicitly require elevated privileges. This practice limits the exposure of elevated privileges to potential exploitation.

Configure UAC to "Always Notify"

Setting UAC to "Always Notify" ensures that users are prompted for confirmation before any process is granted elevated privileges, including those that might otherwise auto-elevate silently. This configuration provides an additional layer of security by requiring user interaction for all elevation attempts, thereby preventing automatic bypasses.

Regularly Update and Patch Systems

Keeping the operating system and all software up to date with the latest patches and updates is crucial. Many UAC bypass vulnerabilities are addressed through security updates. Ensuring that all systems are regularly patched reduces the risk of known vulnerabilities being exploited.