Exploring Windows UAC bypasses: Techniques and detection strategies


Malware often requires full administrative privileges on a machine to perform more impactful actions such as adding an antivirus exclusion, encrypting secured files, or injecting code into interesting system processes. By @sbousseaden.

Even if the targeted user has administrative privileges, the prevalence of User Account Control (UAC) means that the malicious application will often default to Medium Integrity, preventing write access to resources with higher integrity levels. To bypass this restriction, an attacker will need a way to elevate integrity level silently and with no user interaction (no UAC prompt). This technique is known as a User Account Control bypass and relies on a variety of primitives and conditions, the majority of which are based on piggybacking elevated Windows features.

The article then does a good job of explaining:

  • UAC Bypass methods
  • Registry Key manipulation
  • DLL hijack
  • Elevated COM interface
  • Token security attributes
  • Most common UAC bypasses

Designing detections by focusing on key building blocks of an offensive technique is much more cost-effective than trying to cover the endless variety of implementations and potential evasion tunings. In this post, we covered the main methods used for UAC bypass and how to detect them as well as how enriching process execution events with token security attributes enabled us to create a broader detection logic that may match unknown bypasses. In the article you will also find links to further reading. Good one!
