Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1548.002 | Bypass User Account Control |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens cybersecurity defenses by enabling faster, real-time detection of Bypass User Access Control (UAC) attempts. This integrated solution enhances CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.
Bypass User Access Control (UAC) attacks involve adversaries attempting to circumvent security features like UAC, which is designed to prompt users for administrative permissions before allowing potentially risky actions. Attackers commonly exploit UAC weaknesses or misconfigurations to gain higher privileges on a system, enabling them to run malicious code with administrative rights without the user's consent. Intel TDT plays a critical role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling quick detection of abnormal behaviors that indicate attempts to bypass UAC mechanisms.
Additionally, CAMS offloads the resource-intensive memory scanning tasks from the CPU to the Intel Integrated GPU, ensuring faster and more efficient detection of malicious activity while maintaining system performance. CAMS helps identify suspicious actions, such as the manipulation of UAC prompts or unauthorized privilege escalations, which are indicative of attempts to bypass User Access Control mechanisms.
References
|