Bypass User Account Control

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact of the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. An example of this is of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.

Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional methods are regularly discovered and some used in the wild, such as:

· Eventvwr.exe can auto-elevate and execute a specified binary or script.

Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.

Examples:

In the first example, why not DisableUAC for its entirety??. We can do this by changing the EnableUA Key and we won't receive prompts no more on anything that is executed with high privileges!!.

Warning: This will need Administrator Permissions. And this will prompt the user a warning that UAC will need a restart to turn it off

Once we apply the key we can simply restart the target machine and have it disabled

And that's it anytime we execute a payload or anything that enables a prompt it won't use UAC it will simply execute. But this is a very noticeable feature, just demonstrating as it is very simple to use.

Let's try another attack

Fodhelper the great about this one is that we can work with User privileges and have it execute our payload. In this example I will have it execute cmd with Administrator Privileges

Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened.