T1548.002: Bypass User Account Control
| View on MITRE ATT&CK | T1548.002 |
|---|---|
| Tactic(s) | Defense Evasion, Privilege Escalation |
Data from MITRE ATT&CK®:
Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt, or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
- eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
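As an added example (not part of the MITRE text or of this site), the detection logic behind three of the Sigma rules listed further down this page, written in Python and run over constructed Sysmon-style events: a per-user class registration whose shell\open\command is rewritten before an auto-elevating launch, a UAC policy value written to 0, and an unexpected child of eventvwr.exe. Field names follow Sysmon's EID 1 (process create) and EID 13 (registry value set) schema; the event records, SID and file paths are made up.

```python
import re
from typing import Iterable, Optional

# Per-user class registrations (HKCU, shown by Sysmon as HKU\<SID>) whose
# shell\open\command an auto-elevating binary honours at launch.
SHELL_OPEN_RE = re.compile(
    r"^HK(CU|U\\S-1-5-21-[\d-]+)\\Software\\Classes\\[^\\]+\\shell\\open\\command\\"
    r"(\(Default\)|DelegateExecute)$", re.IGNORECASE)
# Policy values that weaken or switch off UAC when written as 0.
UAC_POLICY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\"
    r"(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)$", re.IGNORECASE)
# Children eventvwr.exe is expected to spawn; anything else inherited its token.
EVENTVWR_ALLOWED_CHILDREN = {"mmc.exe", "werfault.exe"}

def classify(event: dict) -> Optional[str]:
    """Return the matching detection name, or None for a benign event."""
    if event.get("EventID") == 13:
        target = event.get("TargetObject", "")
        if SHELL_OPEN_RE.match(target):
            return "Shell Open Registry Keys Manipulation"
        if UAC_POLICY_RE.match(target) and event.get("Details", "").endswith("(0x00000000)"):
            return "Disable UAC Using Registry"
    elif event.get("EventID") == 1:
        parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        child = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        if parent == "eventvwr.exe" and child not in EVENTVWR_ALLOWED_CHILDREN:
            return "Potentially Suspicious Event Viewer Child Process"
    return None

def detect(events: Iterable[dict]) -> list:
    """Run every event through classify() and keep the hits, in input order."""
    return [(name, e) for e in events if (name := classify(e)) is not None]

# Constructed Sysmon-style events (EID 13 = registry set, EID 1 = process create); made up, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "TargetObject": r"HKU\S-1-5-21-11-22-33-1001\Software\Classes\mscfile\shell\open\command\(Default)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe", "Image": r"C:\Windows\System32\mmc.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"[{name}] {ev.get('TargetObject') or ev.get('Image')}")
```

Of the five sample events, the benign Explorer setting and the mmc.exe child produce no hit; the other three each map to one rule name.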
Reporting on this Technique
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Update Software
Perform regular software updates to mitigate exploitation risk.
User Account Control
Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.
How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Windows Registry Key Modification (Windows Registry)
Changes made to a Registry Key and/or Key value (e.g. Windows EID 4657 or Sysmon EID 13|14)
Process Metadata (Process)
Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
WinPwn - UAC Bypass DiskCleanup technique
UACME Bypass Method 61
UACME Bypass Method 33
Bypass UAC by Mocking Trusted Directories
Disable UAC notification via registry keys
Disable UAC using reg.exe
Bypass UAC using Fodhelper
Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
UACME Bypass Method 23
UACME Bypass Method 59
UACME Bypass Method 34
WinPwn - UAC Bypass DccwBypassUAC technique
Bypass UAC using ComputerDefaults (PowerShell)
Bypass UAC using Fodhelper - PowerShell
Bypass UAC using Event Viewer (cmd)
WinPwn - UAC Bypass ccmstp technique
UACME Bypass Method 39
UACME Bypass Method 31
Disable ConsentPromptBehaviorAdmin via registry keys
UAC Bypass with WSReset Registry Modification
Bypass UAC using sdclt DelegateExecute
UACME Bypass Method 56
WinPwn - UAC Magic
Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Bypass UAC using Event Viewer (PowerShell)
Bypass UAC using SilentCleanup task
Sigma Detections for this Technique
Disable UAC Using Registry
TrustedPath UAC Bypass Pattern
UAC Bypass Using .NET Code Profiler on MMC
Bypass UAC Using DelegateExecute
UAC Bypass With Fake DLL
UAC Bypass Abusing Winsat Path Parsing - File
UAC Bypass Using Consent and Comctl32 - File
HackTool - WinPwn Execution
UAC Bypass Tools Using ComputerDefaults
Function Call From Undocumented COM Interface EditionUpgradeManager
Explorer NOUACCHECK Flag
HackTool - UACMe Akagi Execution
UAC Bypass Using PkgMgr and DISM
UAC Bypass Via Wsreset
UAC Bypass Using IEInstal - File
Potentially Suspicious Event Viewer Child Process
UAC Bypass Using Windows Media Player - Process
UAC Bypass Using DismHost
UAC Bypass Using IEInstal - Process
UAC Bypass Using IDiagnostic Profile - File
UAC Bypass via ICMLuaUtil
UAC Bypass Abusing Winsat Path Parsing - Process
UAC Bypass Using Consent and Comctl32 - Process
UAC Bypass Using NTFS Reparse Point - File
HackTool - WinPwn Execution - ScriptBlock
Sdclt Child Processes
UAC Bypass Using IDiagnostic Profile
UAC Bypass Using NTFS Reparse Point - Process
UAC Bypass Using WOW64 Logger DLL Hijack
Always Install Elevated Windows Installer
UAC Bypass Using Windows Media Player - File
Bypass UAC via WSReset.exe
UAC Bypass Abusing Winsat Path Parsing - Registry
UAC Bypass Using MSConfig Token Modification - File
Shell Open Registry Keys Manipulation
UAC Bypass via Sdclt
CMSTP UAC Bypass via COM Object Access
UAC Bypass Using Disk Cleanup
Bypass UAC via CMSTP
UAC Bypass Using ChangePK and SLUI
HackTool - Empire PowerShell UAC Bypass
UAC Bypass Using MSConfig Token Modification - Process
UAC Bypass WSReset
UAC Bypass Using Iscsicpl - ImageLoad
Potential UAC Bypass Via Sdclt.EXE
Always Install Elevated MSI Spawned Cmd And Powershell
Bypass UAC Using SilentCleanup Task
UAC Bypass via Event Viewer
UAC Bypass Using Windows Media Player - Registry
Bypass UAC via Fodhelper.exe
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.