Description
Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement, to allowing the user to perform the action if they are in the local administrators group and click through the prompt, to allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
Many methods have been discovered to bypass UAC. The GitHub README page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but it may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered, and some are used in the wild, such as:
* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known: UAC is a single-system security mechanism, so the privilege or integrity level of a process running on one system is unknown to remote systems and defaults to high integrity there.(Citation: SANS UAC Bypass)
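As an added detection example (not part of the ATT&CK page) for the auto-elevation behaviour described above: a heuristic over constructed process-creation telemetry that flags High-integrity children spawned by the auto-elevating binaries this page names (eventvwr.exe, fodhelper.exe, sdclt.exe). The record field names, the interpreter list and the sample events are assumptions, not a real telemetry schema.

```python
"""Detection heuristic for UAC bypass via auto-elevating binaries, run over
constructed Sysmon-style process-creation records (field names are assumptions).
A High-integrity child of an auto-elevating parent named on the page is flagged
when it is a script/command interpreter or runs from outside System32."""
from dataclasses import dataclass

# Auto-elevating Windows binaries this page names as abused for UAC bypass.
AUTO_ELEVATE_PARENTS = {"eventvwr.exe", "fodhelper.exe", "sdclt.exe"}
# Interpreters an auto-elevating parent has no routine reason to spawn
# (constructed list for the heuristic; rundll32.exe is also named on the page).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

@dataclass
class ProcessEvent:
    parent_image: str     # full path of the parent process image
    image: str            # full path of the new process image
    integrity_level: str  # "Low", "Medium", "High" or "System"
    command_line: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious(ev: ProcessEvent) -> bool:
    """Only High-integrity children count: a Medium-integrity child means the
    parent did not auto-elevate (e.g. UAC at its highest level), so no bypass."""
    if _basename(ev.parent_image) not in AUTO_ELEVATE_PARENTS:
        return False
    if ev.integrity_level.lower() != "high":
        return False
    outside_system32 = not ev.image.lower().replace("/", "\\").startswith(SYSTEM32)
    return _basename(ev.image) in INTERPRETERS or outside_system32

def find_bypass_candidates(events: list[ProcessEvent]) -> list[str]:
    """One-line finding per event matching the heuristic."""
    return [f"{_basename(e.parent_image)} -> {_basename(e.image)} [{e.integrity_level}]"
            for e in events if is_suspicious(e)]

# Constructed sample telemetry: one benign launch, two bypass-shaped launches.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\eventvwr.exe", r"C:\Windows\System32\mmc.exe",
                 "High", r'"C:\Windows\System32\mmc.exe" eventvwr.msc'),
    ProcessEvent(r"C:\Windows\System32\eventvwr.exe", r"C:\Windows\System32\cmd.exe",
                 "High", r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\upd.bat"),
    ProcessEvent(r"C:\Windows\System32\fodhelper.exe",
                 r"C:\Users\alice\AppData\Local\Temp\stage.exe", "High",
                 r"C:\Users\alice\AppData\Local\Temp\stage.exe"),
]
```

Running `find_bypass_candidates(SAMPLE_EVENTS)` returns two findings; the benign eventvwr.exe -> mmc.exe launch is not flagged because mmc.exe lives in System32 and is not an interpreter.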
Mitigations (4)
Update Software (M1051)
Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.(Citation: Github UACMe)
Audit (M1047)
Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.(Citation: Github UACMe)
User Account Control (M1052)
Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL.
Privileged Account Management (M1026)
Remove users from the local administrator group on systems.
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used the legitimate application `ieinstal.exe` to bypass UAC.(Citation: 1 - appv) |
| G0120 | Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) has used PowerShell to bypass UAC.(Citation: ESET EvilNum July 2020) |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with h... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.(Citation: ... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) uses various techniques to bypass UAC.(Citation: ClearSky MuddyWater Nov 2018)(Citation: NaumaanPr... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has bypassed UAC.(Citation: Group IB Cobalt Aug 2017) |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has used the Fodhelper UAC bypass technique to gain elevated privileges.(Citation: TrendMicro Ear... |
| G0027 | Threat Group-3390 | A [Threat Group-3390](https://attack.mitre.org/groups/G0027) tool can use a public UAC bypass method to elevate privileges.(Citation: Nccgroup Emissar... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) bypassed User Access Control (UAC).(Citation: Cymmetria Patchwork) |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has attempted to bypass UAC using Component Object Model (COM) interface.(Citation: Intel471 Med... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has bypassed UAC.(Citation: Mandiant No Easy Breach) |
Associated Software (51)
| ID | Name | Type | Context |
|---|---|---|---|
| S0089 | BlackEnergy | Malware | [BlackEnergy](https://attack.mitre.org/software/S0089) attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatib... |
| S0148 | RTM | Malware | [RTM](https://attack.mitre.org/software/S0148) can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass pro... |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can bypass UAC to execute code with elevated privileges through an elevated Component Object Mo... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can use a number of known techniques to bypass Windows UAC.(Citation: cobaltstrike manual)(Ci... |
| S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) can bypass UAC to elevate process privileges on a compromised host.(Citation: ESET Gelsemium June... |
| S0230 | ZeroT | Malware | Many [ZeroT](https://attack.mitre.org/software/S0230) samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.(Citation: Proo... |
| S1018 | Saint Bot | Malware | [Saint Bot](https://attack.mitre.org/software/S1018) has attempted to bypass UAC using `fodhelper.exe` to escalate privileges.(Citation: Palo Alto Uni... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) uses two distinct User Account Control (UAC) bypass techniques to escalate privileges.(Citation: E... |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) can use `sdclt.exe` to bypass UAC in Windows 10 to escalate privileges; for older Windows versio... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.(Citation: GitHub Pupy) |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) can utilize multiple methods to bypass UAC.(Citation: GitHub PoshC2) |
| S0356 | KONNI | Malware | [KONNI](https://attack.mitre.org/software/S0356) has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypa... |
| S0074 | Sakula | Malware | [Sakula](https://attack.mitre.org/software/S0074) contains UAC bypass code for both 32- and 64-bit systems.(Citation: Dell Sakula) |
| S0444 | ShimRat | Malware | [ShimRat](https://attack.mitre.org/software/S0444) has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Ac... |
| S1068 | BlackCat | Malware | [BlackCat](https://attack.mitre.org/software/S1068) can bypass UAC to escalate privileges.(Citation: Microsoft BlackCat Jun 2022) |
| S1199 | LockBit 2.0 | Malware | [LockBit 2.0](https://attack.mitre.org/software/S1199) can bypass UAC through creating the Registry key `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Micr... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can bypass standard user access controls by using stolen tokens to launch processes at an elevated se... |
| S0129 | AutoIt backdoor | Malware | [AutoIt backdoor](https://attack.mitre.org/software/S0129) attempts to escalate privileges by bypassing User Access Control.(Citation: Forcepoint Mons... |
| S0182 | FinFisher | Malware | [FinFisher](https://attack.mitre.org/software/S0182) performs UAC bypass.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
| S0606 | Bad Rabbit | Malware | [Bad Rabbit](https://attack.mitre.org/software/S0606) has attempted to bypass UAC and gain elevated administrative privileges.(Citation: Secure List B... |
References
- Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.
- Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.
- Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.
- Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.
- Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.
- Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.
- Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.
- UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
Frequently Asked Questions
What is T1548.002 (Bypass User Account Control)?
T1548.002 is a MITRE ATT&CK technique named 'Bypass User Account Control'. It belongs to the Privilege Escalation tactic(s). Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from l...
How can T1548.002 be detected?
Detection of T1548.002 (Bypass User Account Control) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1548.002?
There are 4 documented mitigations for T1548.002. Key mitigations include: Update Software, Audit, User Account Control, Privileged Account Management.
Which threat groups use T1548.002?
Known threat groups using T1548.002 include: APT38, Evilnum, APT37, BRONZE BUTLER, MuddyWater, Cobalt Group, Earth Lusca, Threat Group-3390.