User Account Control / Uncontrol

User Account Control (UAC) is a security component in Windows operating systems that aims to limit application software to standard user privileges until an administrator authorizes an increase or elevation. However, various methods have been discovered and utilized to bypass UAC, exploiting system features and functionalities. This technical summary provides an overview of several such methods.

• UAC Bypass Using LOLBins (Living Off the Land Binaries) and Other Techniques:
  • Runas: This command-line tool allows users to execute programs with different permissions than the user’s current logon session. It can be manipulated to execute code with elevated privileges without triggering a UAC prompt.
  • Fodhelper.exe: A legitimate Windows binary used to manage optional features, which can be exploited to bypass UAC due to its auto-elevated status.
  • Slui.exe: Another auto-elevated binary that can be used to bypass UAC. It is typically responsible for handling Windows activation issues.
  • SilentCleanup Scheduled Task: This task runs with elevated privileges and can be hijacked to execute malicious code with high privileges.
  • Sdclt.exe IsolatedCommand and App Paths: These methods involve manipulating registry keys associated with sdclt.exe (System Restore) to execute arbitrary commands with elevated privileges.
  • Perfmon.exe: An executable for the Performance Monitor, which can be exploited similarly to other auto-elevated binaries for UAC bypass.

• Exploiting CMSTP for Arbitrary Privilege Elevation in Windows:
  • The Connection Manager Profile Installer (cmstp.exe) can be abused to execute commands with elevated privileges. This executable, when manipulated, can bypass UAC by invoking a COM interface to execute a command string.

• Exploiting Elevated COM Object (IFileOperation) for UAC Bypass in Windows:
  • The IFileOperation COM Interface, typically used for file operations, can be exploited to perform privileged actions without UAC prompts. Malicious DLLs can be injected into processes using this interface to execute code with elevated privileges.

• DLL Side-Loading:
  • This technique involves placing a malicious DLL in a directory from which a legitimate program loads its DLLs. If a high-privileged system program loads the malicious DLL, it can execute code with elevated privileges.

• ConsentUI:
  • ConsentUl.exe is part of the UAC mechanism that handles privilege elevation prompts. Exploiting ConsentU! involves manipulating the way it handles and processes elevation requests.

• RAiLaunchAdminProcess:
  • This function is used internally by Windows to execute processes with administrative privileges. By manipulating the parameters or the environment in which this function is called, it’s possible to bypass UAC.

Views: 0