In this article series, we will look at the UAC feature and learn (or refresh our memory) about well-known UAC bypass techniques. Although researchers have discovered many techniques over the years, we are going to investigate those that malware authors have used most often. In this part, we will cover the basics of UAC, elevated privileges, and the auto-elevate feature (for executables, mmc.exe and COM objects).
What is UAC?
User Account Control (UAC) was introduced in Windows Vista to inform users before any system-level change is made to the system. In other words, no system-level change can happen without user consent, and the user must also have sufficient rights to perform that action. How good would that be if it could not be bypassed? Well, researchers have over the years devised many techniques that take this feature out of the picture. The feature protects administrators by showing them a consent prompt whenever some system-level change is requested, whereas standard users must supply admin credentials to elevate themselves and perform such an action. The elevation prompt appears on the Secure Desktop (the default in Vista and in Windows 7), which halts any background tasks while the prompt is shown. Below are the settings in Windows 7; these continue to feature in Windows 10 as well.
Below are the main benefits of UAC, to give an idea of what is lost when the feature is bypassed.
- It gives more control over user actions that require elevated privileges on the system.
- It reduces the number of programs running with elevated privileges, thus inherently preventing unknown modifications to the underlying system.
Before we start looking into the techniques used by malware authors to bypass the UAC feature, let's take a very simple example to see what changes when privileges are elevated. Below are two screenshots from a cmd.exe opened as a normal user, compared with one opened as an admin-level user.
- Below are the attributes of a normal cmd.exe process. Look at the integrity level.
- Below are the privileges assigned to this process.
- Below are the attributes of an elevated cmd.exe process. Look at the integrity level.
- Below are the privileges assigned to this process.
So, one can see the difference in privileges between a normal and an elevated process, and thus what can be done if a process has maliciously elevated itself.
Beyond the different levels at which the UAC prompt can appear, as seen above, it must be noted that there is an auto-elevation feature that automatically elevates Windows executables. An executable is classified as a Windows executable if it is signed by Microsoft and resides in a secure directory such as System32. There are also rules for auto-elevation depending on the type of object being referenced. For example:
- For an exe (other than mmc.exe), the auto-elevate setting lives in the executable's manifest; looking at taskmgr.exe with the sigcheck tool, we can see the auto-elevate setting in its manifest.
- Whether mmc.exe auto-elevates depends on the snap-ins it will load. When run from a protected admin account, Windows will ask for admin rights to verify mmc.exe; once mmc.exe is verified, the supplied argument (the respective .msc file) is checked for auto-elevation.
- For COM object auto-elevation, the object must be a Windows executable and must be instantiated by a Windows executable. COM objects can also request admin rights by specifying the subkey 'Elevation' with the value 'Enabled'. Another COM object worth mentioning here is IFileOperation, which is often used by attackers to perform file operations, such as copying a file into a secure directory.
Another important concept to be aware of is the order in which a file is searched for when invoked through the ShellExecuteEx function. Files are searched for in the following order:
- The current working directory
- The Windows directory only (no subdirectories)
- The Windows\System32 subdirectory
- The directories contained in the PATH variable
- The registered path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
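As an added example (not code from the original article), the following script models the ShellExecuteEx lookup order listed above and can be used to audit where a bare file name would actually resolve from. The directory layout and the App Paths entries are constructed in a temporary directory for the demonstration; on a real system the App Paths entries come from the registry key named above.

```python
# Added example: a model of the ShellExecuteEx lookup order, used to audit where a
# bare file name resolves from. All directories and App Paths entries are constructed.
import os
import tempfile

def resolve_shell_execute(name, cwd, windir, path_dirs, app_paths):
    """Return (location_label, full_path) for the first match in ShellExecuteEx order,
    or (None, None) if nothing matches. app_paths is a dict standing in for the
    HKLM\\...\\App Paths key: file name -> registered full path."""
    candidates = [
        ("cwd", cwd),                                 # 1. current working directory
        ("windir", windir),                           # 2. Windows directory only
        ("system32", os.path.join(windir, "System32")),  # 3. Windows\System32
    ] + [("PATH", d) for d in path_dirs]              # 4. directories in PATH
    for label, directory in candidates:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return label, candidate
    registered = app_paths.get(name.lower())          # 5. registered App Paths entry
    if registered and os.path.isfile(registered):
        return "app_paths", registered
    return None, None

def is_secure_location(label):
    """Only matches under the Windows directory tree are expected for a system tool."""
    return label in ("windir", "system32")

def demo():
    """Constructed layout: tool.exe exists in System32; a same-named file is then
    placed in the working directory. Returns the two resolution labels."""
    with tempfile.TemporaryDirectory() as root:
        windir = os.path.join(root, "Windows")
        system32 = os.path.join(windir, "System32")
        cwd = os.path.join(root, "Downloads")
        for d in (system32, cwd):
            os.makedirs(d)
        open(os.path.join(system32, "tool.exe"), "w").close()
        clean = resolve_shell_execute("tool.exe", cwd, windir, [], {})
        open(os.path.join(cwd, "tool.exe"), "w").close()   # same name in CWD
        shadowed = resolve_shell_execute("tool.exe", cwd, windir, [], {})
        return clean[0], shadowed[0]

if __name__ == "__main__":
    print(demo())  # ('system32', 'cwd')
```

The second resolution shows why a detection or hardening review should treat a system tool name resolving outside the Windows directory tree (is_secure_location returns False) as suspicious.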
So, in this article, we have had a look at some of the very basic concepts that need to be understood before we dive deep into the bypass techniques. In the next part of this article series, we will look at the techniques that exploit all the features explained in this article.