Bypass User Account Control - veramine/Detections GitHub Wiki
Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected. Many methods have been discovered to bypass UAC. You can find an extensive list of methods that have been discovered and/or exploited by attackers as pointers from the Mitre ATT&CK webpage for this technique (https://attack.mitre.org/wiki/Technique/T1088).
The Veramine sensor tracks the state of each process token and reports any token changes to the server-side Veramine detection engine. In cases of an unexpected Integrity Level (IL) change from Medium to High, the detection engine reports a possible UAC bypass. (Other types of token changes are reported as potential local elevation of privilege attacks.) These Medium IL -> High IL detections are added as "Low" severity because these integrity level changes could also happen as a result of the user clicking through a UAC prompt. Here is an example of a legitimate case of an Administrator launching an elevated command prompt:
Here's what happens what the Veramine sensor reports in response to a user clicking the "Show Processes from All Users" button in the task manager. images/uac-7.png
At first glance, a true UAC bypass may look similar. Metasploit's windows/local/bypassuac_injection exploit, for example, launches a child notepad.exe and then starts a remote thread in that new process to perform the UAC bypass via the sysprep DLL hijack method described at https://github.com/hfiref0x/UACME. Here's an example of Veramine detecting that event:
However, the context presented in the Veramine portal surrounding that event gives enough clues to determine this one is different. First, we report the process injection into the notepad.exe process that initiated the UAC bypass:
You can also see from the notepad.exe and sysprep.exe process tree that this process sequence is suspicious:
We hope to enhance this detection in the future to reduce the types of false positives from legitimate UAC elevations and report only suspicious potential UAC bypasses.