{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/uac-bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["uac-bypass","privilege-escalation","windows-firewall","mmc"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves the exploitation of a User Account Control (UAC) bypass technique on Windows systems. Attackers leverage the Microsoft Management Console (MMC) and its Windows Firewall snap-in (WF.msc) to execute arbitrary code with elevated privileges. By hijacking this trusted process, malicious actors can circumvent security measures designed to restrict unauthorized access and modifications to the system. This UAC bypass method allows attackers to stealthily execute code, potentially leading to privilege escalation, malware installation, or data exfiltration. The technique is relevant to defenders because it enables attackers to bypass standard security controls, increasing the risk of successful compromise. This activity has been observed in various forms and can be adapted to deliver a range of malicious payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser executes a seemingly benign application or script.\u003c/li\u003e\n\u003cli\u003eThe application triggers the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with the \u003ccode\u003eWF.msc\u003c/code\u003e argument, launching the Windows Firewall snap-in.\u003c/li\u003e\n\u003cli\u003eA malicious process is spawned as a child process of \u003ccode\u003emmc.exe\u003c/code\u003e. This is the key indicator of compromise.\u003c/li\u003e\n\u003cli\u003eThe malicious process exploits a vulnerability or misconfiguration within the MMC snap-in or related components.\u003c/li\u003e\n\u003cli\u003eThe exploited process gains elevated privileges, bypassing UAC restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these elevated privileges to perform malicious actions, such as installing malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence through registry modifications or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as data exfiltration, system compromise, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful UAC bypass can lead to a significant compromise of the targeted system. Attackers can install persistent backdoors, escalate privileges, and gain control over critical system functions. This can result in data theft, system instability, or complete system takeover. The impact is amplified in environments where UAC is relied upon as a primary security control, potentially affecting a large number of systems across an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via Windows Firewall MMC Snap-In Hijack\u0026rdquo; to your SIEM to detect suspicious processes spawned by \u003ccode\u003emmc.exe\u003c/code\u003e with the \u0026ldquo;WF.msc\u0026rdquo; argument.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected child processes of \u003ccode\u003emmc.exe\u003c/code\u003e using process monitoring tools and tune the Sigma rule accordingly.\u003c/li\u003e\n\u003cli\u003eEnable process auditing and Sysmon event logging (Event ID 1) to capture detailed information about process creations, as specified in the setup instructions of the original rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process chain and the actions performed by the spawned process.\u003c/li\u003e\n\u003cli\u003eRefer to the references provided for more information on UAC bypass techniques and mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T10:00:00Z","date_published":"2024-01-24T10:00:00Z","id":"/briefs/2024-01-uac-bypass-winfw-mmc/","summary":"Attackers bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in to execute code with elevated permissions, potentially leading to system compromise.","title":"UAC Bypass via Windows Firewall MMC Snap-In Hijack","url":"https://feed.craftedsignal.io/briefs/2024-01-uac-bypass-winfw-mmc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["uac-bypass","privilege-escalation","windows","diskcleanup","scheduled-task"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule identifies User Account Control (UAC) bypass attempts via hijacking the DiskCleanup Scheduled Task. Attackers exploit this method to execute code with elevated privileges, bypassing standard security controls. The technique involves leveraging the \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e executables with specific arguments (\u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e) outside of their expected paths. This allows attackers to run malicious code under the guise of a legitimate system process, making detection more challenging. This technique is used to gain elevated privileges on a compromised system, allowing for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates a scheduled task to execute \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eThe modified scheduled task is triggered, executing the specified executable with the supplied arguments.\u003c/li\u003e\n\u003cli\u003eThe executable, such as \u003ccode\u003ecleanmgr.exe\u003c/code\u003e, attempts to run Disk Cleanup.\u003c/li\u003e\n\u003cli\u003eIf the executable path is outside the standard locations (e.g., \u003ccode\u003eC:\\\\Windows\\\\System32\u003c/code\u003e or \u003ccode\u003eC:\\\\Windows\\\\SysWOW64\u003c/code\u003e), it indicates a potential hijack.\u003c/li\u003e\n\u003cli\u003eMalicious code is executed with elevated privileges due to the UAC bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these elevated privileges to install malware, modify system settings, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass User Account Control (UAC) and execute code with elevated privileges. This can lead to the installation of malware, modification of system settings, data theft, and other malicious activities. While the exact number of victims is unknown, this technique is effective on systems where UAC is enabled but misconfigured or vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup with Suspicious Path\u0026rdquo; to your SIEM and tune for your environment to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup and Taskhostw\u0026rdquo; to your SIEM to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ecleanmgr.exe\u003c/code\u003e and \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments, focusing on executions outside the standard system directories.\u003c/li\u003e\n\u003cli\u003eReview and harden scheduled tasks to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnsure that UAC settings are properly configured and enforced across the organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-uac-bypass-diskcleanup/","summary":"Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.","title":"UAC Bypass via DiskCleanup Scheduled Task Hijack","url":"https://feed.craftedsignal.io/briefs/2024-01-uac-bypass-diskcleanup/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["uac-bypass","privilege-escalation","com","ieinstal"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies a User Account Control (UAC) bypass technique that abuses the Internet Explorer Add-On Installer (ieinstal.exe) to launch malicious programs with elevated privileges. Attackers exploit elevated COM interfaces to circumvent UAC, allowing for stealthy code execution. The specific behavior involves executing a program from a temporary directory using ieinstal.exe with the \u003ccode\u003e-Embedding\u003c/code\u003e argument. This bypass can be utilized to perform various malicious activities, including installing malware, modifying system settings, or establishing persistence. The targeted systems are Windows endpoints where UAC is enabled. This technique matters because it allows attackers to gain unauthorized access with elevated permissions, undermining standard Windows security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable into a temporary directory, such as \u003ccode\u003eC:\\Users\\\u0026lt;user\u0026gt;\\AppData\\Local\\Temp\\IDC*.tmp\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes \u003ccode\u003eieinstal.exe\u003c/code\u003e with the \u003ccode\u003e-Embedding\u003c/code\u003e argument, specifying the path to the malicious executable.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eieinstal.exe\u003c/code\u003e, running with elevated privileges, launches the malicious executable due to COM object handling.\u003c/li\u003e\n\u003cli\u003eThe malicious executable executes with elevated privileges, bypassing UAC prompts.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages elevated privileges to perform malicious activities, such as installing malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence to maintain elevated access across system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this UAC bypass technique allows attackers to execute arbitrary code with elevated privileges, bypassing security controls designed to prevent unauthorized system modifications. This can lead to the installation of malware, data theft, or complete system compromise. The severity of the impact is high, as it grants attackers significant control over the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer\u0026rdquo; to your SIEM to detect potential UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary events for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process execution from temporary directories, specifically those matching the pattern \u003ccode\u003eC:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eieinstal.exe\u003c/code\u003e being executed with the \u003ccode\u003e-Embedding\u003c/code\u003e argument, as this is a key indicator of the UAC bypass attempt.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized executables from running, particularly those in temporary directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-uac-bypass-ieinstal/","summary":"This threat brief details a UAC bypass technique leveraging the Internet Explorer Add-On Installer (ieinstal.exe) and Component Object Model (COM) to execute arbitrary code with elevated privileges.","title":"UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer","url":"https://feed.craftedsignal.io/briefs/2024-01-03-uac-bypass-ieinstal/"}],"language":"en","title":"CraftedSignal Threat Feed — Uac-Bypass","version":"https://jsonfeed.org/version/1.1"}