https://feed.craftedsignal.io/tags/uac-bypass/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 24 Jan 2024 10:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-uac-bypass-winfw-mmc/Wed, 24 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-uac-bypass-winfw-mmc/Attackers bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in to execute code with elevated permissions, potentially leading to system compromise.This threat involves the exploitation of a User Account Control (UAC) bypass technique on Windows systems. Attackers leverage the Microsoft Management Console (MMC) and its Windows Firewall snap-in (WF.msc) to execute arbitrary code with elevated privileges. By hijacking this trusted process, malicious actors can circumvent security measures designed to restrict unauthorized access and modifications to the system. This UAC bypass method allows attackers to stealthily execute code, potentially leading to privilege escalation, malware installation, or data exfiltration. The technique is relevant to defenders because it enables attackers to bypass standard security controls, increasing the risk of successful compromise. This activity has been observed in various forms and can be adapted to deliver a range of malicious payloads.

Attack Chain

1. User executes a seemingly benign application or script.
2. The application triggers the execution of mmc.exe with the WF.msc argument, launching the Windows Firewall snap-in.
3. A malicious process is spawned as a child process of mmc.exe. This is the key indicator of compromise.
4. The malicious process exploits a vulnerability or misconfiguration within the MMC snap-in or related components.
5. The exploited process gains elevated privileges, bypassing UAC restrictions.
6. The attacker uses these elevated privileges to perform malicious actions, such as installing malware or modifying system settings.
7. The attacker achieves persistence through registry modifications or scheduled tasks.
8. The final objective is achieved, such as data exfiltration, system compromise, or lateral movement within the network.

Impact

A successful UAC bypass can lead to a significant compromise of the targeted system. Attackers can install persistent backdoors, escalate privileges, and gain control over critical system functions. This can result in data theft, system instability, or complete system takeover. The impact is amplified in environments where UAC is relied upon as a primary security control, potentially affecting a large number of systems across an organization.

Recommendation

• Deploy the Sigma rule “UAC Bypass via Windows Firewall MMC Snap-In Hijack” to your SIEM to detect suspicious processes spawned by mmc.exe with the “WF.msc” argument.
• Monitor process creation events for unexpected child processes of mmc.exe using process monitoring tools and tune the Sigma rule accordingly.
• Enable process auditing and Sysmon event logging (Event ID 1) to capture detailed information about process creations, as specified in the setup instructions of the original rule.
• Investigate any alerts generated by the Sigma rule, focusing on the parent process chain and the actions performed by the spawned process.
• Refer to the references provided for more information on UAC bypass techniques and mitigation strategies.

]]>mediumadvisoryuac-bypassprivilege-escalationwindows-firewallmmchttps://feed.craftedsignal.io/briefs/2024-01-uac-bypass-diskcleanup/Thu, 04 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-uac-bypass-diskcleanup/Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.This rule identifies User Account Control (UAC) bypass attempts via hijacking the DiskCleanup Scheduled Task. Attackers exploit this method to execute code with elevated privileges, bypassing standard security controls. The technique involves leveraging the cleanmgr.exe or taskhostw.exe executables with specific arguments (/autoclean and /d) outside of their expected paths. This allows attackers to run malicious code under the guise of a legitimate system process, making detection more challenging. This technique is used to gain elevated privileges on a compromised system, allowing for further malicious activities.

Attack Chain

1. An attacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).
2. The attacker modifies or creates a scheduled task to execute cleanmgr.exe or taskhostw.exe with the /autoclean and /d arguments.
3. The modified scheduled task is triggered, executing the specified executable with the supplied arguments.
4. The executable, such as cleanmgr.exe, attempts to run Disk Cleanup.
5. If the executable path is outside the standard locations (e.g., C:\\Windows\\System32 or C:\\Windows\\SysWOW64), it indicates a potential hijack.
6. Malicious code is executed with elevated privileges due to the UAC bypass.
7. The attacker uses these elevated privileges to install malware, modify system settings, or perform other malicious activities.

Impact

Successful exploitation allows attackers to bypass User Account Control (UAC) and execute code with elevated privileges. This can lead to the installation of malware, modification of system settings, data theft, and other malicious activities. While the exact number of victims is unknown, this technique is effective on systems where UAC is enabled but misconfigured or vulnerable.

Recommendation

• Deploy the Sigma rule “UAC Bypass via DiskCleanup with Suspicious Path” to your SIEM and tune for your environment to detect UAC bypass attempts.
• Deploy the Sigma rule “UAC Bypass via DiskCleanup and Taskhostw” to your SIEM to detect UAC bypass attempts.
• Monitor process creation events for cleanmgr.exe and taskhostw.exe with the /autoclean and /d arguments, focusing on executions outside the standard system directories.
• Review and harden scheduled tasks to prevent unauthorized modifications.
• Ensure that UAC settings are properly configured and enforced across the organization.

]]>mediumadvisoryuac-bypassprivilege-escalationwindowsdiskcleanupscheduled-taskhttps://feed.craftedsignal.io/briefs/2024-01-03-uac-bypass-ieinstal/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-uac-bypass-ieinstal/This threat brief details a UAC bypass technique leveraging the Internet Explorer Add-On Installer (ieinstal.exe) and Component Object Model (COM) to execute arbitrary code with elevated privileges.This detection rule identifies a User Account Control (UAC) bypass technique that abuses the Internet Explorer Add-On Installer (ieinstal.exe) to launch malicious programs with elevated privileges. Attackers exploit elevated COM interfaces to circumvent UAC, allowing for stealthy code execution. The specific behavior involves executing a program from a temporary directory using ieinstal.exe with the -Embedding argument. This bypass can be utilized to perform various malicious activities, including installing malware, modifying system settings, or establishing persistence. The targeted systems are Windows endpoints where UAC is enabled. This technique matters because it allows attackers to gain unauthorized access with elevated permissions, undermining standard Windows security controls.

Attack Chain

1. The attacker gains initial access to the system, possibly through phishing or other means.
2. The attacker drops a malicious executable into a temporary directory, such as C:\Users\<user>\AppData\Local\Temp\IDC*.tmp\.
3. The attacker invokes ieinstal.exe with the -Embedding argument, specifying the path to the malicious executable.
4. ieinstal.exe, running with elevated privileges, launches the malicious executable due to COM object handling.
5. The malicious executable executes with elevated privileges, bypassing UAC prompts.
6. The attacker leverages elevated privileges to perform malicious activities, such as installing malware or modifying system settings.
7. The attacker establishes persistence to maintain elevated access across system reboots.

Impact

Successful exploitation of this UAC bypass technique allows attackers to execute arbitrary code with elevated privileges, bypassing security controls designed to prevent unauthorized system modifications. This can lead to the installation of malware, data theft, or complete system compromise. The severity of the impact is high, as it grants attackers significant control over the affected system.

Recommendation

• Deploy the Sigma rule “UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer” to your SIEM to detect potential UAC bypass attempts.
• Enable Sysmon process creation logging to capture the necessary events for the Sigma rule to function correctly.
• Monitor process execution from temporary directories, specifically those matching the pattern C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe.
• Investigate any instances of ieinstal.exe being executed with the -Embedding argument, as this is a key indicator of the UAC bypass attempt.
• Implement application whitelisting to prevent unauthorized executables from running, particularly those in temporary directories.

]]>mediumadvisoryuac-bypassprivilege-escalationcomieinstal