User Account Control (UAC) Bypass is a clever method that can be used for privilege escalation either manually or via scripts and can be exploited using various methods. This video covers the Registry Key Modification method, one that abuses registry keys by creating or modifying values that some trusted Windows executables look for during their process execution. The goal of this technique is to bypass the 'sometimes annoying' User Account Control pop up that stops users from doing what they wanted to do, by targeting the executables that are designed to run at an elevated privilege level.
According to researchers, the best way to mitigate is to set the User Account Control settings to "Always Notify" which we will test in the video. But how much can this really protect the machine? Especially if the adversary can modify the UAC settings to hide their tracks!
This episode will provide you with a demonstration on how this looks as well as some detections and basic queries that you can use in your own environment!
https://youtu.be/U45hJN2dPgo
Process Create:
(EventCode=4688 (WineventLog) OR EventCode=1 (Sysmon)) AND (RegistryKeyPath="Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" OR RegistryKeyPath="Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe")
Registry Key Modification:
EventCode=4657 (WineventLog) OR EventCode=13 (Sysmon) AND (RegistryKeyPath="Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" OR RegistryKeyPath="Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe")
Powershell Script Logging:
EventCode=4104 (Powershell Logging) AND (RegistryKeyPath="Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" OR RegistryKeyPath="Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe")
Technical Blogs:
https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/
https://www.fortinet.com/blog/threat-research/offense-and-defense-a-tale-of-two-sides-bypass-uac
Blogs:
https://cqureacademy.com/cqure-labs/cqlabs-how-uac-bypass-methods-really-work-by-adrian-denkiewicz
Guided Threat Hunts offers a library of Pivot Queries for hundreds of hunt packages that enable your threat hunters and analysts to overcome uncertainty and boost productivity. Guided Threat Hunts is a set of packages that assists users modify their result set to decide their next step and filter out noise from extraneous results.
The Lumma infostealer malware collects highly sensitive data including logins and session tokens. Here's how to conduct a threat hunt leveraging up-to-date tactics, techniques and procedures used by Lumma.
After compromising a system, attackers seek ways to maintain persistence. Here's how to threat hunt for a common persistence method used by attackers including DragonForce.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.