Common techniques to bypass UAC for red team trade-craft
Learn about different techniques to bypass UAC during red team engagements.
UAC bypass techniques can be grouped based on their underlying mechanisms.
Auto-Elevated Applications
One of the most common categories is exploiting auto-elevated applications, which leverages Windows executables that run with administrative privileges without triggering a UAC prompt. Red team operators can manipulate these executables to execute arbitrary code with elevated rights. For example, fodhelper.exe can be used to execute a payload by modifying specific registry keys under HKCU\Software\Classes\ms-settings\shell\open\command. Similarly, eventvwr.exe can be abused by changing its registry association with .msc files to run malicious commands.
COM Interface Abuse
This technique involves leveraging COM objects that automatically elevate processes when called. Red team operators can invoke these objects to execute arbitrary commands without user consent. For instance, the ICMLuaUtil COM interface provides the ShellExec method, which can be used to run commands with elevated privileges.
Registry Hijacking and Environment Variable Manipulation
These methods involve modifying registry keys or environment variables to trick privileged processes into executing malicious payloads. For example, in the ms-settings protocol hijack, red team operators modify HKCU\Software\Classes\ms-settings\shell\open\command to execute arbitrary commands. Similarly, they can alter environment variables such as windir or systemroot to force system processes to reference malicious executables instead of legitimate ones.
DLL Hijacking
Another widely used technique is DLL hijacking and binary planting, which abuses how Windows loads DLLs. Some auto-elevated applications search for dependencies in specific directories, allowing red team operators to place malicious DLLs in those locations. When the application is executed, it loads the attacker's DLL with elevated privileges. Binary planting follows a similar approach, where operators create fake directories mimicking system paths and place their malicious executables or DLLs inside them.
Scheduled Tasks
Task scheduler techniques rely on modifying scheduled tasks that run elevated processes. The SilentCleanup scheduled task, for example, runs automatically with administrative privileges. Red team operators can modify its execution path or script to launch their own malicious code.
Token Impersonation
Another method involves token impersonation, where attackers duplicate tokens of elevated processes and use them for elevated execution without triggering a UAC prompt.
Application Path Abuse
This technique involves manipulating Windows' handling of executable paths. Some applications use registry-defined paths to locate their executables, and attackers can modify these paths to point to their own payloads. Another example is fileless UAC bypass using App Paths, where attackers modify the App Paths registry key to execute their payload whenever a specific application is launched.
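Several of the categories above (auto-elevated applications, registry and environment variable hijacking, App Paths abuse) share one detectable footprint: a standard user writing to a per-user registry location that an elevated binary later reads. As an added defensive example that is not part of the original post, the Python below scans constructed Sysmon Event ID 13 (registry value set) records for exactly those writes; the flattened "Field=value" record layout, the sample records, and the mscfile key name used for the .msc handler are assumptions.

```python
import re

# User-writable registry locations that the auto-elevated binaries discussed
# above read at launch (lower-cased for case-insensitive substring matching).
# The mscfile key for the .msc handler is an assumption not spelled out above.
WATCHED_KEYS = {
    r"\software\classes\ms-settings\shell\open\command": "ms-settings handler hijack (fodhelper)",
    r"\software\classes\mscfile\shell\open\command": ".msc handler hijack (eventvwr)",
    r"\software\microsoft\windows\currentversion\app paths": "App Paths hijack",
    r"\environment\windir": "windir environment variable hijack",
    r"\environment\systemroot": "systemroot environment variable hijack",
}

# One Sysmon Event ID 13 (RegistryEvent: Value Set) record flattened to a
# single "Field=value ..." line; this layout is a constructed approximation.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line: str) -> dict:
    return dict(FIELD.findall(line))

def check_events(lines):
    """Return (record_no, user, target_key, reason) for each suspicious write."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        target = ev.get("TargetObject", "")
        low = target.lower()
        # Only per-user hives matter: writing HKLM already requires admin.
        if not low.startswith(("hku\\", "hkcu\\")):
            continue
        for key, reason in WATCHED_KEYS.items():
            if key in low:
                findings.append((n, ev.get("User", "?"), target, reason))
    return findings

# Constructed sample records: records 1 and 4 should be flagged, the rest not.
SAMPLE_LOG = [
    r"EventID=13 User=LAB\alice Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute Details=(Empty)",
    r"EventID=13 User=LAB\alice Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a Details=notepad",
    r"EventID=13 User=NT AUTHORITY\SYSTEM Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Classes\ms-settings\Shell\Open\command\(Default) Details=x",
    r"EventID=13 User=LAB\bob Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-1-2-3-1002\Environment\windir Details=C:\Users\bob\x",
    r"EventID=1 User=LAB\alice Image=C:\Windows\System32\fodhelper.exe CommandLine=fodhelper.exe",
]

if __name__ == "__main__":
    for n, user, target, reason in check_events(SAMPLE_LOG):
        print(f"record {n}: {user} wrote {target} [{reason}]")
```

A hit on these keys from a non-admin user, especially shortly before a process creation event for the matching auto-elevated binary, is worth an alert; the mitigation side is setting UAC to "Always notify", which removes the silent auto-elevation these techniques depend on.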
Red Team Notes
Techniques to bypass User Account Control (UAC) can be broadly categorized into the following categories:
- Auto-Elevated Applications - Abuses Windows executables that run with high privileges without triggering a UAC prompt.
- COM Interface Abuse - Leverages privileged COM objects to execute arbitrary commands with elevated rights.
- Registry Hijacking & Environment Variables - Modifies registry keys or environment variables to trick privileged processes into executing malicious code.
- DLL Hijacking - Places malicious DLLs in directories where elevated applications load them automatically.
- Scheduled Tasks - Modifies scheduled tasks to execute malicious payloads.
- Token Impersonation - Impersonates the token of an elevated process to bypass UAC prompt.
- Application Path Abuse - Alters application paths to force execution of malicious code with admin privileges.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.