Common Information
| Type | Value |
|---|---|
| Value |
Bypass User Account Control - T1548.002 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works) If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as: * <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-11-04 | 35 | G700 : The Next Generation of Craxs RAT - CYFIRMA | ||
| Details | Website | 2024-11-01 | 9 | Malware Analysis: ValleyRAT TTPs and Defense Strategies | ||
| Details | Website | 2024-10-28 | 51 | CloudScout: Evasive Panda scouting cloud services | ||
| Details | Website | 2024-10-25 | 58 | HeptaX: Unauthorized RDP Connections For Cyberespionage Operations | ||
| Details | Website | 2024-10-24 | 40 | ValleyRAT Insights: Tactics, Techniques, and Detection Methods | Splunk | ||
| Details | Website | 2024-10-08 | 3 | Vilsa Stealer: New Python Malware With Heavy Encryption – | ||
| Details | Website | 2024-09-30 | 5 | Trouble in Da Hood: Malicious Actors Use Infected PyPI Packages to Target Roblox Cheaters | Imperva | ||
| Details | Website | 2024-09-30 | 6 | Trouble in Da Hood: Malicious Actors Use Infected PyPI Packages to Target Roblox Cheaters | ||
| Details | Website | 2024-09-28 | 0 | Today’s Top Cyber Intelligence Highlights — Sep 28, 2024 | ||
| Details | Website | 2024-09-26 | 22 | Avaddon Ransomware Analysis (EN) | ||
| Details | Website | 2024-09-20 | 29 | How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections | ||
| Details | Website | 2024-09-06 | 46 | Самые интересные киберинциденты в 2023 году: внутренние угрозы и многое другое | ||
| Details | Website | 2024-09-03 | 46 | Most interesting IR cases in 2023: insider threats and more | ||
| Details | Website | 2024-08-10 | 89 | Sidewinder APT – 针对巴基斯坦的网络钓鱼 | CTF导航 | ||
| Details | Website | 2024-05-06 | 27 | HijackLoader Updates | ||
| Details | Website | 2024-01-04 | 63 | ATT&CK을 이용해 스스로 평가하기(APT3, Second Scenario) | ||
| Details | Website | 2024-01-01 | 28 | Hide and Seek in Windows' Closet: Unmasking the WinSxS Hijacking Hideout | ||
| Details | Website | 2023-12-06 | 198 | Russia/Ukraine Update - December 2023 | ||
| Details | Website | 2023-11-17 | 80 | WinRAR CVE-2023-38831 Vulnerability: Malware Exploits & APT Attacks | ||
| Details | Website | 2023-11-02 | 2 | [updated] Atlassian: "Take immediate action" to patch your Confluence Data Center and Server instances | Malwarebytes | ||
| Details | Website | 2023-11-01 | 85 | Dark Pink | ||
| Details | Website | 2023-10-31 | 18 | More Than Just a RAT: Unveiling NjRAT's MBR Wiping Capabilities | ||
| Details | Website | 2023-10-23 | 273 | Red Team Tools | ||
| Details | Website | 2023-10-05 | 6 | APT Profile: Dark Pink APT Group | ||
| Details | Website | 2023-09-29 | 25 | The Thin Line: Educational Tools vs. Malicious Threats - A Focus on The-Murk-Stealer - CYFIRMA |