Exploring Windows UAC Bypasses: Techniques and Detection Strategies — Elastic Security Labs
Common Information
Type Value
UUID 2051d1ff-9ad5-48e0-aab4-6b47607f8f65
Fingerprint de2f887e25e5c3cc
Analysis status DONE
Considered CTI value 0
Text language
Published May 15, 2023, midnight
Added to db Nov. 20, 2023, 12:59 a.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline Exploring Windows UAC Bypasses: Techniques and Detection Strategies
Title Exploring Windows UAC Bypasses: Techniques and Detection Strategies — Elastic Security Labs
Detected Hints/Tags/Attributes 77/3/83
RSS Feed
Id  Enabled  Feed title  Url  Added to db
306  Elastic Security Labs  https://www.elastic.co/security-labs/rss/feed.xml  2024-08-30 22:08
Attributes
Type  #Events  Value  CTI Value
Domain  17  host.id
Domain  55  process.name
Domain  18  user.id
Domain  8  process.pe
Domain  285  microsoft.net
Domain  21  process.parent.name
Domain  6  registry.data
Domain  4127  github.com
Domain  3  swapcontext.blogspot.com
Domain  1  tyranidslair.blogspot.no
Domain  4  www.tiraniddo.dev
Domain  434  medium.com
Domain  11  enigma0x3.net
Domain  281  docs.microsoft.com
Domain  36  googleprojectzero.blogspot.com
File  155  cscript.exe
File  2125  cmd.exe
File  26  taskhostw.exe
File  1  npmproxy.dll
File  172  dllhost.exe
File  49  process.exe
File  6  wow64log.dll
File  81  werfault.exe
File  11  dismhost.exe
File  1  api-ms-win-core-kernel32-legacy-l1.dll
File  1  target_program.exe
File  14  consent.exe
File  30  comctl32.dll
File  380  notepad.exe
File  1018  rundll32.exe
File  1208  powershell.exe
File  456  mshta.exe
File  149  msbuild.exe
File  459  regsvr32.exe
File  376  wscript.exe
File  240  wmic.exe
File  83  installutil.exe
File  23  msxsl.exe
File  10  compiler.exe
File  7  ieexec.exe
File  11  iexpress.exe
File  103  regasm.exe
File  72  regsvcs.exe
File  44  javaw.exe
File  165  reg.exe
File  249  schtasks.exe
File  118  sc.exe
File  256  net.exe
File  48  net1.exe
File  345  vssadmin.exe
File  105  bcdedit.exe
File  43  wbadmin.exe
File  269  msiexec.exe
File  3  devmgr.dll
File  1  iesetup.dll
File  3  servermanager.exe
File  12  parent.exe
File  7  registry.dat
File  2  registry.key
File  1  uacme-35-wd-and-ways-of-mitigation.html
File  1  reading-your-way-around-uac-part-1.html
File  1  reading-your-way-around-uac-part-2.html
File  1  reading-your-way-around-uac-part-3.html
File  1  exploiting-environment-variables-in.html
File  2  calling-local-windows-rpc-servers-from.html
Github username  14  hfiref0x
Github username  2  azagarampur
Url  7  https://github.com/hfiref0x/uacme
Url  1  https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html
Url  1  https://tyranidslair.blogspot.no/2017/05/reading-your-way-around-uac-part-1.html
Url  1  https://tyranidslair.blogspot.no/2017/05/reading-your-way-around-uac-part-2.html
Url  1  https://tyranidslair.blogspot.no/2017/05/reading-your-way-around-uac-part-3.html
Url  1  https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html
Url  3  https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
Url  1  https://github.com/azagarampur/byeintegrity5-uac
Url  1  https://github.com/azagarampur/byeintegrity8-uac
Url  1  https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup
Url  1  https://docs.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
Url  1  https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
Url  2  https://googleprojectzero.blogspot.com/2019/12/calling-local-windows-rpc-servers-from.html
Windows Registry Key  3  HKCU\Software\Classes
Windows Registry Key  1  HKCU\Environment\windir
Windows Registry Key  1  HKCU\Environment\systemroot