Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Обход контроля учетных записей
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Обход контроля учетных записей
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Abuse Elevation Control Mechanism:  Обход контроля учетных записей

ID Название
.001 Setuid и Setgid
.002 Обход контроля учетных записей
.003 Sudo и кэширование sudo
.004 Запрос пароля суперпользователя для повышения привилегий

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works) If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as: * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)

ID: T1548.002
Относится к технике:  T1548
Тактика(-и): Defense Evasion, Privilege Escalation
Платформы: Windows
Требуемые разрешения: Administrator, User
Источники данных: Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Версия: 2.0
Дата создания: 30 Jan 2020
Последнее изменение: 19 Apr 2022

Примеры процедур
Название Описание
BlackEnergy

BlackEnergy attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.(Citation: F-Secure BlackEnergy 2014)
RTM

RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.(Citation: ESET RTM Feb 2017)
Cobalt Strike

Cobalt Strike can use a number of known techniques to bypass Windows UAC.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)
Honeybee

Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.(Citation: McAfee Honeybee)
Gelsemium

Gelsemium can bypass UAC to elevate process privileges on a compromised host.(Citation: ESET Gelsemium June 2021)
ZeroT

Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.(Citation: Proofpoint ZeroT Feb 2017)
Saint Bot

Saint Bot has attempted to bypass UAC using `fodhelper.exe` to escalate privileges.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
WarzoneRAT

WarzoneRAT can use `sdclt.exe` to bypass UAC in Windows 10 to escalate privileges; for older Windows versions WarzoneRAT can use the IFileOperation exploit to bypass the UAC module.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)
Pupy

Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.(Citation: GitHub Pupy)
PoshC2

PoshC2 can utilize multiple methods to bypass UAC.(Citation: GitHub PoshC2)
KONNI

KONNI has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to “AlwaysNotify".(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)
Sakula

Sakula contains UAC bypass code for both 32- and 64-bit systems.(Citation: Dell Sakula)
ShimRat

ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Access Control window from appearing.(Citation: FOX-IT May 2016 Mofang)
Evilnum

Evilnum has used PowerShell to bypass UAC.(Citation: ESET EvilNum July 2020)
APT37

APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.(Citation: Securelist ScarCruft May 2019)
BRONZE BUTLER

BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)
AutoIt backdoor

AutoIt backdoor attempts to escalate privileges by bypassing User Access Control.(Citation: Forcepoint Monsoon)
FinFisher

FinFisher performs UAC bypass.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)
Bad Rabbit

Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges.(Citation: Secure List Bad Rabbit)
Downdelph

Downdelph bypasses UAC to escalate privileges by using a custom “RedirectEXE” shim database.(Citation: ESET Sednit Part 3)
Koadic

Koadic has 2 methods for elevating integrity. It can bypass UAC through `eventvwr.exe` and `sdclt.exe`.(Citation: Github Koadic)
Cobalt Strike

Cobalt Strike can use a number of known techniques to bypass Windows UAC.(Citation: cobaltstrike manual)
Avaddon

Avaddon bypasses UAC using the CMSTPLUA COM interface.(Citation: Arxiv Avaddon Feb 2021)

QuasarRAT

QuasarRAT can generate a UAC pop-up Window to prompt the target user to run a command as the administrator.(Citation: CISA AR18-352A Quasar RAT December 2018)
Winnti for Windows

Winnti for Windows can use a variant of the sysprep UAC bypass.(Citation: Novetta Winnti April 2015)
WastedLocker

WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later.(Citation: NCC Group WastedLocker June 2020)
MuddyWater

MuddyWater uses various techniques to bypass UAC.(Citation: ClearSky MuddyWater Nov 2018)
PipeMon

PipeMon installer can use UAC bypass techniques to install the payload.(Citation: ESET PipeMon May 2020)
Lokibot

Lokibot has utilized multiple techniques to bypass UAC.(Citation: Talos Lokibot Jan 2021)
H1N1

H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).(Citation: Cisco H1N1 Part 2)
Cobalt Group

Cobalt Group has bypassed UAC.(Citation: Group IB Cobalt Aug 2017)
PLAINTEE

An older variant of PLAINTEE performs UAC bypass.(Citation: Rancor Unit42 June 2018)
Remcos

Remcos has a command for UAC bypassing.(Citation: Fortinet Remcos Feb 2017)
Ramsay

Ramsay can use UACMe for privilege escalation.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

BitPaymer

BitPaymer can suppress UAC prompts by setting the HKCU\Software\Classes\ms-settings\shell\open\command registry key on Windows 10 or HKCU\Software\Classes\mscfile\shell\open\command on Windows 7 and launching the eventvwr.msc process, which launches BitPaymer with elevated privileges.(Citation: Crowdstrike Indrik November 2018)
Earth Lusca

Earth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges.(Citation: TrendMicro EarthLusca 2022)

During Operation Honeybee, the threat actors used the malicious NTWDBLIB.DLL and `cliconfig.exe` to bypass UAC protections.(Citation: McAfee Honeybee)
CSPY Downloader

CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges.(Citation: Cybereason Kimsuky November 2020)
Bumblebee

Bumblebee has the ability to bypass UAC to deploy post exploitation tools with elevated privileges.(Citation: Cybereason Bumblebee August 2022)
Threat Group-3390

A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.(Citation: Nccgroup Emissary Panda May 2018)
Grandoreiro

Grandoreiro can bypass UAC by registering as the default handler for .MSC files.(Citation: ESET Grandoreiro April 2020)
Clambling

Clambling has the ability to bypass UAC using a `passuac.dll` file.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
Shamoon

Shamoon attempts to disable UAC remote restrictions by modifying the Registry.(Citation: Palo Alto Shamoon Nov 2016)
SILENTTRINITY

SILENTTRINITY contains a number of modules that can bypass UAC, including through Window's Device Manager, Manage Optional Features, and an image hijack on the `.msc` file extension.(Citation: GitHub SILENTTRINITY Modules July 2019)

AppleJeus

AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.(Citation: CISA AppleJeus Feb 2021)
InvisiMole

InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)
KOCTOPUS

KOCTOPUS will perform UAC bypass either through fodhelper.exe or eventvwr.exe.(Citation: MalwareBytes LazyScripter Feb 2021)
Patchwork

Patchwork bypassed User Access Control (UAC).(Citation: Cymmetria Patchwork)
UACMe

UACMe contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.(Citation: Github UACMe)
Empire

Empire includes various modules to attempt to bypass UAC for escalation of privileges.(Citation: Github PowerShell Empire)
RCSession

RCSession can bypass UAC to escalate privileges.(Citation: Trend Micro DRBControl February 2020)
APT29

APT29 has bypassed UAC.(Citation: Mandiant No Easy Breach)

Контрмеры
Контрмера Описание
Update Software

Perform regular software updates to mitigate exploitation risk.
Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
User Account Control

Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.
Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Обнаружение

There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of Process Injection and unusual loaded DLLs through DLL Search Order Hijacking, which indicate attempts to gain access to higher privileged processes. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example: * The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key.(Citation: enigma0x3 Fileless UAC Bypass) * The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass) Analysts should monitor these Registry settings for unauthorized changes.

Ссылки

  1. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  2. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  3. UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
  4. Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.
  5. Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.
  6. Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.
  7. Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.
  8. Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.
  9. Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.
  10. Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.
  11. Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.
  12. Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.
  13. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  14. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  15. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  16. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  17. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  18. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  19. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  20. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  21. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  22. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  23. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  24. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  25. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  26. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
  27. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  28. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  29. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  30. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  31. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  32. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  33. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  34. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  35. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  36. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  37. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  38. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  39. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  40. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  41. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  42. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  43. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  44. FinFisher. (n.d.). Retrieved December 20, 2017.
  45. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  46. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  47. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  48. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  49. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  50. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  51. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  52. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  53. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  54. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  55. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  56. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  57. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  58. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  59. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  60. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  61. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  62. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  63. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  64. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  65. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  66. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  67. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
Навигация

Каталоги

БДУ ФСТЭК:
УБИ.031 Угроза использования механизмов авторизации для повышения привилегий
Угроза заключается в возможности получения нарушителем доступа к данным и функциям, предназначенным для учётных записей с более...
УБИ.122 Угроза повышения привилегий
Угроза заключается в возможности осуществления нарушителем деструктивного программного воздействия на дискредитируемый процесс (...

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.