4. UAC: What is it?
UAC == User Account Control
“UAC is meant to enable users to run with standard
user rights, as opposed to administrative rights”
If user == Local Administrator, two tokens are
assigned to the logon session (split-token admin)
If a user is not a local admin, UAC offers Over-the-
Shoulder (OTS) elevation
We will be focusing on the split-token admin
scenario 4
https://technet.microsoft.com/en-us/library/2007.06.uac.aspx?f=255&MSPPError=-2147217396
5. Who Cares?
Every organization has users in the Local
Administrators group
A common answer is “We have UAC set to Always
Notify”, so we are safe
Attackers encounter UAC all the time
Roadblock between them and their objective
Blue: Are you aware of all the users in your
environment that are running as Local
Administrators?
5
6. ““Attackers don’t care about
security boundaries” - Jessica
Payne at MSIgniteNZ
(@jepayneMSFT)
6
https://twitter.com/jepayneMSFT/status/791702594309677056
10. Integrity Levels
An Integrity Level is assigned to a security access
token
Defined by SID; assists in Access Control for various
OS components
Mandatory access token policies
TOKEN_MANDATORY_NO_WRITE_UP,
TOKEN_MANDATORY_NEW_PROCESS_MIN
The Security Reference Monitor compares the
user/group SIDs in the security access token with
the ACL on an object to determine access 10
12. Integrity Levels
When researching UAC, we are mostly interested
in 2 integrity levels:
High Integrity (HI) security access tokens ==
Administrator
Medium Integrity (MI) security access token ==
Normal user
Split-Token admin processes are assigned a MI
security access token
Elevation via UAC == granted HI security access
token 12
13. UAC Levels
UAC level determines the notification level
Technically 4 levels: Always Notify, Notify (Secure
Desktop), Notify (No Secure Desktop), Never
Notify
Realistically, there are only 2 we care about
Always Notify and the Default (Notify w/ Secure
Desktop)
13
16. Purpose
Silently obtain a HI security access token without
raising suspicion to the user
Often executed from an agent (Meterpreter, Empire,
Beacon, etc.)
You aren’t bypassing anything if you elevate while
logged in via the GUI
At that point, you can just click “Yes” on the UAC
prompt...
16
18. Elevation Objects
Identify objects that silently elevate
Scheduled Tasks, Auto-Elevate Windows Binaries,
COM interfaces, etc.
Take these objects and trace their various
execution behavior
Determine any locations these objects interact with
that a MI process can manipulate
Can be registry keys, files, folders, etc.
18
21. Abusing These Objects
After identifying an object that reads from a
location you can modify, determine how to abuse
it
Registry key additions
Environment variable manipulation
Winning a race condition
After modifying, these elevating objects should
read and pull your payload 21
24. Disclaimer
There are many public UAC bypasses that
currently exist
Most definitive source for all bypasses is @hfireF0x’s
UACME project: https://github.com/hfiref0x/UACME
This section only highlights the evolution of
bypass tradecraft, not specific techniques.
I will not cover every bypass nor every technique (we
would be here for hours)
24
25. IFileOperation
Leo Davidson released PoC code in 2009
One of the first UAC bypasses to publically be
released
IFileOperation::CopyItem()
Has to be invoked from inside a Microsoft signed
binary (can be spoofed)
A privilege file copy opens up the possibility for a
DLLHijack
Fixed in Windows 10 RS2 (15007)
25
27. WUSA
Original Finder: Vozzie
Windows Update Standalone Installer
Auto-Elevating Windows binary
Pre-Windows 10, has an “/extract” flag
Allows extraction of a cab from one location to another
Cab a payload using makecab and perform a
privileged file copy using: wusa <path> /extract
<path> 27
29. Registry Modification (eventvwr.exe)
Abuses Registry verb handlers
Shellopencommand, isolatedCommand, etc
These values determine the binary and parameters for
a specified verb
Many binaries can be used here
More: https://enigma0x3.net/2016/08/15/fileless-
uac-bypass-using-eventvwr-exe-and-registry-hijacking/
29
34. Registry Modification (eventvwr.exe)
◈ Microsoft actually issued a fix in Windows 10 RS2 (15031)
34http://www.winhelponline.com/blog/microsoft-fixes-eventvwr-exe-uac-bypass-exploit-windows-10-
creators-update/
35. Race Condition (Disk Cleanup)
Found by @mattifestation/@enigma0x3
Windows 10 Scheduled Task with “Run with
Highest Privileges” set
Creates a folder in %localappdata%Temp<guid>
Executes dismhost.exe in a HI context
Dismhost.exe loads DLLs from the temp directory
Fixed in Windows 10 RS2 (15031)
35
40. Environment Variables (Disk
Cleanup)
Discovered by James Forshaw (@tiraniddo)
Same Scheduled Task as the Race Condition
Utilizes an environment variable in its action
These environment variables can be modified
without elevation
HKEY_CURRENT_USEREnvironment
40
42. Environment Variables (Disk
Cleanup)
Hijacking the %windir% environment variable can
lead to silent elevation when the task is ran
reg add hkcuEnvironment /v windir /d "cmd /K reg
delete hkcuEnvironment /v windir /f && REM “
More:
https://tyranidslair.blogspot.com/2017/05/exploitin
g-environment-variables-in.html
42
44. COM Hijacking
Finders: @FuzzySec/@enigma0x3
Hijack InProcServer32, Server or LocalServer32 &
invoke an auto-elevating binary that instantiates
that COM object
Our malicious binary loads
44
45. COM Hijacking
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USERSoftwareClassesCLSI
D{0A29FF9E-7F9C-4437-8B11-F424491E3931}]
[HKEY_CURRENT_USERSoftwareClassesCLSI
D{0A29FF9E-7F9C-4437-8B11-
F424491E3931}Server]
@="C:UsersMattDesktopMessageBox64.dll
" 45
47. Token Manipulation
Discovered by James Forshaw (@tiraniddo):
https://tyranidslair.blogspot.com/2017/05/reading-
your-way-around-uac-part-1.html
Weaponized by Ruben Boonen (@fuzzysec)
Forget auto-elevating objects…
Uses DuplicateTokenEx() to duplicate a HI token &
calls CreateProcessWithLogonW() with that new token
Results in an Always Notify bypass without any
OS modifications :-) 47
50. Token Manipulation
50
Re-implemented via PSReflect
https://github.com/enigma0x3/Misc-PowerShell-
Stuff/blob/master/Invoke-TokenDuplication.ps1
Enumerates process list and checks for a process
with a HI security access token
When one is found, uses that ProcID to elevate
If one is not, starts one via the RunAs verb
52. Local Admin Accounts
◈ Every environment I have ever operated in had a
percentage of users that were local administrators
on their own host...
52
53. Stop Running as a Local
Administrator
Why do users need to be local administrators?
Stop it.
Seriously.
Practice real least privilege
pls.
53
54. CREDITS
Special Thanks:
James Forshaw (@tiraniddo)
Ruben Boonen (@FuzzySec)
Matt Graeber (@mattifestation)
@hfiref0x
& many more for their great research!
54
Note that we are focusing on split-token admins (AAM) mode
OTW exploitation is likely possible
Split-token == user is a LA, UAC gives user a normal token and then elevation occurs that grants the process an administrative token
Note that we are focusing on split-token admins (AAM) mode
OTW exploitation is likely possible
Split-token == user is a LA, UAC gives user a normal token and then elevation occurs that grants the process an administrative token
Blue:
Do you know how many users are Local Admins on their own host?
Lee & Jeffery Derby 2016 keynote: “What do you have and what do you get?”
One user should not be able to read or modify the data of another user, nor be able to cause other users to execute code, without the permission of the other user.
Mark Russonivich Windows Vista User Account Control Internals
TOKEN_MANDATORY_NO_WRITE_UP: The default policy that is assigned to all access tokens. The policy restricts write access by this subject to any object at a higher integrity level.
Won’t outline all IFileOperation Dll Hijack bypasses, just cover the IFileOperation technique
Requires injection into explorer.exe to call the method
OpenProcess, OpenProcessToken, DuplicateTokenEx, AllocateAndInitializeSid, ntSetInformationToken (lower the token IL level), ntFilterToken (creates a new restricted token), DuplicateTokenEx, ImpersonateLoggedOnUser and then CreateProcesswithLogonW
