Threat Hunt Deep Dives: User Account Control Bypass Via Registry Modification

Lee Archinal|June 3, 2021
Blog

User Account Control (UAC) Bypass is a clever method that can be used for privilege escalation either manually or via scripts and can be exploited using various methods. This video covers the Registry Key Modification method, one that abuses registry keys by creating or modifying values that some trusted Windows executables look for during their process execution. The goal of this technique is to bypass the ‘sometimes annoying’ User Account Control pop up that stops users from doing what they wanted to do, by targeting the executables that are designed to run at an elevated privilege level.

New call-to-action

According to researchers, the best way to mitigate is to set the User Account Control settings to “Always Notify” which we will test in the video. But how much can this really protect the machine? Especially if the adversary can modify the UAC settings to hide their tracks!

This episode will provide you with a demonstration on how this looks as well as some detections and basic queries that you can use in your own environment!

 

Sample Queries

Process Create:

(EventCode=4688 (WineventLog) OR EventCode=1 (Sysmon)) AND (RegistryKeyPath=”Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command” OR RegistryKeyPath=”Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe”)

Registry Key Modification:

EventCode=4657 (WineventLog) OR EventCode=13 (Sysmon) AND (RegistryKeyPath=”Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command” OR RegistryKeyPath=”Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe”)

Powershell Script Logging:

EventCode=4104 (Powershell Logging) AND (RegistryKeyPath=”Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command” OR RegistryKeyPath=”Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe”)

Resources

https://cqureacademy.com/cqure-labs/cqlabs-how-uac-bypass-methods-really-work-by-adrian-denkiewicz

New call-to-action

Blog

Lee Archinal

Senior Threat Hunter
Follow Cyborg
  • Twitter
  • linked in

DISCOVER EVEN MORE

White Paper

June 3, 2021

Threat Hunt Deep Dives: User Account Control Bypass Via Registry Modification
Read more
White Paper

May 6, 2021

Ransomware: Hunting for Inhibiting System Backup or Recovery
Read more
White Paper

March 23, 2021

Living off the Land (LotL) – RDP Hijacking
Read more

SUBSCRIBE TO OUR NEWSLETTER

Continue the Hunt
No thanks, maybe later.