Exploring Windows UAC bypasses: Techniques and detection strategies

Readers Note :

This is a summarized post of a detailed write up by the Elastic Security Intelligence and Analytics team. A deep dive on UAC Bypass is available to read here.

The Elastic Security Research team has identified new detection strategies to overcome the bypass methodologies used by adversaries to silently deploy malware onto an endpoint and elevate privileges without the end-user knowing. Malware often requires full administrative privileges on a machine to perform more impactful actions, such as adding an antivirus exclusion, encrypting secured files, or injecting code into system processes. Even if the targeted user has administrative privileges, the prevalence of User Account Control (UAC) means that the malicious application will often default to medium integrity, preventing write access to resources with higher integrity levels. Mandatory Integrity Levels (MIC) provides a mechanism for controlling access to securable objects.

This work builds on the UAC research we’ve recently conducted.

To bypass this restriction, an attacker will need a way to elevate integrity levels silently without user interaction or a UAC prompt. This technique is known as a UAC bypass and relies on a variety of primitives and conditions, the majority of which are based on piggybacking elevated Windows features.

In the article, written by Samir Bousseaden, a few common evasion methodologies were discussed in detail, outlining the complex steps adversaries take when approaching this method of attack:

attack steps

His findings detailed these methods, and several detection mechanisms shared by other community members This highlights how effective Elastic Security is at detecting tactics leveraged by adversaries to compromise an endpoint. Further details are available in the article.

While much of this research has been sourced from adversarial observations provided by the community, Elastic’s unique vantage point provides incredible insights into common malware families that take advantage of these mechanisms. Below you can see a quick overview of the top commonly observed UAC bypass methods used by malware families, observed by Elastic Security:


Malware Family

UAC Bypass via ICMLuaUtil Elevated COM Interface

DarkSide, LockBit, TrickBot

UAC Bypass via ComputerDefaults Execution Hijack

ClipBanker, Quasar RAT

UAC Bypass via Control Panel Execution Hijack

AveMaria, Trojan.Mardom

UAC Bypass via DiskCleanup Scheduled Task Hijack

RedLine Stealer, Glupteba

UAC Bypass via FodHelper Execution Hijack

Glupteba, BitAT dropper

UAC Bypass Attempt via Windows Directory Masquerading

Remcos RAT

The complexity of adversarial behaviors is nothing to be ignored, and with the broader detections highlighted in this article, Elastic Security provides coverage extensively with 26 prebuilt endpoint behavior protections for UAC bypasses. Those that wish to investigate these capabilities can readily access these capabilities within the product.

If you’re new to Elastic Security, take a look at our Quick Start guides (bite-sized training videos to get you started quickly) or our free fundamentals training courses. You can always get started with a free 14-day trial of Elastic Cloud. Or download the self-managed version of the Elastic Stack for free.