User Account Control (T1548.002)
Technical History of User Account Control Attacks (T1548.002)
Overview of User Account Control:
User Account Control (UAC) is a Windows security feature designed to prevent unauthorized changes to the operating system. It does this by prompting the user for confirmation or administrative credentials before allowing changes that could affect system security. UAC aims to keep malware and attackers from operating with elevated privileges. However, various threat actors have found ways to bypass UAC, gaining elevated privileges without user consent.
MITRE ATT&CK Technique: T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
This technique involves adversaries bypassing or evading the Windows UAC feature to execute code with elevated permissions. Methods include abusing auto-elevating programs, exploiting vulnerabilities, or using direct commands.
Noted Attacks, Timelines, People, and Groups Associated with UAC Bypass:
1. Stuxnet (2010)
Attack/APT Group: Stuxnet
Timeline: Discovered in 2010
Details: Stuxnet targeted Iranian nuclear facilities, exploiting UAC bypass techniques to gain higher privileges on Windows systems.
Public Interest Detail: Stuxnet aimed to damage centrifuges at the Natanz uranium enrichment plant, leading to widespread public and governmental interest in cybersecurity.
2. APT28 (Fancy Bear, Sofacy Group)
Attack/APT Group: APT28
Timeline: Active since the mid-2000s, notable activities from 2014 onwards
Details: APT28, linked to Russian military intelligence, uses UAC bypass techniques in cyber-espionage campaigns.
Public Interest Detail: Associated with attacks on political entities such as the DNC during the 2016 U.S. elections and various European organizations.
3. Carbanak / FIN7 (2013 - Present)
Attack/APT Group: Carbanak / FIN7
Timeline: First identified in 2013; operations continue
Details: Carbanak uses UAC bypass techniques for large-scale financial theft from banks, facilitated by spear-phishing emails.
Public Interest Detail: Responsible for stealing over $1 billion, leading to multiple law enforcement operations.
4. Cobalt Group
Attack/APT Group: Cobalt Group
Timeline: Active from 2016, notable up until around 2019-2020
Details: Cobalt Group employs UAC bypass techniques for initial infection and internal movement within financial networks.
Public Interest Detail: Their activities prompted international cooperation and multiple arrests.
5. TA505
Attack/APT Group: TA505
Timeline: Active since at least 2014
Details: Known for exploiting UAC bypass techniques in large-scale phishing campaigns and distributing banking trojans and ransomware.
Public Interest Detail: Affects sectors from retail to financial services globally.
Methods of UAC Bypass:
Application Compatibility Shims: Abusing the Windows application-compatibility (shim) infrastructure, intended for backward compatibility, to launch malicious executables with elevated privileges.
Registry Hijacks: Modifying registry settings to auto-elevate specific applications without user prompts.
DLL Hijacking: Planting malicious DLLs in directories that the loader searches before the legitimate library's location, so that an elevated process loads them.
COM Interfaces: Abusing Component Object Model (COM) interfaces that are auto-elevated and run with administrative rights by default.
Notable Individuals:
James Forshaw: Security researcher noted for discovering privilege escalation vulnerabilities, including UAC bypass methods.
Casey Smith (subTee): Key researcher identifying novel UAC bypass techniques and highlighting security shortcomings in administrative tools.
Defense and Mitigation:
Strategies to mitigate UAC bypass techniques include regularly updating and patching systems to close vulnerabilities.
Windows Environments
Audit Existing UAC Settings: Open `secpol.msc`, navigate to `Local Policies > Security Options`, and confirm the User Account Control policies are enabled.
Configure Group Policy Settings: Open `gpmc.msc` to adjust UAC settings like "Run all administrators in Admin Approval Mode" to `Enabled`.
Implement Application Control: Configure `AppLocker` or `Software Restriction Policies` to prevent unauthorized applications.
Monitor UAC Bypasses: Use `Event Viewer` to review event ID 4672 (Special privileges assigned to new logon) in the Security log.
Regular Updates: Enable `Windows Update` to apply critical updates.
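The audit and monitoring steps above, as an added PowerShell example that is not part of the original page: it compares the local UAC policy values that `secpol.msc` and `gpmc.msc` set against a hardened baseline and summarises recent 4672 logons per account. The function and variable names are my own; the registry value names and event fields are Windows' own, and the Security log query assumes an elevated session.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell session.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hardened baseline: "Run all administrators in Admin Approval Mode" = EnableLUA 1,
# "Always notify" = ConsentPromptBehaviorAdmin 2 plus PromptOnSecureDesktop 1.
# (The Windows default is ConsentPromptBehaviorAdmin 5: prompt only for non-Windows binaries;
#  0 means elevate silently, which is the setting a bypass hunt should flag first.)
$baseline = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 2
    PromptOnSecureDesktop      = 1
}

function Test-UacBaseline {
    # Returns one row per setting so drift from the baseline is visible at a glance.
    $actual = Get-ItemProperty -Path $uacKey
    foreach ($name in $baseline.Keys) {
        $value  = $actual.$name
        $status = if ($value -eq $baseline[$name]) { 'OK' } else { 'DRIFT' }
        [pscustomobject]@{ Setting = $name; Actual = $value; Expected = $baseline[$name]; Status = $status }
    }
}

function Get-PrivilegedLogons {
    param([int]$Hours = 24)
    # 4672 = "Special privileges assigned to new logon". It fires for every administrative
    # logon, so treat it as a review feed to correlate with process activity, not as an alert.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4672
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            LogonId    = $data.SubjectLogonId
            Privileges = (($data.PrivilegeList -split '\s+') | Where-Object { $_ }) -join ','
        }
    }
}

Test-UacBaseline | Format-Table -AutoSize
# Accounts with the most privileged logons in the window; unexpected names warrant a closer look.
Get-PrivilegedLogons -Hours 24 | Group-Object Account | Sort-Object Count -Descending | Select-Object Count, Name
```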
macOS
Review and Enable SIP: Check System Integrity Protection (SIP) status with `csrutil status`. Enable it using `csrutil enable` from Recovery Mode.
Enforce Gatekeeper Settings: Set Gatekeeper to allow apps from identified developers/App Store in `System Preferences > Security & Privacy`.
Enable FileVault Encryption: Turn on FileVault in `System Preferences > Security & Privacy`.
Monitor Admin Access Attempts: Review system logs using `Console.app`.
Regular Software Updates: Enable automatic updates in `System Preferences > Software Update`.
Linux
Utilize sudo for Privileged Actions: Configure `/etc/sudoers` using `visudo`.
Monitor and Restrict Root Access: Review `/var/log/auth.log`; disable direct root login in `/etc/ssh/sshd_config`.
Restrict Sudo Access: Limit sudo access by configuring `/etc/sudoers` with command-specific rules.
AppArmor/SELinux: Implement security policies using AppArmor or SELinux.
Apply System Updates: Regularly update using package managers like `apt`, `yum`, `dnf`, or `zypper`.
Amazon AWS
IAM User and Role Policies: Define minimal IAM policies adhering to the principle of least privilege.
Monitor IAM Activity: Enable AWS CloudTrail and use CloudWatch to alert on sensitive actions.
MFA on IAM Accounts: Enable MFA for all IAM users.
Segmentation and Network Access Control: Use VPC security groups and NACLs for network segmentation.
Keep Services Updated: Regularly update EC2 instances and other services.
Google Cloud Platform
IAM Policies: Regularly review IAM roles and permissions, using predefined roles.
Audit Logs: Monitor Google Cloud Audit Logs and set up alerts for suspicious activity.
Enable MFA: Require MFA for accessing the Google Cloud Console.
VPC Segmentation: Use VPC Service Controls for resource isolation.
Regular Updates: Maintain and utilize automatic updates for Google-provided and custom software.
Microsoft Azure
Role-Based Access Control (RBAC): Implement Azure RBAC, regularly reviewing roles for least privilege.
Activity Logs: Enable Azure Monitor, review permission changes, and set alerts for high-severity actions.
MFA for Azure AD: Enforce MFA for Azure AD accounts with administrative privileges.
Network Security Groups (NSG): Define and enforce segmentation and traffic rules using NSGs.
Patch Management: Use Azure Update Management for regular patching of all VMs and services.