UAC Bypass via Event Viewer


What is UAC (User Account Control)?
User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
In order to better understand how this process happens, let's look at the Windows logon process.


All apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.


Overview
In July 2016, Matt Graeber and Matt Nelson disclosed a Windows 10 UAC bypass method that involved Disk Cleanup, the utility that allows users to free up space on their hard drives.
The new method found by the same researchers likewise does not rely on code injection or privileged file copy operations. The technique, which the researchers describe as a "fileless" UAC bypass, involves the Windows Registry and the Event Viewer tool.
If your UAC level is not set to "Always Notify" and you use an account with administrative privileges for everyday tasks, you may be at risk.

What Can You Do to Protect Against This Type of Attack?
This particular technique can be remediated by setting the UAC level to "Always Notify" or by removing the current user from the local Administrators group. Further, if you would like to monitor for this attack, you can use detection signatures that look for and alert on new registry entries under HKCU\Software\Classes\.

How Do Attackers Use This Vulnerability?
Event Viewer, which allows Windows users to view event logs on a local or remote machine, is one of the Microsoft-signed binaries that auto-elevate if UAC is configured with the "Notify me only when programs/apps try to make changes to my computer" settings (the two middle settings).
Researchers discovered that Event Viewer (eventvwr.exe) queries a couple of registry keys in the HKEY_CLASSES_ROOT (HKCR) and HKEY_CURRENT_USER (HKCU) hives. The goal is to load the Microsoft Management Console (mmc.exe), which is used to open saved console files (.msc).
When eventvwr.exe executes the eventvwr.msc file through the shell, Windows, rather than using the file association information under HKEY_LOCAL_MACHINE\Software\Classes\mscfile, queries this branch:

HKEY_CLASSES_ROOT\mscfile

FYI, HKEY_CLASSES_ROOT is just a merged view that contains keys, subkeys and values from these two locations:

HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\Software\Classes

And if identical keys and values exist under both, the ones under HKEY_CURRENT_USER take precedence. So, you can hijack HKEY_CLASSES_ROOT\mscfile by creating the following key:

HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command


A malicious program or script can set the (default) value data accordingly, so that a PowerShell command or script is executed with full administrative privileges (high integrity), without the user even knowing.


Thus, by hijacking HKEY_CLASSES_ROOT, eventvwr.exe can effectively be used as a launcher to execute an arbitrary program with administrative privileges, for example a PowerShell.exe command that downloads a ransomware payload from a remote server and runs it.



DETECTION WITH CRYPTOSIM

CSIM-ID: 83202
Title: UAC Bypass via Event Viewer
Description: Detects the UAC bypass method that abuses the Windows Event Viewer
Author: Burak Çayır
Reference: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Date: 2.8.2018
Logsource:
    Product: windows
    Service: sysmon
Detection:
    Keywords:
        - 'UAC ByPass'
    methregistry:
        # Requires Windows Sysmon logs (registry value set)
        EventID: 13
        TargetObject:
            - 'HKEY_USERS\*\mscfile\shell\open\command'
    methprocess:
        # Requires Windows Sysmon logs (process creation)
        EventID: 1
        ParentImage:
            - '*\eventvwr.exe'
    filterprocess:
        Image:
            - '*\mmc.exe'
    Condition: methregistry or ( methprocess and not filterprocess )
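The rule's Condition, reimplemented as a small matcher over Sysmon-style events, as an added example that is not part of the original post and not CryptoSim's own code. It covers both the monitoring advice above (alerting on new entries under the per-user Software\Classes) and the CSIM-83202 rule itself. The hive-alias table, the handling of the trailing value name that Sysmon appends to TargetObject (for example "\(Default)"), and the sample events are assumptions about the log format made here, not anything the rule states.

```python
"""Evaluate the CSIM-83202 logic (methregistry or (methprocess and not filterprocess))
against Sysmon-like event dictionaries. Added example; assumptions are marked below."""
import fnmatch

# Rule terms, copied from the CSIM-83202 rule above.
RULE_ID = 83202
REGISTRY_TARGETS = [r"HKEY_USERS\*\mscfile\shell\open\command"]
SUSPICIOUS_PARENTS = [r"*\eventvwr.exe"]
BENIGN_CHILDREN = [r"*\mmc.exe"]

# Assumption: Sysmon abbreviates hives (HKU\, HKLM\, ...) while the rule spells
# them out, so the prefix is expanded before matching.
HIVE_ALIASES = {
    "HKU\\": "HKEY_USERS\\",
    "HKLM\\": "HKEY_LOCAL_MACHINE\\",
    "HKCU\\": "HKEY_CURRENT_USER\\",
    "HKCR\\": "HKEY_CLASSES_ROOT\\",
}


def normalize_hive(path: str) -> str:
    """Expand an abbreviated hive prefix to the long form used by the rule."""
    upper = path.upper()
    for short, long in HIVE_ALIASES.items():
        if upper.startswith(short):
            return long + path[len(short):]
    return path


def _glob_any(value: str, patterns) -> bool:
    """Sigma-style wildcard match: case-insensitive, '*' may span backslashes."""
    lowered = value.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def evaluate(event: dict):
    """Return the name of the selection that fired for one event, or None."""
    event_id = int(event.get("EventID", 0))
    if event_id == 13:  # Sysmon: registry value set
        target = normalize_hive(event.get("TargetObject", ""))
        # Assumption: Sysmon appends the value name ('...\command\(Default)'), so the
        # containing key path is tested too; the rule's exact pattern alone would miss it.
        key_only = target.rsplit("\\", 1)[0]
        if _glob_any(target, REGISTRY_TARGETS) or _glob_any(key_only, REGISTRY_TARGETS):
            return "methregistry"
        return None
    if event_id == 1:  # Sysmon: process creation
        spawned_by_eventvwr = _glob_any(event.get("ParentImage", ""), SUSPICIOUS_PARENTS)
        expected_child = _glob_any(event.get("Image", ""), BENIGN_CHILDREN)
        if spawned_by_eventvwr and not expected_child:
            return "methprocess"
    return None


def scan(events):
    """Apply the rule to a list of events; return (index, selection) for every hit."""
    hits = []
    for index, event in enumerate(events):
        reason = evaluate(event)
        if reason:
            hits.append((index, reason))
    return hits


# Constructed sample events (not real telemetry); SIDs and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\mmc.exe"},                       # normal Event Viewer start
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\mscfile\shell\open\command\(Default)"},  # machine hive, not watched
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print(f"CSIM-{RULE_ID} hit on event {index}: {reason}")
```

Event 0 fires only because the containing key is tested as well as the full TargetObject; a deployment that matches the rule pattern literally against Sysmon output should either append a wildcard or include the value name in the pattern. Event 3 shows that the rule deliberately watches the per-user hive only, which is where the hijack key described above is created.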



Burak Çayır
@CT-Zer0
