UAC Bypass via Event Viewer

What is UAC (User Account Control)?
User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.

Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.

To better understand how this process happens, look at the Windows logon process: all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.
Overview

In July 2016, Matt Graeber and Matt Nelson disclosed a Windows 10 UAC bypass method that involved Disk Cleanup, the utility that allows users to free up space on their hard drives.

A newer method found by the same researchers also does not rely on code injection or privileged file copy operations. The new technique, which the researchers say can be used for a "fileless" UAC bypass, involves the Windows Registry and the Event Viewer tool.

If your UAC level is not "Always Notify" and you use an account with administrative privileges for regular tasks, you may be at risk.
What Can You Do to Protect Against These Types of Attacks?

This particular technique can be remediated by setting the UAC level to "Always Notify" or by removing the current user from the local Administrators group. Further, if you would like to monitor for this attack, you can use detection signatures that look for and alert on new registry entries under HKCU\Software\Classes\.
How Do Attackers Use This Vulnerability?

Event Viewer, which allows Windows users to view event logs on a local or remote machine, is one of the Microsoft-signed binaries that are auto-elevated if UAC is configured with the "Notify me only when programs/apps try to make changes to my computer" settings (the two middle settings).

Researchers discovered that Event Viewer (eventvwr.exe) queries a couple of registry keys in the HKEY_CLASSES_ROOT (HKCR) and HKEY_CURRENT_USER (HKCU) hives. The goal is to load the Microsoft Management Console (mmc.exe), which is used to load saved console files (.msc).

When eventvwr.exe shell-executes the eventvwr.msc file, Windows, rather than using the file association info under HKEY_LOCAL_MACHINE\Software\Classes\mscfile, queries this branch:

HKEY_CLASSES_ROOT\mscfile

Note that HKEY_CLASSES_ROOT is just a merged view that contains keys, subkeys and values from these two locations:

HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\Software\Classes

If identical keys and values exist under both, the ones under HKEY_CURRENT_USER take precedence. So HKEY_CLASSES_ROOT\mscfile can be hijacked by creating the following key:

HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command

A malicious program or script can set the (default) value data accordingly, so that a PowerShell command/script is executed with full administrative privileges (high integrity) without the user even knowing.

Thus, by hijacking HKEY_CLASSES_ROOT, eventvwr.exe can effectively be used as a launcher to execute any program arbitrarily, even to download a ransomware payload from a remote server and run it with PowerShell.exe under admin privileges.
DETECTION WITH CRYPTOSIM

CSIM-ID: 83202
Title: UAC Bypass via Event Viewer
Description: Detects UAC bypass method using Windows event viewer
Author: Burak Çayır
Reference: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Date: 2.8.2018
Logsource:
    Type: firewall
    Type: webserver
    Product: windows
    Service: sysmon
Description:
Detection:
    Timeframe:
    Keywords:
        - 'UAC ByPass'
    Filter:
    methregistry:
        # Requires Windows Sysmon Logs
        EventID: 13
        TargetObject:
            - 'HKEY_USERS\*\mscfile\shell\open\command'
    methprocess:
        # Requires Windows Sysmon Logs
        EventID: 1
        ParentImage:
            - '*\eventvwr.exe'
    filterprocess:
        Image:
            - '*\mmc.exe'
    Condition: methregistry or ( methprocess and not filterprocess )
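The following is an added example (not part of the original post or of CryptoSim) that applies the rule's condition, methregistry or (methprocess and not filterprocess), to constructed Sysmon events flattened as a SIEM would present them. It also illustrates the monitoring advice above: it keys on writes to the per-user mscfile handler and on eventvwr.exe spawning anything other than mmc.exe. The HKU-to-HKEY_USERS normalisation and the ancestor-key matching are assumptions made for this example.

```python
import fnmatch
from typing import Dict, Iterable, List

# Wildcard patterns copied from the CryptoSim rule above.
REGISTRY_TARGETS = [r"HKEY_USERS\*\mscfile\shell\open\command"]
PARENT_IMAGES = [r"*\eventvwr.exe"]
FILTER_IMAGES = [r"*\mmc.exe"]

def glob_match(value: str, patterns: Iterable[str]) -> bool:
    """Case-insensitive match of the whole value against any rule pattern."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def registry_key_match(target: str, patterns: Iterable[str]) -> bool:
    """Match a key pattern against the target path or any ancestor key.

    Sysmon EventID 13 names the value written ('(Default)' here), so a pattern
    written for the key must also match one level up. Sysmon abbreviates the hive
    as HKU; the rule spells it HKEY_USERS, so that prefix is normalised here
    (an assumption made for this example).
    """
    path = "HKEY_USERS\\" + target[4:] if target.upper().startswith("HKU\\") else target
    parts = path.split("\\")
    return any(glob_match("\\".join(parts[:i]), patterns) for i in range(len(parts), 0, -1))

def is_uac_bypass_candidate(ev: Dict[str, str]) -> bool:
    """Rule condition: methregistry or (methprocess and not filterprocess)."""
    if ev.get("EventID") == "13":
        return registry_key_match(ev.get("TargetObject", ""), REGISTRY_TARGETS)
    if ev.get("EventID") == "1":
        return (glob_match(ev.get("ParentImage", ""), PARENT_IMAGES)
                and not glob_match(ev.get("Image", ""), FILTER_IMAGES))
    return False

def find_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that satisfy the rule condition."""
    return [e for e in events if is_uac_bypass_candidate(e)]

# Constructed sample events (not real captures), flattened the way a SIEM
# presents Sysmon EventData. Expected: events 1 and 2 alert, 0 and 3 do not.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\mmc.exe",            # eventvwr hosting its .msc: benign
     "ParentImage": r"C:\Windows\System32\eventvwr.exe"},
    {"EventID": "13",                                                     # per-user mscfile handler written
     "TargetObject": r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe"},                 # eventvwr spawning a non-mmc child
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                          # unrelated process creation
]
```

Feed `find_alerts` the parsed events from your collector; the legitimate eventvwr.exe to mmc.exe launch is suppressed by the filterprocess clause, so only the handler write and the unexpected child process surface.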
Burak Çayır
@CT-Zer0