We covered the concept of user account control and how it works on Windows operating systems. We also covered various working methods to bypass UAC such as using AutoElevate, Scheduled tasks in addition to automated methods. This was part of TryHackMe Bypassing UAC, red team pathway.
User Account Control (UAC) is a Windows security feature that forces any new process to run in the security context of a non-privileged account by default. This policy applies to processes started by any user, including administrators themselves. The idea is that we can’t solely rely on the user’s identity to determine if some actions should be authorized.
Although this may seem counterintuitive, imagine the case where user BOB unknowingly downloads a malicious application from the Internet. If BOB is a part of the Administrators group, any application he launches will inherit its access token privileges. So if BOB decides to launch the malicious application and UAC is disabled, the malicious application would gain administrator privileges instantly. Instead, the malicious application will be restricted to a non-administrative access token when UAC is enabled.
If an administrator is required to perform a privileged task, UAC provides a way to elevate privileges. Elevation works by presenting a simple dialogue box to the user to confirm that they explicitly approve running the application in an administrative security context.
UAC is a Mandatory Integrity Control (MIC), which is a mechanism that allows differentiating users, processes and resources by assigning an Integrity Level (IL) to each of them. In general terms, users or processes with a higher IL access token will be able to access resources with lower or equal ILs. MIC takes precedence over regular Windows DACLs, so you may be authorized to access a resource according to the DACL, but it won’t matter if your IL isn’t high enough.
Depending on our security requirements, UAC can be configured to run at four different notification levels:
- Always notify: Notify and prompt the user for authorization when making changes to Windows settings or when a program tries to install applications or make changes to the computer.
- Notify me only when programs try to make changes to my computer: Notify and prompt the user for authorization when a program tries to install applications or make changes to the computer. Administrators won’t be prompted when changing Windows settings.
- Notify me only when programs try to make changes to my computer (do not dim my desktop): Same as above, but won’t run the UAC prompt on a secure desktop.
- Never notify: Disable UAC prompt. Administrators will run everything using a high privilege token.
An excellent tool is available to test for UAC bypasses without writing your exploits from scratch. Created by @hfiref0x, UACME provides an up to date repository of UAC bypass techniques that can be used out of the box. The tool is available for download at its official repository on:
What is the IL associated with an administrator’s elevated token?
What is the full name of the service in charge of dealing with UAC elevation requests?
What flag is returned by running the azman.msc exploit?