How to Detect Privilege Escalation Attacks and UAC Bypass on Windows

0

Privilege escalation involves gaining illicit access to elevated rights for a user or application. Adversaries use to gain higher-level permissions on a system or network in order to install and execute the malware on the target machine. The most common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.


What is Windows UAC ?

User Account Control is a mandatory access control enforcement feature introduced with Microsoft’s Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and Windows 10.

To understand how this attack works , Let us do a quick demo on it.

Privilege Escalation and UAC Bypass

There are plenty of system utilities in windows that can be used to bypass security controls and make sure to apply possible folder access policies and implement controls for a standard user who cannot access the system utilities to stop privilege escalation.

  • Opening the cmd.exe and checking my current Privilege with whoami /priv. It will list down the privilege names and the state.
Figure 1 : least privilege list for normal user
  • Some of the privileges are by default enabled or disabled for the normal user in this machine.
  • Netplwiz.exe is a tool used to manage user accounts in most of the Windows operating systems such as Windows 10, 7, 8, 8.1, some other versions. It is located in C:\Windows\System32
  • Let us try to use Netplwiz.exe to do privilege escalation, Netplwiz is a windows system utility that manages the user account.
Open the netplwiz

Note: Open netplwiz without admin privilege.

Navigate to Advanced option
Click Advanced option under Advanced user management

Click the help topics options
View the source code in the HTML page tab
  • Source codes opens up an original source code for help menu in notepad editor.
Click the option File >Open > on the current notepad
  • Open the notepad option , File > Open

  • Click the open and windows pops up , Select the file format as All files.
Right click the CMD.exe in the popup window and open it
CMD turns as Administrator with list of privileges and its state.
  • Now we could see the cmd turns as administrator which shows we have a higher privilege.
  • The above figure shows Normal user has gained higher-level permissions on a system to perform actions like installing malware and more.
  • Most of the privileged state is disabled, this can be turned on as we have the privilege now.
  • There are lots of similar system utilities which can be used by attackers to level up the privileges.
  • Limit access to standard user for the system utilites which is not in use. Ensure windows hardening best practices in place.

Also Read: Threat Hunting using Sysmon – Advanced Log Analysis for Windows

Detection in Logs

  • Hunt for event ID 4672: Special privileges assigned to new logon.
  • Event ID Event ID 4624, Successful logon followed by Event ID 4672 special logon.
  • Explore more uncommon processes and add it to your rule engine .file_path=\Windows\System32\sethc.exe OR Filesystem.file_path=\Windows\System32\utilman.exe OR Filesystem.file_path=\Windows\System32\osk.exe OR Filesystem.file_path=\Windows\System32\Magnify.exe OR Filesystem.file_path=\Windows\System32\Narrator.exe OR Filesystem.file_path=\Windows\System32\DisplaySwitch.exe OR Filesystem.file_path=*\Windows\System32\AtBroker.exe
  • Hunt for timeline investigation where Event ID 4657 Windows registry changes with Events IDs 4624 & 4672.


Previous articleTimeline Explorer – Tool For Incident Responders and Malware Analyst
Next articleGoogle Cloud Scale Threat Detection using Chronicle
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here