FalconFriday — Detecting UAC Bypasses — 0xFF16

Post-Image

FalconFriday — Detecting UAC Bypasses — 0xFF16

Attackers often require full administrative privileges on a machine to be able to use their full attack capabilities. Many attacks originate from a regular user account running with low or medium integrity. Therefore one of the first things an attacker needs to do is bypass User Account Control (UAC) to get access to a process running with high integrity. If the targeted user has administrative privileges this can be achieved by using social engineering techniques to have them approve a UAC prompt or by using a UAC bypass technique that bypasses the UAC prompt altogether. In this blog post we take a look at a collection of UAC bypasses published in the UACME Github repository and investigate how they can be detected using Microsoft Defender for Endpoint (MDE).

TL;DR for blue teams: Many publicly documented UAC bypasses exist that work against a fully patched Windows 10 machine. This blog post provides detection rules for several of these UAC bypasses that will allow detection of techniques that are not detected by default using MDE.

TL;DR for red teams: While many functional UAC bypass techniques are available, many of them allow for relatively easy detection. It might be beneficial to research your own techniques instead of relying on widely known techniques that can be easily detected.

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf

Direct link to our Github page:

https://github.com/FalconForceTeam/FalconFriday