
Threat Hunt Deep Dives: User Account Control Bypass via Registry Modification

DEEP DIVE EPISODE 7

User Account Control (UAC) bypass is a privilege escalation method that can be carried out manually or via scripts, and there are several ways to do it. This video covers the registry key modification method, which abuses registry keys by creating or modifying values that certain trusted Windows executables look up while they run. The goal of the technique is to bypass the ‘sometimes annoying’ User Account Control pop-up that stops users from doing what they wanted to do, by targeting executables that are designed to run at an elevated privilege level.

According to researchers, the best mitigation is to set the User Account Control level to “Always Notify”, which we test in the video. But how much can this really protect the machine? Especially if the adversary can modify the UAC settings to hide their tracks!

This episode provides a demonstration of what this looks like, as well as some detections and basic queries that you can use in your own environment!

SAMPLE QUERIES

PROCESS CREATE (Windows Security 4688 or Sysmon 1):

Process creation events carry the command line rather than a registry key path, so the two key paths are matched against the CommandLine field, with wildcards because the path is normally preceded by a hive and followed by a value name:

(EventCode=4688 OR EventCode=1) AND (CommandLine="*Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command*" OR CommandLine="*Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe*")

REGISTRY KEY MODIFICATION (Windows Security 4657 or Sysmon 13):

The event code clause must be parenthesized, otherwise AND binds tighter than OR and every 4657 event matches regardless of the key path. RegistryKeyPath is used here as a normalized field name; in the raw events the path is in ObjectName (4657) or TargetObject (Sysmon 13) and is prefixed with the hive (for example HKU\<SID>\ or \REGISTRY\USER\<SID>\), hence the wildcards:

(EventCode=4657 OR EventCode=13) AND (RegistryKeyPath="*Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command*" OR RegistryKeyPath="*Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe*")

POWERSHELL SCRIPT BLOCK LOGGING (Event 4104):

Script block logging events record the script text in ScriptBlockText, so the key paths are matched there:

EventCode=4104 AND (ScriptBlockText="*Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command*" OR ScriptBlockText="*Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe*")
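The three sample queries above, implemented as detection logic over constructed event records. This is an added example, not code from the original post or from Cyborg Security; it assumes raw field names as the event sources emit them (CommandLine for 4688 and Sysmon 1, ObjectName for 4657, TargetObject for Sysmon 13, ScriptBlockText for 4104) and treats the RegistryKeyPath used in the queries as a normalized alias for the two registry fields. The sample events, SIDs and file paths are constructed for the example.

```python
"""Run the three UAC-bypass registry detections over constructed Windows events.

Added example: the event records below are constructed, not real telemetry.
"""

# The two registry key paths named in the sample queries. They are matched as
# substrings because real events prefix them with a hive (HKU\<SID>\ or
# \REGISTRY\USER\<SID>\) and may append a value name such as \(Default).
WATCHED_KEYS = (
    r"Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe",
)

# Which free-text field holds the key path for each (channel, event id) pair,
# and which detection category a hit in that field belongs to.
SOURCE_FIELDS = {
    ("Security", 4688): ("CommandLine", "process_create"),
    ("Sysmon", 1): ("CommandLine", "process_create"),
    ("Security", 4657): ("ObjectName", "registry_modification"),
    ("Sysmon", 13): ("TargetObject", "registry_modification"),
    ("PowerShell", 4104): ("ScriptBlockText", "powershell_script"),
}


def matches_watched_key(text):
    """True when any watched key path occurs in text (case-insensitive)."""
    if not text:
        return False
    lowered = text.lower()
    return any(key.lower() in lowered for key in WATCHED_KEYS)


def classify(event):
    """Return the detection category for one event, or None if it is not a hit.

    Events from channels/ids we do not map are ignored, which mirrors the
    EventCode filters in the queries; the key path is only searched in the
    field that event type actually carries.
    """
    mapping = SOURCE_FIELDS.get((event.get("Channel"), event.get("EventCode")))
    if mapping is None:
        return None
    field, category = mapping
    return category if matches_watched_key(event.get(field)) else None


def hunt(events):
    """Return a list of (category, event) pairs for every matching event."""
    return [(classify(e), e) for e in events if classify(e) is not None]


# Constructed sample events (not real telemetry). SIDs and paths are placeholders.
SAMPLE_EVENTS = [
    # Sysmon process create whose command line touches the AppX key: hit.
    {"Channel": "Sysmon", "EventCode": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe add HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2"
                    r"\Shell\open\command /ve /d C:\constructed\example.exe /f"},
    # Sysmon registry value set under the AppX key (hive-prefixed, value name appended): hit.
    {"Channel": "Sysmon", "EventCode": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes"
                     r"\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default)"},
    # Security 4657 on the control.exe App Paths key (\REGISTRY\USER form): hit.
    {"Channel": "Security", "EventCode": 4657,
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft"
                   r"\Windows\CurrentVersion\App Paths\control.exe"},
    # PowerShell script block referencing the App Paths key: hit.
    {"Channel": "PowerShell", "EventCode": 4104,
     "ScriptBlockText": r"New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows"
                        r"\CurrentVersion\App Paths\control.exe' -Name '(Default)' "
                        r"-Value 'C:\constructed\example.exe'"},
    # Unrelated registry change: no hit.
    {"Channel": "Sysmon", "EventCode": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Ordinary process create: no hit.
    {"Channel": "Security", "EventCode": 4688,
     "CommandLine": r"C:\Windows\System32\notepad.exe C:\constructed\notes.txt"},
]


def summarize(events):
    """Count hits per detection category, in the order the categories are named."""
    counts = {"process_create": 0, "registry_modification": 0, "powershell_script": 0}
    for category, _ in hunt(events):
        counts[category] += 1
    return counts


if __name__ == "__main__":
    for category, event in hunt(SAMPLE_EVENTS):
        print(f"{category:22s} {event['Channel']}/{event['EventCode']}")
    print(summarize(SAMPLE_EVENTS))
```

The mapping table is the point: the same two key paths are hunted in three different fields, and a query that asks a process-create event for a registry path field simply returns nothing. Extending WATCHED_KEYS with other auto-elevating targets is a one-line change.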

RESOURCES

TECHNICAL BLOGS:

UAC Bypass – SDCLT

https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html

https://www.fortinet.com/blog/threat-research/offense-and-defense-a-tale-of-two-sides-bypass-uac

BLOGS:

https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/

The post Threat Hunt Deep Dives: User Account Control Bypass via Registry Modification appeared first on Cyborg Security.

This is a Security Bloggers Network syndicated blog from Cyborg Security authored by cyborgsec3. Read the original post at: https://www.cyborgsecurity.com/cyborg-labs/threat-hunt-deep-dives-user-account-control-bypass-via-registry-modification-2/