Not a Security Boundary:
New Methods for
Bypassing User Account
Control
Matt Nelson (@enigma0x3)
SpecterOps

@enigma0x3
 Job: Red Teamer and Security
Researcher at @SpecterOps
 Trainer: BlackHat 2016, ATRTO
 Blogger: enigma0x3.net
 Speaker: Various BSides, DerbyCon,
ShmooCon, OPCDE
 Other: Multiple CVEs for Device
Guard research, plenty of UAC
bypasses & COM lover
2

tl;dr
 UAC/Integrity Level Overview
 Bypass Research Overview
 Bypass Evolution
 Mitigations
 Demos throughout!
3

UAC: What is it?
 UAC == User Account Control
 “UAC is meant to enable users to run with standard
user rights, as opposed to administrative rights”
 If user == Local Administrator, two tokens are
assigned to the logon session (split-token admin)
 If a user is not a local admin, UAC offers Over-the-
Shoulder (OTS) elevation
 We will be focusing on the split-token admin
scenario 4
https://technet.microsoft.com/en-us/library/2007.06.uac.aspx?f=255&MSPPError=-2147217396

Who Cares?
 Every organization has users in the Local
Administrators group
 A common answer is “We have UAC set to Always
Notify”, so we are safe
 Attackers encounter UAC all the time
 Roadblock between them and their objective
 Blue: Are you aware of all the users in your
environment that are running as Local
Administrators?
5

““Attackers don’t care about
security boundaries” - Jessica
Payne at MSIgniteNZ
(@jepayneMSFT)
6
https://twitter.com/jepayneMSFT/status/791702594309677056

Security Boundary?
7
https://blogs.technet.microsoft.com/markrussinovich/2007/02/12/psexec-user-account-control-and-
security-boundaries/
“What’s a security boundary? It’s a wall
through which code and data can’t pass
without the authorization of a security
policy. “ - Mark Russinovich

Security Boundary?
8
https://web.archive.org/web/20070303183621/http://microsofttech.fr.edgesuite.net/msexp/downloa
d/0370/0370_pres.zip

1.
UAC/Integrity
Level Overview
How these tie together
9

Integrity Levels
 An Integrity Level is assigned to a security access
token
 Defined by SID; assists in Access Control for various
OS components
 Mandatory access token policies
 TOKEN_MANDATORY_NO_WRITE_UP,
TOKEN_MANDATORY_NEW_PROCESS_MIN
 The Security Reference Monitor compares the
user/group SIDs in the security access token with
the ACL on an object to determine access 10

Integrity Levels
11
https://msdn.microsoft.com/en-us/library/bb625963.aspx

Integrity Levels
 When researching UAC, we are mostly interested
in 2 integrity levels:
 High Integrity (HI) security access tokens ==
Administrator
 Medium Integrity (MI) security access token ==
Normal user
 Split-Token admin processes are assigned a MI
security access token
 Elevation via UAC == granted HI security access
token 12

UAC Levels
 UAC level determines the notification level
 Technically 4 levels: Always Notify, Notify (Secure
Desktop), Notify (No Secure Desktop), Never
Notify
 Realistically, there are only 2 we care about
 Always Notify and the Default (Notify w/ Secure
Desktop)
13

14

2.
Bypass Research
Overview
A Quick Example
15

Purpose
 Silently obtain a HI security access token without
raising suspicion to the user
 Often executed from an agent (Meterpreter, Empire,
Beacon, etc.)
 You aren’t bypassing anything if you elevate while
logged in via the GUI
 At that point, you can just click “Yes” on the UAC
prompt...
16

Don’t be this guy....
17

Elevation Objects
 Identify objects that silently elevate
 Scheduled Tasks, Auto-Elevate Windows Binaries,
COM interfaces, etc.
 Take these objects and trace their various
execution behavior
 Determine any locations these objects interact with
that a MI process can manipulate
 Can be registry keys, files, folders, etc.
18

Elevation Objects
19

Elevation Objects
20

Abusing These Objects
 After identifying an object that reads from a
location you can modify, determine how to abuse
it
 Registry key additions
 Environment variable manipulation
 Winning a race condition
 After modifying, these elevating objects should
read and pull your payload 21

Abusing These Objects
22

3.
Bypass Evolution
Then there was light
23

Disclaimer
 There are many public UAC bypasses that
currently exist
 Most definitive source for all bypasses is @hfireF0x’s
UACME project: https://github.com/hfiref0x/UACME
 This section only highlights the evolution of
bypass tradecraft, not specific techniques.
 I will not cover every bypass nor every technique (we
would be here for hours)
24

IFileOperation
 Leo Davidson released PoC code in 2009
 One of the first UAC bypasses to publically be
released
 IFileOperation::CopyItem()
 Has to be invoked from inside a Microsoft signed
binary (can be spoofed)
 A privilege file copy opens up the possibility for a
DLLHijack
 Fixed in Windows 10 RS2 (15007)
25

IFileOperation
26
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Bypass-UAC/Bypass-UAC.ps1
https://youtu.be/HPozzQHJez0

WUSA
 Original Finder: Vozzie
 Windows Update Standalone Installer
 Auto-Elevating Windows binary
 Pre-Windows 10, has an “/extract” flag
 Allows extraction of a cab from one location to another
 Cab a payload using makecab and perform a
privileged file copy using: wusa <path> /extract
<path> 27

WUSA
28
https://youtu.be/HPozzQHJez0

Registry Modification (eventvwr.exe)
 Abuses Registry verb handlers
 Shellopencommand, isolatedCommand, etc
 These values determine the binary and parameters for
a specified verb
 Many binaries can be used here
 More: https://enigma0x3.net/2016/08/15/fileless-
uac-bypass-using-eventvwr-exe-and-registry-hijacking/
29

Registry Modification (eventvwr.exe)
30

Registry Modification (eventvwr.exe)
31

Registry Modification (eventvwr.exe)
32
https://youtu.be/vauUN_vaL8I

33
https://twitter.com/JohnLaTwC/status/817010045464367111

Registry Modification (eventvwr.exe)
◈ Microsoft actually issued a fix in Windows 10 RS2 (15031)
34http://www.winhelponline.com/blog/microsoft-fixes-eventvwr-exe-uac-bypass-exploit-windows-10-
creators-update/

Race Condition (Disk Cleanup)
 Found by @mattifestation/@enigma0x3
 Windows 10 Scheduled Task with “Run with
Highest Privileges” set
 Creates a folder in %localappdata%Temp<guid>
 Executes dismhost.exe in a HI context
 Dismhost.exe loads DLLs from the temp directory
 Fixed in Windows 10 RS2 (15031)
35

Race Condition (Disk Cleanup)
36

Race Condition (Disk Cleanup)
37

Race Condition (Disk Cleanup)
38

Race Condition (Disk Cleanup)
39
https://youtu.be/tryZ_45kQOw

Environment Variables (Disk
Cleanup)
 Discovered by James Forshaw (@tiraniddo)
 Same Scheduled Task as the Race Condition
 Utilizes an environment variable in its action
 These environment variables can be modified
without elevation
 HKEY_CURRENT_USEREnvironment
40

Environment Variables (Disk
Cleanup)
41https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html

Environment Variables (Disk
Cleanup)
 Hijacking the %windir% environment variable can
lead to silent elevation when the task is ran
 reg add hkcuEnvironment /v windir /d "cmd /K reg
delete hkcuEnvironment /v windir /f && REM “
 More:
https://tyranidslair.blogspot.com/2017/05/exploitin
g-environment-variables-in.html
42

Environment Variables (Disk
Cleanup)
43
https://youtu.be/KQC7wAEMsTQ

COM Hijacking
 Finders: @FuzzySec/@enigma0x3
 Hijack InProcServer32, Server or LocalServer32 &
invoke an auto-elevating binary that instantiates
that COM object
 Our malicious binary loads
44

COM Hijacking
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USERSoftwareClassesCLSI
D{0A29FF9E-7F9C-4437-8B11-F424491E3931}]
[HKEY_CURRENT_USERSoftwareClassesCLSI
D{0A29FF9E-7F9C-4437-8B11-
F424491E3931}Server]
@="C:UsersMattDesktopMessageBox64.dll
" 45

COM Hijacking
46
https://youtu.be/0tD7wHvblmA

Token Manipulation
 Discovered by James Forshaw (@tiraniddo):
 https://tyranidslair.blogspot.com/2017/05/reading-
your-way-around-uac-part-1.html
 Weaponized by Ruben Boonen (@fuzzysec)
 Forget auto-elevating objects…
 Uses DuplicateTokenEx() to duplicate a HI token &
calls CreateProcessWithLogonW() with that new token
 Results in an Always Notify bypass without any
OS modifications :-) 47

Token Manipulation
48
https://youtu.be/xpbC9M2sGpM

Token Manipulation
49
 https://github.com/FuzzySecurity/PowerShell-
Suite/blob/master/UAC-TokenMagic.ps1 by
@fuzzysec
 Took @tiraniddo’s post and weaponized it
 Uses Add-Type to interface with the Win32 API
 Compiles and drops files to disk 

Token Manipulation
50
 Re-implemented via PSReflect 
 https://github.com/enigma0x3/Misc-PowerShell-
Stuff/blob/master/Invoke-TokenDuplication.ps1
 Enumerates process list and checks for a process
with a HI security access token
 When one is found, uses that ProcID to elevate
 If one is not, starts one via the RunAs verb

4.
Mitigations
Let’s Be Real
51

Local Admin Accounts
◈ Every environment I have ever operated in had a
percentage of users that were local administrators
on their own host...
52

Stop Running as a Local
Administrator
 Why do users need to be local administrators?
 Stop it.
 Seriously.
 Practice real least privilege
 pls.
53

CREDITS
 Special Thanks:
 James Forshaw (@tiraniddo)
 Ruben Boonen (@FuzzySec)
 Matt Graeber (@mattifestation)
 @hfiref0x
 & many more for their great research!
54

55
THANKS!
Any questions?
@enigma0x3
matt@specterops.io

Resources
 https://blogs.technet.microsoft.com/markrussinovich/2007/
02/12/psexec-user-account-control-and-security-
boundaries/
 https://github.com/FuzzySecurity/DefCon25
 https://github.com/hfiref0x/UACME
 https://github.com/enigma0x3/Misc-PowerShell-
Stuff/blob/master/Invoke-TokenDuplication.ps1 56