Bypass User Account Control (T1088)

Technique & Subtechniques

  • Bypass User Account Control

Associated Tactics

  • Defense Evasion
  • Privilege Escalation

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Procedure Examples

Source(s)

  • Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016. Source: TechNet How UAC Works
  • Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016. Source: TechNet Inside UAC
  • Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016. Source: MSDN COM Elevation
  • Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014. Source: Davidson Windows
  • UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016. Source: Github UACMe
  • Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016. Source: enigma0x3 Fileless UAC Bypass
  • Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016. Source: Fortinet Fareit
  • Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016. Source: SANS UAC Bypass
  • Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017. Source: enigma0x3 sdclt app paths
  • Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017. Source: enigma0x3 sdclt bypass