Windows 11 UAC Bypass in Modern Malware – ANY.RUN’s Cybersecurity Blog

The post surveys Windows 11 UAC bypass methods used by modern malware: exploitation of COM interfaces that carry the Auto-Elevate property, registry-based bypass via the ms-settings/DelegateExecute keys, and an Infinite UAC Prompt Loop driven by social engineering. It cites Formbook and LockBit as examples and provides detection tips and strategic takeaways. #Formbook #LockBit #BlankGrabber #cmstplua #colorui #wscui_cpl #DelegateExecute #fodhelper #UACBypass

Keypoints

  • Three main UAC bypass methods are highlighted: exploitation of COM interfaces with Auto-Elevate, modification of the ms-settings registry branch, and an Infinite UAC Prompt Loop.
  • COM-based bypass relies on elevated COM objects; specific GUIDs and objects are identified as commonly leveraged vectors.
  • COM objects mentioned include cmstplua.dll, colorui.dll, and wscui.cpl, tied to elevated execution paths.
  • The registry bypass relies on writing to HKCU:\Software\Classes\ms-settings\shell\open\command and leveraging DelegateExecute to reach HKCR:\ms-settings\shell\open\command.
  • fodhelper is cited as a trigger for bypass via registry modification, enabling elevation without prompts in some setups.
  • An Infinite UAC Prompt Loop is described as a social-engineering tactic that forces user interaction to approve a payload.
  • Detection recommendations include Sigma rules for COM object exploitation and registry-based bypass (proc_creation_win_uac_bypass_icmluautil.yml and registry_set_bypass_uac_using_delegateexecute.yml).

MITRE Techniques

  • [T1548.002] Bypass User Account Control – Exploitation of COM interfaces with the Auto-Elevate property. Quote: ‘Elevation Enable (cmstplua COM-object)’ and ‘This means that the given object runs with elevated privileges without the UAC window appearing.’
  • [T1112] Modify Registry – Modifying the ms-settings Registry Branch and DelegateExecute Key. Quote: ‘This method works because some programs (like fodhelper) start with elevated privileges and access the non-existent HKCU:\Software\Classes\ms-settings\shell\open\command registry branch, and only then the existing HKCR:\ms-settings\shell\open\command branch. Also, the first branch is writable with the current user’s rights.’
  • [T1218] Signed Binary Proxy Execution – fodhelper-based bypass used to facilitate elevation. Quote: ‘some programs (like fodhelper) start with elevated privileges and access the non-existent HKCU:\Software\Classes\ms-settings\shell\open\command…’
  • [T1204] User Execution – Infinite UAC Prompt Loop. Quote: ‘In this method, the UAC window repeatedly prompts the user to open an application. It’s impossible to close, so the user has no choice but to agree to run the application.’
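As an added illustration (not code from the ANY.RUN post), a Python detector that applies the behaviours described above to Sysmon-style events: writes to the per-user ms-settings handler key that fodhelper reads first, DllHost.exe surrogates started for the auto-elevating CLSIDs listed under Indicators of Compromise, and child processes of fodhelper.exe (which normally spawns none). The events, SID and paths are constructed placeholders, and the rule names are mine rather than the Sigma rule names cited in the Keypoints.

```python
import re

# CLSIDs of the auto-elevated COM objects named in the post (cmstplua, colorui, wscui.cpl).
AUTOELEVATE_CLSIDS = {
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}": "cmstplua.dll",
    "{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}": "colorui.dll",
    "{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}": "wscui.cpl",
}
# Sysmon Event ID 13 TargetObject for the writable per-user handler key fodhelper consults first.
MS_SETTINGS_KEY = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\ms-settings\\shell\\open\\command\\"
    r"(DelegateExecute|\(Default\))$", re.IGNORECASE)
PROCESSID_RE = re.compile(r"/Processid:(\{[0-9A-F-]{36}\})", re.IGNORECASE)


def detect_uac_bypass(events):
    """Return (rule, image, detail) tuples for events matching the three behaviours."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13 and MS_SETTINGS_KEY.match(ev["TargetObject"]):
            findings.append(("ms_settings_delegateexecute_write", ev["Image"], ev["TargetObject"]))
        elif ev["EventID"] == 1:
            parent = ev.get("ParentImage", "").lower()
            m = PROCESSID_RE.search(ev.get("CommandLine", ""))
            if m and m.group(1).upper() in AUTOELEVATE_CLSIDS:
                findings.append(("autoelevate_com_surrogate", ev["Image"], AUTOELEVATE_CLSIDS[m.group(1).upper()]))
            elif parent.endswith("\\fodhelper.exe"):
                # fodhelper.exe normally spawns nothing; a child here is the hijacked ms-settings handler.
                findings.append(("fodhelper_child_process", ev["Image"], ev["ParentImage"]))
    return findings


# Constructed Sysmon-style events (not from the post); SID and paths are placeholders.
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\stage.exe",
     "TargetObject": SID + r"\Software\Classes\ms-settings\shell\open\command\DelegateExecute"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # benign per-user file association
     "TargetObject": SID + r"\Software\Classes\.log\shell\open\command\(Default)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},  # placeholder CLSID
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for rule, image, detail in detect_uac_bypass(SAMPLE_EVENTS):
        print(f"{rule:36} {image} -> {detail}")
```

The second registry event and the placeholder-CLSID DllHost launch are deliberate negatives, so a real feed of Sysmon 1/13 events should produce only the three findings shown.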

Indicators of Compromise

  • [Registry] HKCU and HKCR registry keys used for UAC bypass – examples: HKCU:\Software\Classes\ms-settings\shell\open\command, HKCR:\ms-settings\shell\open\command
  • [COM GUID] COM object identifiers used for elevated execution – examples: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, {D2E7041B-2927-42fb-8E9F-7CE93B6DC937}, {E9495B87-D950-4AB5-87A5-FF6D70BF3E90}
  • [Process] CommandLine indicators showing COM object usage – examples: CommandLine:"Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", CommandLine:"Processid:{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}"
  • [URL] Threat intelligence lookup and analysis links referenced for context – examples: https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=windows11_uac_bypass&utm_term=210524&utm_content=linktolookuplanding
  • [URL] Article/landing page links used for context – examples: https://any.run/cybersecurity-blog/cybersecurity-blog/windows11-uac-bypass/ (original post source)

Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/windows11-uac-bypass/