Threat Hunt Deep Dives: User Account Control Bypass Via Registry Modification

User Account Control (UAC) Bypass is a clever method that can be used for privilege escalation either manually or via scripts and can be exploited using various methods. This video covers the Registry Key Modification method, one that abuses registry keys by creating or modifying values that some trusted Windows executables look for during their process execution. The goal of this technique is to bypass the 'sometimes annoying' User Account Control pop up that stops users from doing what they wanted to do, by targeting the executables that are designed to run at an elevated privilege level.

According to researchers, the best way to mitigate is to set the User Account Control settings to "Always Notify" which we will test in the video. But how much can this really protect the machine? Especially if the adversary can modify the UAC settings to hide their tracks!

This episode will provide you with a demonstration on how this looks as well as some detections and basic queries that you can use in your own environment!

https://youtu.be/U45hJN2dPgo

Sample Queries

Process Create:

(EventCode=4688 (WineventLog) OR EventCode=1 (Sysmon)) AND (RegistryKeyPath="Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" OR RegistryKeyPath="Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe")

Registry Key Modification:

EventCode=4657 (WineventLog) OR EventCode=13 (Sysmon) AND (RegistryKeyPath="Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" OR RegistryKeyPath="Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe")

Powershell Script Logging:

EventCode=4104 (Powershell Logging) AND (RegistryKeyPath="Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" OR RegistryKeyPath="Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe")