Wednesday, November 4, 2020

People That

Succ 

(c) Andrea Allievi aka aall64
Pic 1. What is all about.

When you interact with software and it developing company (in face of some developers) sometimes you meet a bunch of company fanatics. Those are people who actually jumped into the wagon not so long time ago but already think they are part/have rights on anything - they are deeply identify themselves with company they are working now. It is of course true if we take this from the commercial point of view and inter company communications. From the other (public) side this creates a problem of fanaticism. It is when you are become brainwashed at that level so you start to see things that does not exist. This depends on people but unfortunately it is a common trend. And they are not necessary devil advocates.

For example, any criticism targeting products of their company they take with pain in their own asses. And it does not matter if this criticism is valid or not.

Usually it starts with classic sentence - "If you don't %verb% %my company/product% then why you still %verb% it". E.g. - "if you don't like Windows then why you still use it". Such sentences used as a typical indicator of upcoming demagogy attack next.

So what is all about?

Meet the proud Microsoft fanatic who are unhappy with recent blogpost I made.

Pic 2. Meet aall64.
 

Long story short - he read (as he said) that https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html. This ignited his butt very well and he went to me expressing his deep displeasure along with the demonstration of a rich imagination and the ability to see what is not exist.

Who is this guy? It is Microsoft employee that formerly worked in PrevX. Infamous MD5 calculators NextGen AV developing company with always lurking copy-pasters on various forums and EraserHW (Marco G.) as main PR man at charge who was linked to the fake overestimated malware campaigns of Gromozon/LinkOptimizer in 2006. This toxic active has been acquired by Webroot in the end of 2010 and later went to special hell dedicated for hash calculators NextGen AV. Andrea is a current co-author of that yet another full of water Russinovich book edition (which 3rd edition copy I accidentally bought in 2006, when actually liked it those days). Also he is a "proud Microsoft guy" (as he said). I know about him 10 years. This guy come up to kernelmode.info in 2010 with his pet project called AntiTdl. He come here after advice from wilderssecurity.com forums where he initially posted his project. Casuals from that forum wasn't happy with it (they wasn't able to deal with it), so following their advice he registered on kernelmode.info and posted stuff. That is how we meet. This project was already out-dated, extremely bugged and was basically useless. However no one said a word against it, and KM community (including me) welcomed and provided all possible support to this author. Because sharing knowledge is always great idea. You can find this in kernelmode.info by searching with google "antitdl site:kernelmode.info". Next he come up to TDL4 reversing and other kind of bootkits, along the way he did plagiarism on existing content (https://twitter.com/Fyyre/status/155383565943701504). 

Pic 3. 2 years delay reply, rofl.
 

Next there was something about PatchGuard (another doubtful technology from MS) and he ended up surprisingly in Microsoft. I actually glad that he made his way from a mediocre half-fake AV company to the MSFT, good job.

Here is what exactly he does not like in my mentioned article about UAC. I specifically asked him about this because his initial claims has nothing to do with actual article context - it simple does not have anything he said. This is what he answered to me in a DM which I next made public.

Pic 4. "I see dead people everywhere".

To make it more readable, here is the part of article as screenshot.

Pic 5. Comedy Section Bonus part screenshot.

First, lets begin with "edited" statement.

His first tweet with accusations was 29 October 2020, it is on picture 2. The DM conversation take place 31 October 2020. So following this guy logic (I really hope it is not the same when he code anything), I edited material in between of his first tweet (29 Oct) and my answer to it few hours later.

Unfortunately to this guy there is a Google Cache of my blogpost available from 27 October -> https://webcache.googleusercontent.com/search?q=cache:_dzbCypL044J:https://swapcontext.blogspot.com/2020/+&cd=5&hl=ru&ct=clnk&gl=en&client=firefox-b-d (this google cache page saved to WebArchive additionally now).

This article has never been edited after publication. I have no habit of changing anything after it became public, except and only if I fix typos. However, if you remember his glorious way to Microsoft, you should remember this guy already familiar with plagiarism so probably he just projected his own habits on me.

Since we are dealing with a typical fanatic he still can claim that he read it before 27 Oct (and I don't have google cache earlier that date), so I magically got notified about that reading fact, magically imagined his reaction and edited content doing that in a stealth mode. It is ridiculous but from this guy I can expect anything now.

The context of the bonus of this article is describing typical social media behavior taking place each year. So this part "Woohoo, Windoze Byp@$$3d M1cr0$0ft SuXx!" is not my words and not a projection of my options. It is what people say and mean. I don't know Andrea aka aall86, are you seriously thinking you are dealing with a sort of 14 year old script-kiddie here? What is the 86 here btw, year of birth or IQ rate?

The last part about "s3curity r3s3arch3rs", I've to decipher to Andrea, is about mister "DimopoulosElias" a guy who stuck in copy-pasta, use google for more info. Now put here your imagined "MiCro$oft sucks" and try to read this sentence again. It actually will lose all sense.

All these lying accusations is just weak attempt to hide actual reason of Andrea butt ignition. If you read this article it contains a lot of criticism. And harsh part related to Windows Defender. It is not the first time Andrea come ups trying to defend this crappy Microsoft imposed product. The last time he was defending that brain-dead Microsoft employees who multiple times signatured Process Hacker - popular open source software. So this guy read this vertically, butt ignited and he hang on the most notable sentences for him from this article (the magic number of 86 don't forget) completely ignoring not only their context but actual text, because I don't know what kind of reading skills you should have to read "s3curity r3s3arch3rs" as "MiCro$oft sucks" 😆

Pic 6. DM part


Yes, you just a dumbfuck fanatic 👌. Mister aall86 insisted during "conversation" via DM so he got a dedicated blogpost, achievement unlocked.

Conclusions:

1. Always backup your original content with ability for others track any changes in it. You can use WebArchive and save your page after publication or copy contents to the some public git repository, so everybody will be able do a simple fact-check and track exact changes.

2. PrevX as indicator in people portfolio. Take such guys with a caution. Yes it is a sad thing but almost all of them I know ended up to be like this guy. It is PrevX curse and knowing this company past and key personalities of it - I should not be that surprised.

3. Since all his content now viewed through the prism of the above events - as of the "book" he co-writes - well, thankfully, it is now 2020 and not 2001-2005 so if you for some unknown reason still want to learn anything(new) about Windows internals you can always find a alternate way instead of this water pool. Remember one simple thing - since beginning, this book was a perfect illustration of Microsoft inability to write somewhat decent public documentation, MSDN is when they do this not because they want to, but because they have to. That's explains failing quality of available content. And to compensate this here we came up with sort of fan-fictions which are approved and welcomed by company.

Monday, November 2, 2020

UAC bypasses from COMAutoApprovalList

Intro

(This post is made with permission of Arush Agarampur - an original author of all methods described below). 

Here and below we assume Windows user account created by default with default settings. Windows COM object model is a complicated technology and is an essential part of almost every UAC bypass since Windows 7 release in 2009. The point of interest in this technology is a set of classes with enabled elevation, thus when you run interfaces based on them you can skip confirmation dialog from consent.exe (depending on UAC settings).

The definition of this elevation enabled class must look like this:

HKEY_CLASSES_ROOT\CLSID
   {CLSID}
       Elevation
          Enabled: 1

Live example:

Pic 1. SPPLUAObject Class.

These entries always exist only in HKEY_LOCAL_MACHINE (HKEY_CLASSES_ROOT is just a subkey of HKLM\Software) and during elevation process Windows expect them to be only in this hive. This automatically prevents users from elevating COM classes they did not have the privileges to register and prevent altering existing keys because of permissions set on these keys.

There is a few utilities that can help you walk through COM classes in the Windows. First is a very old tool from Microsoft - "OleView - OLE-COM Object Viewer" shipped together with Visual C++, and second is a relatively new tool from James Forshaw "OleView.NET", available with source at https://github.com/tyranid/oleviewdotnet 

Both are good enough for our task and I can suggest you try them all. Forshaw tool however has some features that especially very handy for our task and which MS OleView does not have.

What happens when elevated COM object created? 

There are few types of COM classes and they are handled differently. Here are the types that are used in this article described UAC bypass methods:

COM class that support elevation with linked dll that implements this class (it is specified in InProcServer32 registry subkey). A special application called DllHost.exe will be started with High IL and command line parameter /ProcessId:{CLSID} where CLSID belongs to requested COM class. Internally this is managed by combase.dll. This mechanic is called Dll Surrogate. The idea behind this is a very similar to that used in SCM with svchost.exe application instances hosting service dlls. In short - the requested code will be loaded in additional process and in case of critical failure this process will die leaving requestor alive and able to respond. In case of COM classes it also makes possible transparent elevation when your requestor code will still be running at Medium IL and COM code will run at High IL in separate process.

COM class that supports elevation and has LocalServer32 subkey set, which specifies the location of the COM server application to launch (parameter ServerExecutable). Server executable will have "-Embedding" parameter set as command line.

That is important part as some security researchers can assume that for elevation detection is enough inspect DllHost.exe parameters in logs. No, it is not sufficient indicator as it won't cover case above when default system-supplied surrogate is not used.

Pic 2. OleView.NET DllHost.exe surrogate listing.
 

Number of such autoelevated COM classes is a really big. Just a small list of them available in kernelmode.info archive Autoelevated COM objects, list (win7-win10). However starting from Windows 10 RS1 even if COM class has elevation ability enabled it doesn't mean it will be elevated. This innovation was a part of complex UAC update introduced in Redstone 1.  

Special COMAutoApprovalList was introduced (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList). Location of this list prevents it from being edited without sufficient privileges.

Pic 3. COMAutoApprovalList as seen on Redstone 5.

It values are checked by consent.exe in the internal function named CuiIsCOMClassAutoApprovable called from CuiCheckElevationAutoApprovalMedium before processing COM class as autoelevated. This gives Windows ability to selectively ban autoelevation of arbitrary COM class without modification of existing registry keys and further impact on applications. Introduction of this list already blocked several UAC bypass methods based on autoelevated COM objects (UninstallStringLauncher and CreateNewLink). From the attacker perspective this save a lot of time validating existing UAC bypass methods. This list is also working as a starting point for exploring undiscovered UAC bypasses and few of them described next.

ActiveX Install Broker UAC bypass

The first method based on autoelevated COM object with CLSID {BDB57FF2-79B9-4205-9447-F5FE85F37312}, this is "Internet Explorer Add-on Installer" coclass. This COM object already has an exploitation backstory. In 2014 it was mentioned in the "Digging for Sandbox Escapes" at BlackHat 2014 USA by James Forshaw as part of attack surface in IE sandbox breakouts. It seems this particular usage was addressed by Microsoft later, however this COM object is still valuable for UAC bypass. This coclass contain several interfaces and from revese-engineering and behavior analysis two of them are of interest to us.

  1. IexAxiAdminInstaller
  2. IeAxiInstaller2

Pic 4. Internet Explorer Add-on Installer class interfaces.

This type of COM uses server executable that hosts code. In this case server executable is "C:\Program Files\Internet Explorer\IEInstal.exe" and exactly it will be started when instance of class will be created. These interfaces allows running specific file via RunSetupCommand method which is the part of IEAxiInstaller2 interface. This method is pretty much similar to RunSetupCommand documented on MSDN https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa768010(v=vs.85).

Thus main idea here is to force this method execute our file as "setup command", since this host application is elevated our code will also be elevated and UAC will be bypassed.

The full call chain following to the "setup command" execution is the following:

  1. Allocate elevated object of IEAxiAdminInstaller (CLSID: {BDB57FF2-79B9-4205-9447-F5FE85F37312}, IID: {9AEA8A59-E0C9-40F1-87DD-757061D56177}).
  2. Initialize admin installation by calling IEAxiAdminInstaller->InitializeAdminInstaller. This will give us unique string GUID that is used in further calls.
  3. Query IEAxiInstaller2 broker object with QueryInterface from IEAxiAdminInstaller. (IID: {BC0EC710-A3ED-4F99-B14F-5FD59FDACEA3})
  4. IEAxiInstaller2 calls VerifyFile method. This routine will copy file (which is given as method parameter) with slightly modified name to the newly created temp directory which has modify permissions granted to Administrators and resides inside current user temporary directory. Next it will do WinVerifyTrust over that file. If file is not signed by MS or something went wrong - method will return error. Note that signature must be embedded, as it seems this method won't check files signed via catalog.
  5. IEAxiInstaller2 calls RunSetupCommand with parameter set to previously validated file.

The problem here is that temporary directory created during VerifyFile call has modify permissions granted to the Administators so we can use another autoelevated COM interface - well known IFileOperation and alter data inside this folder. However we need to do this after VerifyFile call and before RunSetupCommand otherwise nothing will work. Also we cannot use RunSetupCommand to run something with advanced command line - Microsoft code validates command line and does not expects anything advanced in it, otherwise causing method to return failure. File to verify also must be signed by Microsoft with embedded signature. Here is how we can alter above call scheme and bypass UAC.

  1. Same as before.
  2. Same as before.
  3. Same as before.
  4. Call IEAxiInstaller2->VerifyFile on Microsoft binary from system32, something lightweight with embedded digital signature like for example our beloved consent.exe. It will be copied to temp folder with new name. Remember new name (for our example [1]consent.exe) and location (inside newly created temporary directory in user temp).
  5. Allocate IFileOperation object and use it to replace [1]consent.exe with our payload executable. Name must be the same -> [1]consent.exe.
  6. Run IEAxiInstaller2->RunSetupCommand with parameter set to the forged file.
  7. ...
  8. Profit.

Don't forget to kill temp directory after this method completion. This method implemented in UACMe v3.5.1 as #64. Original author implementation can be found in "References" at the end of this article.

Security Center UAC Bypass 

Second method based on autoelevated COM object with CLSID {E9495B87-D950-4AB5-87A5-FF6D70BF3E90}, this is Security Center and it uses default system-supplied surrogate DllHost.exe.

Pic 5. Security Center class.


IWscAdmin interface is of interest here. It has method called
DoModalSecurityAction which depending on supplied parameters calls ShellExecuteExW. This call is done with URL as parameter. In our case it is "http://go.microsoft.com/fwlink/?LinkId=534032". 

How this can be turned into fully working UAC bypass? Because we are dealing with over-complicated Windows Shell it is very simple but at first glance you can miss this opportunity. We can hijack shell protocol handler "http" for current user and force it use our payload thus instead of browser you will have our payload executed when ShellExecuteExW will be called with this URL as parameter.

Hijacking protocol handler is the main problem here. Before Windows 8 it is all simple - you just create protocol handler key and then modify HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice ProgId value with that name. With Windows 8 and above it is all complicated because protocol settings now encrypted and verified with a hash, so we cannot change it like before anymore. Personally, I don't really know purpose of this, was it result of "set %browser% as default app" wars or whatever, so this change for me is just annoying. In Windows 10 it is all now managed with help of SystemSettings application. Reverse engineering of this app in recent Windows 10 versions shows it uses call to SystemSettings.Handlers.dll!SetUserAssoc internal function to perform association. This suggest it can be used for our task. However to make it compatible with all Windows versions starting from 7 up to recent 10 it was required to dig deeper and locate the key function which is the same for all versions. 

And it was found, it is unexported shell32.dll function called UserAssocSet, it present in Windows at least since Windows XP. The SetUserAssoc function later pass it parameters to UserAssocSet call where this function looks like completely copy-pasted from shell32.dll to the SystemSettings.Handlers.dll.

Quick googling for that symbol revealed interesting article in Chinese which is covering detective story of finding and understand how all this brand new association works. Author(s) used it to register browser default app. Link to it included in the References at the end of this article. So final steps for this UAC bypass method are the following:

  1. Create registry protocol entry somewhere in HKEY_CURRENT_USER\Software\Classes.
  2. Query UserAssocSet function address from shell32.dll .text section using known patterns. 
  3. Register new association for "http" by calling UserAssocSet with first parameter set to UASET_PROGID.
  4. Allocate elevated object IWscAdmin (CLSID: {E9495B87-D950-4AB5-87A5-FF6D70BF3E90}, IID: {49ACAA99-F009-4524-9D2A-D751C9A38F60}).
  5. Call IWscAdmin->Initialize (it is required for interface to work as it contain some GUI stuff).
  6. Call IWscAdmin->DoModalSecurityAction with "action" parameter set to 103 to trigger ShellExecuteEx call.
  7. ...
  8. Profit.

During analysis of shell32 from number of Windows 10 builds it was found out that UserAssocSet is a subject of multiple internal changes, including number of parameters and functions from where this routine called. However first three parameters of it are always the same and generic prototype of this routine doesn't changed since Windows XP.

 HRESULT UserAssocSet(
    UASET set,
    LPCWSTR pszExt,
    LPCWSTR pszSet,
    [DWORD dwFlags]);

dwFlags parameter is variable and may present on some Windows 10 builds and not present on others. It is another enumeration of type ASSOC_MAKE_DEFAULT_FLAGS which complete definition is unknown and out of interest for us. However Windows 10 versions that has this parameter require it to be set to specific value which can be determinated with disassembler.

Association registration maybe removed later with another call of UserAssocSet this time with first parameter set to UASET_CLEAR. This UAC bypass method implemented in UACMe v3.5.2 as #65. It uses signature search method to locate UserAssocSet

In attempt to improve signature search I've looked on possibility of going out directly to internal routine that has this UserAssocSet call through IApplicationAssociationRegistration interface (https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iapplicationassociationregistration). In the mentioned Chinese article author(s) used this interface to get to the internal one (called surprisingly as IApplicationAssociationRegistrationInternal) and use methods from it. By the way you can ignore what MSDN says about this interface limitations - MSDN information is a partial lie. Unfortunately Microsoft altered this interface heavily since this article publication. They not only changed interface ID but also redesigned methods so they does not have call to UserAssocSet now. I will leave this question to those who want to improve method.

P.S.

As you can see COM autoelevation objects are still have a lot of potential even 11 years after Windows 7 release. No doubt there are more surprises still need to be revealed as this is classic security through obscurity model.

Monday, October 5, 2020

UACMe 3.5, WD and the ways of mitigation

Intro

(warning this post if quite long)

UACMe is a demonstrator tool initially developed following WinNT/Pitou research. It contains set of User Account Control (UAC) bypass methods, where most of them initially extracted from ITW malware.

Pic 1. Typical UAC window (IFileOperation).
 

More about UACMe and Microsoft way of fixing "not a security boundary" (and side effects of these fixes) you can read at kernelmode.info archive. Since initial release in the December 2014 a total number of added UAC bypass methods counted 63. It maybe astonishing number at first glance but keep in mind that around ~20% of these methods are combinations of each other, any change made by Microsoft to fix designated method will ruin not only this method but also automatically everything where it was used. A perfect example is methods based on ISecurityEditor undocumented autoelevated interface used by Win32/Simda (previously wide-spread malware family with Russian origin). When Microsoft altered this interface forcing it to work only with file objects this ruined not only original Simda method but also method that used Application Verifier dll planting (later this method was also used in some ITW malware). However this does not mean UACMe doesn't have measures against these fixes where they are available. Several methods have different ways of execution depending on current Windows version where they expect original implementation to be fixed or unavailable by different reasons. Anyway - don't take UACMe methods counter as an indicator of anything.

With these number of methods codebase has ridiculously grown and because it late 2020 it was decided to drop everything that does not work or have been fixed on current mainstream Windows version. 

Microsoft fixes to UAC, while there are plenty of them, almost never been backported to previous Windows versions. Only exceptions are: generic fuckup in media (like in case of some APT causing MS drop UAC fix as part of their bulletin) or as part of big rollup update (Windows 7). Just keep in mind that UAC become "not a security boundary" when it was fucked up by Microsoft marketing specialists with Windows Vista.

Currently Windows 10 pushing major updates 1-2 times per year. As for now, Windows 7 and 8/8.1 out of the box settings render their UAC almost transparent to threats due to fundamental design flaws revealed in the UAC implementation over time. Not surprisingly all methods that bound on Windows 7 are dropped in UACMe 3.5+. It is time to move on.

The last major UAC update in Windows 10 was in RS1 release (14393) where they massively updated appinfo (UAC service with implementation inside appinfo.dll) and reviewed several other things. Since that time they released only some sporadic updates targeting some specific methods. However this does not mean they do nothing. Not at all.

Windows Defender to the rescue

This Microsoft aggressively imposed "product" that ships with Windows 10 (now even Server) and it general purposes are:

1. Massively affect PC performance;

2. Imitate protection from threats by detecting open source projects, collections of out-dated malware and various script-kiddie junk;

3. Have an option to work as selective backdoor (hello Kaspersky GRU mode 🙀);

4. Take a share on AV global market.

Windows Defender is the thing you don't need at all. At least if you capable of being a master of your PC not slave of it installed program. Fortunately, despite the Microsoft attempts to harden WD presence, you still can remove it completely from system without side effects.

Regarding to UACMe Windows Defender works as "that guy" who is fixing what OS devs doesn't want to fix. Yes, they selectively and very carefully signatured lots of unfixed UAC bypass methods and UACMe program and it components. However even there MS for some unknown reason leaving wide open window for malware constantly ignoring a very popular methods used ITW and at the same time detecting some of really rare (if even used). On the other side WD installed and updated on systems that has no fancy UAC fixes built-in so it working as the only available lazy fix here 😉

How does it detect it? Windows Defender has a real-time behavior monitoring feature that can catch system events by a bunch of kernel mode filters and callbacks (most of them inside WDFilter.sys driver). A user mode client subscribed to these events and judging on their combinations can predict program behavior thus giving WD ability to check it against set of rules stored in the signatures called "Behavior" in their AV database. There are hundreds of such rules in their database and this number always grows. And of course they have a lot of them regarding possible UAC bypasses. 

Examples of such behavior detection:

The filter reports registry write at specific key which is hardcoded in the WD database. Some program want to change @Default value of current logged user Software\Classess\mscfile\shell\open\command key. Determinate a caller application (if it is an indirect registry write - attempt to locate its initiator). Revert registry change, remediation - check and kill initiator, notify user through message balloon, write logs, quarantine the initiator, if required. Take a hint, this is all done in real-time, involving a lot of highly ineffective code, with a race condition state so if system lags a lot WD actually can miss the moment when initiator effectively launch payload and despite achtung balloon UAC bypass will "pass".

Pic 2. Windows Defender detection with behavior signature (nothing quarantined, its just a WD bullshit).
 

Another example of same kind. We have same registry write event, but our detection rule is more complicated. Now we also check if there is a specific process launch registered - sdclt.exe (Microsoft binary). If so, we are looking for its parameter (it can't be obfuscated as we doesn't control sdclt.exe behavior this way). If this parameter is /kickoffelev - bingo, you got a balloon "Threat detected Behavior:Win32/UacBypassExp.K!sdclt"

Et cetera. There are more than 40 behavior detection signatures targeting UAC bypass attempts at the moment of this writing and this count will highly likely increase. Some of them giving cross detection capabilities.

Does this effective enough? It depends on how much space for maneuver the particular method has. If you out of space and different approach is impossible - WD have won.

However, you should not overestimate WD team capabilities. While they are indeed carefully signatured some of the known methods and combinations in various malware, they are doing this in a way missing any creativity in mind. Or maybe they are incapable of it. So if the method is still technically working on latest Windows 10 and WD has behavior signature for it - it is highly likely we can bypass it by altering method in a way WD does not expect it to work.

Below we will take a tour to the UACMe 3.5 remaining methods, figure out how they can be fixed from OS dev point of view and how WD can be improved to block them completely as "lazy way fix".

UAC Bypass Exploits

 
Everything below tested against full patch Windows 10 (2004), clean install with default settings and fully updated Windows Defender as of 26 September 2020.
 

💥Method #22 

(herein and below numbers are method ids in UACMe list). 

1) Description

This is a dll hijacking method based on internal Windows dll redirection feature called DotLocal (or .local) and relying on IFileOperation autoelevated interface to plant payload files/create required subdirectories structure inside Windows system32 protected directory. It is similar to #21 with different target application, in that case it is consent.exe - this thing is responsible for UAC credentials dialog and launched every time when you start anything that require an elevation (even if it is has autoelevation capabilities). Except providing GUI for UAC this program also responsible for checking autoelevated interfaces to be in special whitelist introduced in the Windows 10 RS1 and called COMAutoApprovalList. If checked interface is not in this list it won't be elevated. UACMe creates a required subdirectory structure in system32 and plants it special module called Fubuki under name comctrl32.dll. Next when consent.exe started this dll loads into consent address space as common controls library, executes payload and terminate consent. Resulting payload will run with LocalSystem (NT Authority\SYSTEM) account rights because consent.exe spawned from UAC service that also runs as LocalSystem. 

2) WD detection

Microsoft has a behavior signatures for this method. Their idea here is to catch the moment when you create subdirectories for planting payload and moment when attacker code moves payload from temporary folder to the target subdirectory in system32. This is strange and incomplete detection as it doesn't cover different scenario when nothing moves anywhere and there is a direct write to this directory from memory.

3) WD detection bypass

Since IFileOperation creates an admin owned directories in system32 we can abuse that fact, create subdirectories as usual and then reset DACL for final subdirectory to allow us write access without elevation. This can be achieved by combing IFileOperation with ISecurityEditor which has been a subject of incomplete fix after Win32/Simda where MS banned it usage for anything else than file objects, previously it was nice autoelevated Set/GetNamedSecurityInfo wrapper.

4) Lazy fix for WD

Obviously you must catch a moment when a file is created inside this DotLocal subdirectory structure. However this can be not enough, as attacker code can use renaming operation, so better solution will be catch both cases and if there is ANY file present (or there is an attempt to write here) in this DotLocal substructure show detect. It is a bit more complicated then what they actually have.

5) Possible fix

When consent.exe started by appinfo service it maybe be started with process mitigation binary policy "Microsoft Signed Only" applied. This even won't require any IFEO keys etc. I've no idea why they didn't bothered to implement this from the beginning. This is especially fun because #21 targeting sysprep.exe was fixed by MS in that way.

💥Method #23

1) Description

This is dll hijacking method based on fact that PkgMgr.exe (whitelisted by UAC service in g_lpAutoApproveEXEList internal list) is being deprecated and works just as launcher for Dism application which is located in system32 subdirectory "Dism". When the Dism application has started, it will search for its dependencies in the system32 as first, then from its home directory. Attacker can plant a payload dll as dismcore.dll to the system32 and then trigger Dism launch by calling PkgMgr.exe with special parameters.

2) WD detection

Windows Defender has several signatures to detect this, their exact dedicated signature called Win32/Disemer and has several variants. They detect it by various things - starting from dismcore.dll file in the system32 (which indeed achtung and red alert as it never happens on real system), and ending up with pkgmgr.exe parameters containing specific tokens.

3) WD detection bypass

First of all, since I was this one who made this method public I'm quite surprised that for a few years of it existence no one actually look on it deeper. It seems both malware and AV industry blindly adapted what was posted on kernelmode.info. If we can trust crowdstrike (dubious security company sometimes serving as a proxy in West info wars campaigns) - even some "APT" used it as is. Actually you can do this bypass in a different way. There is no need in any additional files (packages) to be dropped anywhere and supplied as parameter to pkgmgr. You can just give it complete junk and use something else not only dismcore.dll. However this method has not so much space for maneuvering and can be completely signatured.

4) Lazy fix for WD

Pkgmr execution with ANY parameters following executable code planting as file in the system32.

5) Possible fix

Remove deprecated PkgMgr.exe from appinfo g_lpAutoApproveEXEList. There is no sense in keeping it here. Instead, PkgMgr may have manifest with requested execution level set to "requireAdministrator" and autoelevation blocked or unspecified.

💥Method #30

1) Description

Strictly speaking this is not a true dll hijack, it is more like abusing undocumented feature where this it seems completely for internal debugging. Method based on Wow64 subsystem logger dll. The first public mention about this Wow64 mechanics has been posted more than 10 years ago by lhc645 here. There also was posted wow64log dll source skeleton. The target dll - wow64log.dll must be placed to the system32 folder. Every wow64 application when started will load it and execute dll entry point, thus you can inject this dll to the autoelevated binaries from syswow64 folder. The logger dll must be native otherwise there will be a crash in the target application. This method has a lot of disadvantages and not that much room to maneuver in case of active counteraction from WD. UACMe uses IFileOperation to plant module named Akatsuki - payload dll as wow64log.dll in the system32 folder. This dll is not native and this is done on a purpose. When target application attempts to load this dll it will crash causing launch of WerFault application which is also will be 32 bit but started as LocalSystem. Thus Akatsuki will propagate to WerFault instance(s) and grant payload code NT Authority\SYSTEM access rights.

2) WD detection

Not capable (as of 26 Sep 2020).

3) WD detection bypass

No needed, see above.

4) Lazy fix for WD

Block wow64log.dll loading by default.

5) Possible fix

Block wow64log feature by checking corresponding registry value (lets say REG_DWORD "EnableWow64Logging") somewhere in HKLM with default state set to FALSE(0).

💥Method #32

1) Description

This method implements UAC bypass by window hook set from dll hijacked UIAccess application. As target it abused OSK.exe copied from Windows folder to the %ProgramFiles%\Windows Media Player folder (created if not exist) with help of IFileOperation. This is done for creating conditions required for dll hijack. Target directory selected because it is inside appinfo g_lpIncludePFDirs secure directories whitelist. Next Fubuki planted in the same folder as duser.dll or osksupport.dll depending on Windows version. When OSK.exe starts - variant of this dll loaded and Fubuki code runs on Medium+ integrity level from UIAccess allowed application which enables it dll injection via windows hooks. As target of final injection it uses eventvwr.exe launcher application.

2) WD detection

Not capable (as of 26 Sep 2020).

3) WD detection bypass

No needed, see above.

4) Lazy fix for WD

Easiest and obvious - block dlls planting by folder and name. However there can be different targets and dlls. Ultimate solution would be preventing dll injection at final stage to the high IL process from Medium+ IL as it clearly not something you can expect from such UIAccess applications.

5) Possible fix

UIAccess applications should include manifest with hardened loadFrom elements thus preventing dll hijacking as dll dependencies that are not in KnownDlls will be loaded from manifest specified paths. Microsoft did this in the past with Sysprep.exe (unfortunately this was incomplete fix and it took them few more years to finally harden sysprep from dll hijacking) and for inetmgr.exe.

Pic 3. Sysprep.exe manifest as example.

💥Method #33 (#62)

1) Description

This is a registry key manipulation type bypass. It is similar to infamous Enigma0x3 "mscfile fileless" bypass and the only difference in a key and target application. It abuses fact that Windows Shell will first lookup given class items in the current user registry hive and only after that in local machine. Thus you can control key that later Windows will attempt to parse and execute command from it. Method 33 and 62 has the same code base in UACMe, the only difference is the target applications they involve. It was requested by some of the UACMe users and I didn't mind to fulfill that request.

2) WD detection

Because this is similar to Enigma0x3 methods and widely used ITW by malware Windows Defender has behavior detection signature Behavior:Win32/UACBypassExp.T (with variants). Part of rule including write event to the current user Software\Classes\ms-settings\shell\open\command @Default value and following process execution (fodhelper.exe or computerdefaults.exe - both are Microsoft binaries).

3) WD detection bypass

Windows Defender capable of detecting write event to the hardcoded registry key either direct or indirect using for example reg.exe or Powershell. In fact it doesn't matter, it will detect all writes, indirect write through registry symbolic link or registry transaction. It detects 😉 

How this can be bypassed? We will use the fact that WD is:

A) incapable prevent registry key creation and B) only inspect @Default value change of the last key in the registry path chain. 

Our goal is to redirect key read for Windows Shell from WD inspected key to our fake key with all planted data. To do this we will set registry symbolic link to the "command" registry key in path chain and redirect it to our controlled "command" key somewhere else. WD will read original key and will be happy as it will have the same unmodified @Default value. Windows Shell will reparse registry key when accessing "command" and will read data from "our" key instead. Everybody happy.

4) Lazy fix for WD

Block symbolic link creation for entire registry entry elements, or follow symbolic link and inspect resulting key instead of just reading hardcoded one ignoring reparse. More hardcore solution would be is to block write access at all to these shell keys.

5) Possible fix

Create default empty keys for users and protect them with security descriptor. Windows Shell is over-complicated bullshit so there can be side effects and this require more investigations which is simpler to do when you have all source code.

💥Method #34

1) Description

This is AlwaysNofity compatible method. It abuses environment variables and Microsoft DiskCleanup scheduled task. The idea behind this method is to set your own controlled %windir% environment variable to the registry and then force scheduled task take it resulting in command line injection. Quotes for payload command are required part here as they need for successful command line injection since executable path in scheduled task is not quoted.

2) WD detection

It detects the fact of scheduled task startup and does this by comparing command line of schtaks.exe to have \Microsoft\Windows\DiskCleanup\SilentCleanup substring. If found - then achtung you got Behavior:Win32/SilentCleanupUACBypass 

Note they also prepared for possible other sources - this signature speaks for itself PossibleSchedTasksUACBypass (checks for \Microsoft\Windows sub-string).

3) WD detection bypass

Just don't use schtasks. No one actually forced you to do so. This method is perfect illustration when everybody just simple copy-pasted original. You can do the same what schtasks does with help of Task Scheduler interface objects such as ITaskService, ITaskFolder and IRegisteredTask.

4) Lazy fix for WD

Detect %windir% environment variable modification for current user.

5) Possible fix

Get rid of environment variables for DiskCleanup scheduled task or use quoted path. That %windir% actually was a ridiculous idea.

💥Method #36

1) Description

This method is from infamous SandboxEscaper from those times when he was not yet what he(she/it whatever) is now. Like almost everything from this guy it is based on NTFS reparse point feature and state of race condition. It abuses Wusa behavior which creates hidden temporary directory in the root of the current drive with default security descriptor when processing msu (cab) files. Wusa extracts contents of processed cab file to that temporary directory looking for further instructions inside these files. By setting reparse point on that directory you can redirect Wusa write to specified target directory.

2) WD detection

There is no specific detection signature for this method. However since one variant of it uses Dism hijack similar to method #23 WD detects file planting to the system32 folder with Win32/Disemer signature.

3) WD detection bypass

Similar to #23

4) Lazy fix for WD

Similar to #23

5) Possible fix

Wusa should set security descriptor when creating temporary directory. Something like similar fix has been implemented for method #26 by MS in the past.

💥Method #37

1) Description

It is combination of DotLocal, Wusa race condition methods (#21, #22, #36). It uses Wusa race condition to create DotLocal directory structure and copy file to the system32. Instead of comctrl32 it abuses GdiPlus with target set to DCCW.exe

2) WD detection

Not capable (as of 26 Sep 2020).

3) WD detection bypass

No needed, see above.

4) Lazy fix for WD

Similar to #22 and #36

5) Possible fix

Dccw.exe autoelevation removal.

💥Method #38

1) Description

This method uses appinfo command line parsing spoofing. This requires talking to appinfo via RPC as Windows Shell always build correct command line request when used ShellExecute(Ex). This can be achieved through AicLaunchAdminProcess hook or by direct RPC call. You have to prepare your MMC snap-in and embed in it Shockwave Flash Object which will execute supplied HTML script located somewhere on disk. This HTML code will eventually run your payload through ExecuteShellCommand method.

2) WD detection

Not capable (as of 26 Sep 2020).

3) WD detection bypass

No needed, see above.

4) Lazy fix for WD

This method require file drops. Both fake management console snap-in and html run script can be detected when dropped to the disk. However this is not really reliable. Perhaps you can catch the moment when mmc.exe got started with fake snap-in.

5) Possible fix

Obviously appinfo command line parsing need a tweak so it won't skip arguments in command line without actual check of them.

💥Method #39

1) Description

This is NET Code Profiler method. It entirely rely on setting very specific current user environment variables and registering fake profiler dll which must be dropped to the disk. Then you must select dotnet origin target. In our case it is EventViewer GUI - slow & ridiculously over complicated piece of crap.

2) WD detection

Not capable (as of 26 Sep 2020).

3) WD detection bypass

No needed, see above.

4) Lazy fix for WD

Can be entirely prevented by WD inspecting environment variables regarding CorPofiler path.

5) Possible fix

mmc.exe should not allow loading of non Microsoft binaries in it address space when run with High IL.

💥Method #41

1) Description

Based on ICMLuaUtil autoelevated COM interface which provides a set of methods that can be used to bypass UAC. It allows running arbitrary executable with High IL, deleting and setting arbitrary registry entries with elevation and more.

2) WD detection

WD has multiple behavior signatures for initially presented script based attacks, for example: Behavior:Win32/CICmstp, Behavior:Win32/UacCmstp, Behavior:Win32/SuspParentLaunchingLOLBin, Behavior:Win32/CmstpSuspParent and variants of them. Unfortunately they are completely incapable of preventing this method when it used as it should be. They only signatured script-kiddie junk. Why is that read next. Meanwhile this method is somewhat popular in malware because of it simplicity in raw mode.

3) WD detection bypass

No needed.

4) Lazy fix for WD

This interface is a backdoor by design. It is fully controllable by attacker with attacker defined components and huge space for maneuver. It is hard to trace behavior as it can be various and unpredictable. You can however trace when this interface used for legitimate purposes, log it behavior and compare this trace with occurred event. It doesn't look very reliable however.

5) Possible fix

Remove this interface from COMAutoApprovalList. This will force UAC to show dialog each time this interface called.

💥Method #43

1) Description

This method is a combination of #41 which is used to write arbitrary data to the Windows Registry and another undocumented autoelevated interface called
IColorDataProxy. Main idea here - write custom calibrator setting to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration @DisplayCalibrator and then run it by calling autoelevated IColorDataProxy interface method LaunchDccw. Interface will read custom calibrator value and start this program via ShellExecuteEx call doing that on High IL.

2) WD detection

Not capable (as of 26 Sep 2020).

3) WD detection bypass

No needed.

4) Lazy fix for WD

Detect write to HKLM\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration at value @DisplayCalibrator. May cause problems if this feature used somewhere legitimately.

5) Possible fix

This won't work without writing to the registry which is provided by ICMLuaUtil interface. Removing it from COMAutoApprovalList will automatically block this method too.

💥Method #52

1) Description

This method currently popular ITW because of it simplicity so even zero skill malware authors may embed it to their elite dotnet droppers. Idea behind it is to abuse appinfo design flaw where Win32 API GetLongPathName due to it specific is converting supplied fake security directory path to the real one thus passing further internal check against secured directories whitelist. There at least two variants of these method used ITW - original and my - involving reparse points, exactly it is used by WastedLocker ransomware. They mostly copy-pasted it as is from UACMe with their set of ridiculous additions.

2) WD detection

Not capable (as of 26 Sep 2020).

3) WD detection bypass

No needed.

4) Lazy fix for WD

Detect directory creation, mount point creation. It should not be that hard as this method require trusted directory name abuse.

5) Possible fix

This needs to be patched in appinfo. Get rid of Win32 API when converting file path. It is ridiculous combination having Win32 API path conversion for path check.

💥Method #53

1) Description

This method is similar to #33. The only difference is the target key and application. Target key here is HKCU\Software\Classes\Folder\shell\open\command @Default value (+DeletegateExecute as usual) and trigger is sdclt.exe

2) WD detection

WD is capable to detect this. Dedicated signatures named Behavior:Win32/UACBypassExp.F!sdclt(2)(3)(4)(src). Writing (direct or indirect) to that key default value triggers detection.

3) WD detection bypass

Similar to #33

4) Lazy fix for WD

#Similar to #33

5) Possible fix

#Similar to #33

💥Method #55

1) Description

It is UIPI bypass with UIAccess application primary token duplication. Duplicated token next modified to have Medium IL and used to create second stage process. Because this process created with token that has UIAccess flag set this process will be able to circumvent UIPI. As second stage process UACMe uses Fubuki unit modified in the runtime to be standalone executable. When started Fubuki will spawn msconfig.exe at Tools page. Next it will identify ListView window and use SendInput API to navigate to the "cmd.exe" entry in the tools list and simulate button click. After that it will wait for console window and type specified command to it running actual payload. This is a complex method that is not really reliable in the real life and was added just for fun as I really liked the concept.

2) WD detection 

Not capable (as of 26 Sep 2020).

3) WD detection bypass

No needed.

4) Lazy fix for WD

I would detect all kind of Medium IL processes running with UIAccess flag set as malicious just because it against Windows behavior as normal UIAccess application always has >= Medium+ integrity level.

5) Possible fix

Remove UIAccess from token if it duplicated from Medium+ IL from a process with Medium IL. This need actual investigation as there could be unexpected side effects.

💥Method #56

1) Description

This method is similar to #33. The only difference is the target key and application.Target key here is HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command @Default value (+DeletegateExecute as usual) and trigger is wsreset.exe

2) WD detection

WD is capable to detect this. Dedicated signatures named Behavior:Win32/UACBypassExp.F!wsreset(2)(3)EF. Writing (direct or indirect) to that key default value triggers detection.

3) WD detection bypass

Prepare target key structure somewhere else and rename it key component to actual name before running target.

4) Lazy fix for WD

Additionally to #33 detect rename key event.

5) Possible fix

#Similar to #33

💥Method #58

1) Description

Based on IEditionUpgradeManager autoelevated COM interface. This interface has method called AcquireModernLicenseWithPreviousId. During execution it starts Clipup.exe process from (what it suppose) windows system32 folder. It uses %windir% environment variable(sic!) to build path to that executable. Thus you can set your own %windir% variable and this code will use it to build a path with your controlled location in it.

2) WD detection

Not capable (as of 26 Sep 2020).

3) WD detection bypass

No needed.

4) Lazy fix for WD

Same as #34

5) Possible fix

Cheap and easy fix - get rid of environment variables from Win95 era and build a proper path to clipup.exe by using, surprise - surprise! GetSystemDirectory.

💥Method #59

1) Description

This method abuses debug objects to achieve elevation through appinfo direct talking via RPC. It is complex and non trivial. While it is using same RPC request as #38 it is completely different in implementation and bug/feature it abuses. At first stage we create non elevated process with RPC request and supplying DEBUG_PROCESS flag in process startup parameters. When appinfo processes our launch process request it uses CreateProcessAsUser API which automatically will create debug object if DEBUG_PROCESS is specified in process startup flags. The handle for this debug object will be stored inside TEB reserved field. All processes created by the same thread will share the same debug object. Note that appinfo uses thread pool so it could make sense to spam it with requests to fill it all. We capture debug object with NtQueryInformationProcess(ProcessDebugObjectHandle) call, detach debugger with NtRemoveProcessDebug and kill our first process - it was only needed to allocate debug object on appinfo side. On the next stage we run autoelevated process again with help of direct RPC call and set thread debug object to our saved one. Next we process standard debugging message loop looking for CREATE_PROCESS_DEBUG_EVENT. Once hit we capture process handle from event and duplicate it with PROCESS_ALL_ACCESS desired access rights. Then resulting handle used to create final payload process with help of CreateProcess and PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.

2) WD detection

Not capable (as of 26 Sep 2020).

3) WD detection bypass

No needed.

4) Lazy fix for WD

Detect parent process creation.

5) Possible fix

This need a fix on appinfo side. Perhaps you could ensure that there is no debug object set when creating a High IL process by request from Medium IL.

💥Method #61

1) Description

This method is similar to #33. The only difference is the target key and application. Target key here is HKCU\Software\Classes\Launcher.SystemSettings\shell\open\command @Default value (+DeletegateExecute as usual) and trigger is slui.exe which is started with runas verb.

2) WD detection

WD is capable to detect this. As detection it will show you one of the previously highlighted behavior signature names used in similar methods as they cross check this method. Writing (direct or indirect) to that key default value triggers detection.

3) WD detection bypass

#Similar to #33

4) Lazy fix for WD

Similar to #33

5) Possible fix

Similar to #33 

💥Method #63

1) Description

This method is relatively new. It uses dll injection to the Windows Native Image Cache (NIC), forces it to be used and then exploits by running Windows Firewall MMC snap-in. Files in NIC are accessible to Administrators group so we can reset their security permissions (by using ISecurityEditor autoelevated COM interface) and after that overwrite file contents with your payload. Required target file for overwrite located by searching in installed assemblies and comparing MVID (Module Version Id) of files.

2) WD detection

Not capable (as of 26 Sep 2020).

3) WD detection bypass

No needed.

4) Lazy fix for WD

Detect write event to NIC from Medium IL process.

5) Possible fix

Administrator group should not have write access to NIC directory and it contents.

P.S.

Of course the best and lazy way to circumvent everything from above is not use Administrator group account at all. I'm not talking about AlwaysNofity UAC setting because as proven by time it is useless. However I would like to point that current Windows eco system evolved from Windows XP times with deep rejection of UAC since Vista fuckup. Thus, no matter what you tell or want, default account still will have administrator group. Idiotic shield icon doesn't help a lot too giving people sort of placebo. Nothing from above is a rocket science or require millions of dollars for fix. Fix your leaky shield.

As of UACMe 3.5 I've no further plans to fight WD next wave of signatures by giving them free help. I have no doubt they will implement more and more measures against UAC bypasses in future, not necessary against mentioned methods or in the mentioned ways. It doesn't really matter and personally I don't care. What I wanted to show - is that if someone want to bypass WD behavior signature - it will highly likely do this without significant problems.

If something new, creative and working will be discovered - it will be added in UACMe 3.5+ versions. Old 3.2.7 branch will be still available but without any further support from my side. Speaking about new, creative and working methods - see P.P.S. next.

P.P.S. Comedy Section Bonus

Every year you can find a lot of junk noise about yet another "uac bypass" involving something with Open/Save/Print what ever dialogs. It is when "hackers" runs some elevated process, then clicks somewhere in it menu, spawns shell dialog and runs programs from it through menu. Woohoo, Windoze Byp@$$3d M1cr0$0ft SuXx! Or another example is some modification in system that must be triggered by manual clicking somewhere in target application running at High IL.  

Nothing from this is UAC bypass as it require massive user interactions with UI and target applications have High IL preventing GUI hacking. That doesn't mean you can't do GUI hacking at all - method #55 proves it is possible, however NONE of these elite hackers are even close to something like that, because it is simple not their level. Any of such posts are just attention whoring and nothing else. If you can't automate your "bypass" it is not a bypass otherwise I'm giving you ultimate UAC bypass working with AlwaysNotify - select an executable file on disk, right click on it - press "Run as Administrator", when UAC window popup - confirm it. Ultimate "bypass" done, probably needs a video to be recorded, ROFL.

Another kind of attention whore scam release their ultimate "private" tools (together with snot with bubbles) claiming old well known methods as something they used "privately" for "years" and now "released to the public", because they, you know, "s3curity r3s3arch3rs" (just like that funny guy who managed to copy-paste from everywhere without understanding what he copy-paste).

Microsoft has determination of what they consider security boundary and what is not. UAC as you guess - is not a boundary, we can go to usual demagogy here, but that is the fact. This is one side of the medal. From the other side, malware usually need this not only as a some bonus but as critical for it viability. So you have a dilemma - some broken mechanics you don't consider as worth looking at and real malware taking this as essential part. Because of that you always will have a lot of noise around UAC. Unfortunately most of this noise will come from typical internet idiots (included in target audience of malware and most of malware developers).

Unfortunately both types of mentioned guys does a lot of white noise each year which makes it harder to find real methods as you have to filter out tons of such trash. Don't be like them. While maybe not that sophisticated and complicated UAC is still part of Windows and integrated to the system. It is not about OpenDialog. The better you understand Windows internals the better you understand how UAC works and it weakness (and the more you laugh at yet another idiot with OpenDialog). Aside of this some of these bypasses are usually accompaned by various different mechanics, algorithms and internals that need to be researched. 

There is a still a lot of possible real UAC bypasses undiscovered since this system mechanics is entirely broken in many ways and these methods are just waiting to be exploited.

References

All the links to the original authors descriptions are provided at UACMe page and inside source (where available). Make sure to visit and view original authors content if you like their methods. Also note that actual UACMe implementation of their methods maybe different from original.

1. UACMe - https://github.com/hfiref0x/UACME