User Account Control (UAC) is a Windows security mechanism designed to limit application software to standard user privileges until an administrator authorizes an increase or elevation. In the context of CompTIA PenTest+, UAC bypass techniques are post-exploitation methods used by attackers to execute code with high integrity (administrative privileges) from a medium integrity context without triggering the visual consent prompt.
Most bypasses exploit 'auto-elevate' executables built into Windows, such as fodhelper.exe or eventvwr.exe. These binaries are signed by Microsoft and trusted to elevate without prompting the user if the account is already part of the Administrators group.
One prevalent technique relies on Registry Key Manipulation. Many auto-elevate binaries query specific registry keys in the HKEY_CURRENT_USER (HKCU) hive to locate shell commands or dependencies. Since the current user has write access to HKCU, a pentester can create or modify these keys to point to a malicious payload. When the trusted binary executes, it unwittingly runs the payload with elevated privileges.
Another common vector is DLL Hijacking or path interception. If a trusted, auto-elevating application attempts to load a DLL from a directory the user controls before checking System32, an attacker can plant a malicious DLL. The application then loads the attacker's code with high integrity.
To automate these attacks, penetration testers often utilize tools like UACME or specific Metasploit modules. Mitigation involves setting UAC to 'Always Notify' or, more effectively, ensuring users operate as standard users rather than administrators, thereby nullifying the split-token architecture these exploits abuse.
UAC Bypass Techniques Guide for CompTIA PenTest+
What is User Account Control (UAC)?
User Account Control (UAC) is a mandatory access control enforcement feature introduced in Windows Vista. Its primary goal is to prevent unauthorized changes to the operating system. It ensures that applications run with standard user rights (Medium Integrity) unless an administrator explicitly authorizes the application to run with administrative rights (High Integrity). When an action requires elevation, UAC presents a prompt (the 'Yes/No' dialog) to the user.
What is a UAC Bypass?
A UAC bypass is an attack technique used to elevate privileges from a standard user context (specifically, an administrator user with a split token) to a high-integrity administrator context without triggering the UAC prompt. This allows an attacker to execute code with administrative privileges silently.
Why is it Important?
For a penetration tester, UAC bypass is a critical step in the Post-Exploitation phase. Gaining initial access often results in a shell running with medium integrity. To dump credentials (such as password hashes), install persistence mechanisms, or modify system files, the tester needs high integrity. Bypassing UAC allows this vertical privilege escalation without alerting the victim.
How it Works: Common Techniques
Most UAC bypasses exploit the relationship between auto-elevating Windows binaries and the Windows Registry or file system paths.
1. Auto-Elevation Exploitation: Windows contains signed binaries (like fodhelper.exe, eventvwr.exe, or computerdefaults.exe) that are trusted by the OS to auto-elevate to high integrity without showing a prompt. Attackers exploit these binaries by hijacking the resources they load.
2. Registry Manipulation: When an auto-elevating binary runs, it often queries the registry for commands to execute. For example, fodhelper.exe looks for specific keys in HKCU\Software\Classes\ms-settings\Shell\Open\command. By inserting a malicious command into this registry key, the attacker triggers the trusted binary, which then executes the malicious command with high privileges.
3. DLL Hijacking: If an auto-elevating process tries to load a DLL that does not exist in the System32 folder, it may look in the application's current directory. An attacker can place a malicious DLL there, which the high-integrity process then loads and executes.
Exam Tips: Answering Questions on UAC Bypass Techniques
When facing questions about UAC bypasses on the CompTIA PenTest+ exam, keep the following strategies in mind:
Identify the Goal: If the question asks about moving from a standard user shell to an administrative shell without user interaction, the answer is likely a UAC Bypass.
Recognize the Context: These techniques apply to Windows environments. If the scenario involves Linux, look for sudo exploits or SUID binaries instead.
Key Indicators: Look for mentions of specific binaries known for UAC exploits, such as fodhelper.exe, eventvwr.exe, or sdclt.exe. Also, look for registry modifications in the HKCU (Current User) hive, as modifying HKLM usually requires admin rights already.
Tool Usage: Be familiar with tools that automate this, such as Metasploit (specifically the exploit/windows/local/bypassuac modules), Empire, or UACME.
Mitigation Knowledge: You may be asked how to prevent this. The answer is usually to set the UAC level to 'Always Notify' (the highest setting), which disables auto-elevation logic for signed binaries.
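As an added audit example (not part of the original guide), the following read-only PowerShell check lets a defender look for the HKCU registry indicator named in the Registry Manipulation section and confirm that the 'Always Notify' mitigation is in place. The policy value names under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are the standard UAC policy values; the function names are my own.

```powershell
# Added example, not from the original guide. Reads the registry only; changes nothing.
# (a) The ms-settings handler key that fodhelper.exe consults is not normally present
#     under HKCU; its presence is an indicator worth investigating.
# (b) 'Always Notify' is ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1
#     (and EnableLUA=1); anything lower lets auto-elevating binaries run without a prompt.

function Test-MsSettingsHandlerKey {
    $path = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    if (Test-Path $path) {
        $props = Get-ItemProperty -Path $path
        return [pscustomobject]@{ Present = $true; Command = $props.'(default)' }
    }
    return [pscustomobject]@{ Present = $false; Command = $null }
}

function Get-UacLevel {
    # Policy values live under HKLM but are readable by a standard user.
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enabled = [int]$sys.EnableLUA
    $consent = [int]$sys.ConsentPromptBehaviorAdmin
    $secure  = [int]$sys.PromptOnSecureDesktop
    $alwaysNotify = ($enabled -eq 1 -and $consent -eq 2 -and $secure -eq 1)
    return [pscustomobject]@{
        EnableLUA                  = $enabled
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        AlwaysNotify               = $alwaysNotify
    }
}

$handler = Test-MsSettingsHandlerKey
if ($handler.Present) {
    Write-Warning "ms-settings\Shell\Open\command exists under HKCU; command: $($handler.Command)"
} else {
    Write-Output 'No ms-settings\Shell\Open\command key under HKCU.'
}

$uac = Get-UacLevel
if (-not $uac.AlwaysNotify) {
    Write-Warning 'UAC is below Always Notify; auto-elevating signed binaries will not prompt.'
}
$uac | Format-List
```

Run it from a medium-integrity session; both checks succeed without elevation, which is the point of auditing from the same context an attacker would start in.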