The Windows User Access Control (UAC) security feature in Windows versions 7 and 10 can be easily bypasses by cybercriminals who managed to leverage the Event Viewer application.
The security experts Matt Graeber and Matt Nelson were the ones to uncover this hack. At the end of last month, they detailed one more Windows UAC bypass which is using the Windows 10 Disk Cleanup utility. However, the two bypasses are different from each other when it comes to their technique.
The one from the end of July is using Disk Cleanup and required the researchers to use a high-privileged process to copy a DLL into a safe location, which they used in a DLL hijacking attack that didn’t get detected by UAC.
For the latest bypass, the duo came up with a new technique in which dropping any malicious DLL on the file system and DLL hijacking are not necessary. It doesn’t rely on stored on disk files.
This fileless UAC bypass needs the creation of a structure of intertwined Windows registry keys. The Event Viewer process (eventvwr.exe) would query these keys causing a disguised high integrity process operation like Event Viewer. Thinking of it as an innocuous operation, the UAC wouldn’t flag it.
Given that all others UAC bypass techniques require privileged file copy, process hijacking and dropping files on the user’s PC to be successful, Graber and Nelson claim that this is one of a kind bypass which has never been seen before.
Luckily, these types of UAC bypass attacks can be prevented.
“This particular technique can be remediated or fixed by setting the UAC level to “Always Notify” or by removing the current user from the Local Administrators group.” – Nelson writes – “Further, if you would like to monitor for this attack, you could utilize methods/signatures to look for and alert on new registry entries in HKCUSoftwareClasses, which is one of the key places in the aforementioned intertwined registry structure.”
Even though Microsoft doesn’t think of UAC as an actual security feature, malware authors still include UAC bypasses in their codes to assure themselves their products won`t end up flagged by an UAC.
