The security researcher Matt Nelson reveals that a newly discovered User Account Control (UAC) bypass that uses App Paths can be used for fileless attacks.
A week ago, Nelson revealed that App Paths and the Backup and Restore tool (sdclt.exe) in Windows 10 version can be used to bypass the User Account Control (UAC) as sdclt.exe auto-elevates due to its manifest. The researcher also demonstrated the attack by publishing a proof-of-concept (PoC) script and warned that the payload had to be saved to the disk as the parameters were not supported.
This is not the first UAC bypass technique that Nelson reveals. Last year, he explains the Event Viewer and Disk Cleanup methods and now, he divulges that the App Paths UAC bypass can be also used for fileless attacks. These attacks, however, are only possible on Windows 10 version because the sdclt.exe’s manifest in older versions prevent it from auto-elevation when it is started from medium integrity.
Nelson also says that, while he was analyzing the sdclt.exe binary searching for command line arguments, he found out something. He discovered that if a particular argument was used, a parameter could be added to sdclt.exe, which would then be executed with elevated privileges. He published a proof-of-concept on GitHub demonstrating the bypass and explaining that the script takes a full path to the payload and any parameters. Furthermore, it starts ‘sdclt.exe /kickoffelev’, adds the necessary keys automatically and then deletes the attack`s traces.
As before, these attacks can be prevented by removing the current user from the Local Administrators group or by setting the UAC level to “Always Notify”. Experts say that a good tactic of monitoring the system for such attacks is looking for new registry entries in HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand.
