
Good morning everyone, thank you all for being here today. It's my privilege to be a part of such a big community which is so passionate about sharing knowledge and information. Oh, sorry, before I dive into the good stuff I want to run you through some basic, standard "who am I", and I promise this isn't me running whoami commands on my Windows terminal. I'm Aman Kumar Badel, currently working as a threat researcher for SophosLabs. I spend most of my time writing detections for various TTPs. When I'm not writing detections, I work on my kayaking skills, paddling and exploring the trails, so I think about it as hacking the outdoors, where I discover new paths, we get the obstacles, and yes, I do debug my sense of direction.

Today I'm going to take you on a journey of UAC and COM, where the secret sauce lies in the intersection of UAC and COM, and that's where the magic happens, followed by an exploit demo. As this talk is not just about the offensive side of COM-based UAC bypass, I'll be covering the monitoring and detection aspects too, followed by Q&A.

Let's dive in quickly to an overview of UAC. What is UAC? UAC is basically a Windows security feature that forces all processes to run with the security context of a limited-privilege user by default. It's basically also a policy that applies to all processes which are created by any user, including administrators too. So the idea is to not solely rely on the user's identity in order to determine the privilege of the activity which is being performed. In short, UAC thus prevents unauthorized changes. For example, it might seem very odd if Bob, being an administrator, downloads malware without realizing it. Any process Bob would create would by default be created as an administrator. But what if UAC was turned off? In that case, the malware would have got instant access to Bob's system, whereas if UAC was turned on, the malware would have got limited privileges to Bob's system.

Before I dive into the actual working of UAC, I want to touch base on process integrity levels, tokens and filtered tokens. In Windows there are four major process integrity levels: low, medium, high and system. Low refers to minimal interactions, mostly used in Internet Explorer. Medium refers to the standard privileges which are assigned to any normal user. High is then reserved for administrative users; a subject at this level can modify objects at a lower integrity level as well as at the same integrity level. System is then reserved for kernel and core operating system processes.

Tokens and filtered tokens: in order to provide separation of roles, non-administrative users and administrative users are dealt with separately during the logon process. Non-administrative users receive only a single token. This token is at medium integrity level and is used to perform all the operating tasks. The screenshot shows us how a medium integrity token looks in Token Viewer and in the command prompt. Administrative users are dealt with differently: during the logon process, administrative users receive two tokens, first a filtered token and an elevated token. The filtered token is stripped of privileges; it is referenced with medium integrity level and is used to perform all the normal operating tasks, whereas the elevated token has much higher privileges as compared to the filtered token, it references high integrity level and is used to perform only and only administrative tasks.

As we have covered the basic understanding of UAC, let's dive deep into the actual working of UAC. When a user wants to run cmd.exe as an administrator, at the back end the ShellExecute function is executed with the arguments runas and cmd.exe. This request is then forwarded to the Application Information service, where the application manifest is checked to verify if cmd.exe has auto-elevation enabled by default. If not, the request is forwarded to consent.exe, where the user gets a UAC prompt on a secure desktop. Based on the user's input, cmd.exe is then launched with a higher integrity level.

Windows COM. It's a very dull and dry topic in my honest opinion. Anyone who has dealt with Windows COM, anyone who has dealt with the Microsoft website for Windows COM, I can really assure you that it is designed to test two things: first your patience, second your troubleshooting skills. Today I'm going to take you on a journey of Windows COM. This is going to be a very effortless journey and I assure you that there won't be any tangling wires.

Overview of COM. So basically COM is a client-server model which allows inter-process communication, so think of it as more comparable to an HTTP API. As shown in my figure, the client, that is foo.exe, would initiate a request to create the COM object, which is referenced via a specific unique ID called a GUID, also called a CLSID. Windows COM acts as a middle layer between the client and the COM object; it also verifies if the client request has appropriate privileges to access the COM object. If this request is authorized, Windows COM then creates the COM object and provides a reference back to the client. Once the reference is established, the client can then access all the methods and functions available for the COM object. Any interaction that is happening back and forth between the client and the COM object happens via RPC, in the case of COM as well as in the case of Distributed COM, where clients and servers are on different machines altogether. The screenshot shows the registry location where you can list all the available COM objects on your system. The second screenshot is a very juicy aspect with respect to COM-based UAC bypass; this will be further explained in the intersection of UAC and COM.

As we have had a basic understanding of COM interaction and UAC, let's try to unwind the secret sauce and dive deep into the intersection of UAC and COM. Certain COM interactions are designed to support automatic elevation by default. That means specific tasks within a COM object can be executed with elevated privileges without prompting for UAC. The only constraints are that the client should be a system trusted binary or a Microsoft-signed binary. This particular registry key is strictly managed by Windows in order to prevent any unauthorized modification. Out in the wild, BlackCat and LockBit ransomware were found to use these kinds of COM-based UAC bypasses.

Let's try to dive deep into the exploit flow. The attacker would execute the exploit, which is foo.exe in our case. The exploit would first spoof its Process Environment Block to explorer.exe in order to impersonate itself as a system trusted binary. The exploit then uses a very specific COM object which is referenced by the CLSID in the screenshot. This COM object is from CMSTPLUA and has a very special ShellExecute method; this method is then used to run applications. The exploit then constructs an elevation moniker. The elevation moniker is a COM feature which would create the requested COM object with elevated context. The system in our case would just verify if the client is a system trusted binary, but the exploit has spoofed its Process Environment Block to explorer.exe in order to impersonate itself as a system trusted binary, which results in the creation of the COM object with elevated context. The exploit then uses this particular object in order to use the ShellExecute method and then launch cmd.exe with a higher integrity level without prompting for UAC. Normally, launching cmd.exe with a higher integrity level would prompt you for UAC, but as in our case the ShellExecute method was executed via the elevated COM object, it inherits the privileges of the elevated COM object and spawns cmd.exe with a higher integrity level without prompting for UAC at all.

And it's time for an exploit demo. Someone did mention to me that before I run the exploit demo I should pray to the demo god, but as the demo god is on Christmas vacation today, let's hope for the best and brace for the worst. So I have a low-privilege shell running here and I'm currently running on a medium integrity level, verifying the privileges and integrity level via whoami commands, and then I'll be using this shell in order to launch my exploit. While executing my exploit I'll be passing cmd.exe as an argument. Successful execution of the exploit would launch a new instance of cmd.exe with a higher integrity level without prompting for UAC, and you can see that I have another shell which is currently running on a higher integrity level, with many more privileges as compared to the previous one, and that's all without prompting for UAC.

As we have covered the working of the COM-based UAC bypass, I want to take this opportunity to discuss the detection aspects too. Since we know the exploit uses a COM object, and dllhost.exe acts as a COM surrogate process where it also orchestrates the creation of the COM object with elevated context, any payload which is executed within the exploit via the ShellExecute method is then spawned as a child process of this particular dllhost.exe. In simpler terms, my detection logic would be monitoring for something like: any child process which is created by dllhost.exe, having parent process dllhost.exe, where the command line should have a COM object CLSID as a reference, while excluding some system generic noise. Let's try to look at this logic in our detection tool. So I have a Python detection tool running in the back end, which is UAC bypass detection.py, and I have a low-privilege shell which I'll be using in order to execute my exploit, verifying the privileges by whoami /priv and passing cmd.exe as an argument for the exploit. Successful exploitation would launch a new instance of cmd.exe, and as you can see I have a higher integrity shell, and at the back end you can see that I have a detection on my tool which spits out all the relevant information with respect to the process, like the child process being my cmd.exe, the parent process being my dllhost.exe, whereas you can also see that I have the COM object CLSID as a reference in its command line.

To wrap it up, today we have covered the working of the COM-based UAC bypass and its detection technique. With appropriate visibility we can create sophisticated detections for any threats. Thank you all for your time and I'm happy to take any questions. Last but not the least, thanks to my mentor Ali and my partner WN.
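As an added illustration of the detection logic described in the talk (this is not the speaker's UAC bypass detection.py; the event field names, the noise allowlist and the placeholder CLSID are assumptions), here is a minimal Python rule run over constructed process-creation events: it flags a child of the COM surrogate dllhost.exe whose parent command line carries a CLSID reference, while skipping known-benign children.

```python
import re
from pathlib import PureWindowsPath

# dllhost.exe hosts out-of-process COM objects and is started with a CLSID
# reference on its command line, e.g. "/Processid:{GUID}". The regex matches
# that braced GUID wherever it appears in the parent's command line.
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)

# Children of dllhost.exe that are routine on a healthy host. Assumption:
# a starting allowlist to be tuned per environment, not a definitive one.
NOISE_CHILDREN = {"conhost.exe", "werfault.exe"}

def surrogate_child_clsid(event):
    """Return the CLSID string if this process-creation event matches the
    rule (parent is dllhost.exe with a CLSID on its command line and the
    child is not known noise), otherwise None."""
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    child = PureWindowsPath(event["image"]).name.lower()
    if parent != "dllhost.exe" or child in NOISE_CHILDREN:
        return None
    match = CLSID_RE.search(event["parent_cmdline"])
    return match.group(0) if match else None

def scan(events):
    """Run the rule over process-creation events and collect alerts."""
    alerts = []
    for ev in events:
        clsid = surrogate_child_clsid(ev)
        if clsid:
            alerts.append({"pid": ev["pid"], "child": PureWindowsPath(ev["image"]).name,
                           "parent": "dllhost.exe", "clsid": clsid,
                           "cmdline": ev["cmdline"]})
    return alerts

# Constructed sample events (not real telemetry). The CLSID is a placeholder,
# not the CMSTPLUA CLSID shown in the talk's screenshot.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe",
     "parent_image": r"C:\Windows\System32\dllhost.exe",
     "parent_cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{11111111-2222-3333-4444-555555555555}"},
    {"pid": 4130, "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe 0x4",
     "parent_image": r"C:\Windows\System32\dllhost.exe",
     "parent_cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{11111111-2222-3333-4444-555555555555}"},
    {"pid": 4140, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the first event fires: cmd.exe under a CLSID-referenced dllhost.exe, which is exactly the parent/child pair the talk's tool reports; the conhost.exe child is suppressed by the allowlist and the explorer.exe-parented cmd.exe never matches.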