Certified Security Operations Center GmbH

30. August 2024

UAC Bypass via Sdclt: What companies should know

In today’s digital era, in which companies are increasingly reliant on complex IT infrastructures, the security of these systems is a key challenge.

A current example is the UAC bypass executed via sdclt.exe, which presents companies with major challenges and is becoming particularly pressing. UAC is a protection mechanism, and the ability of cyber criminals to overcome such protection mechanisms is particularly alarming for companies. A successful UAC bypass can lead to serious security incidents, so awareness of and defence against such threats is critical to protecting company data and processes. In this article, we explain what a UAC bypass is, how it works, what dangers it poses and what measures organisations can take to protect themselves more effectively.

The UAC bypass

User Account Control (UAC) is a security feature in Windows operating systems that prevents unauthorised changes from being made to a system by prompting users to confirm actions. A UAC bypass, by contrast, is a method of circumventing these Windows security prompts: the attacker gains administrator rights unnoticed and can make unauthorised changes to the system without any warning being issued.

How a UAC bypass works

The most common way to achieve a UAC bypass is to exploit weak UAC settings. If UAC is configured to be less restrictive, for example set to ‘Never notify’, the attacker can exploit this configuration to gain elevated privileges without the user’s consent. Another technique is the misuse of programmes that are executed with elevated rights by default. An attacker can start these programmes and manipulate them so that they execute code with administrator rights. These are just two examples; new and varied UAC bypass techniques appear constantly, as cybercriminals are always looking for new ways to circumvent Windows security mechanisms.

In a recent incident, an attempt was made to perform a UAC bypass via sdclt.exe. The technique involves creating a specific registry key structure that carries out the bypass and launches a command prompt with elevated privileges. The relevant registry entry was logged as follows:

Registry value set:

RuleName: T1042

EventType: SetValue

TargetObject: HKLM\{bf1a281b-ad7b-4476-ac95-f47682990ce7}C:/ProgramData/Microsoft/Windows/Containers/Layers/06b6c56a-5192-4a70-b05d-08e4ac287adf/Files/Windows/System32/config/SOFTWARE\Classes\exefile\shell\runas\command\IsolatedCommand

Details: ‘Illegal function. ‘ %%*

User: NT-AUTHORITY\SYSTEM
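As an added example (not part of the original article), the following Python detector parses Sysmon-style ‘Registry value set’ records like the one above and flags SetValue writes to the Classes\exefile\shell\runas\command\IsolatedCommand key. It matches on the key suffix, case-insensitively and with forward slashes normalised, so a write into a loaded hive with a GUID-prefixed path (as in the record above) is caught alongside the usual HKCU\Software\Classes location; the sample records, GUID, mount path, domain and user names are constructed.

```python
# Constructed Sysmon-style "Registry value set" records (not the article's own
# telemetry); the GUID, hive mount path, domain and user names are made up.
SAMPLE_EVENTS = """\
RuleName: T1042
EventType: SetValue
TargetObject: HKLM\\{11111111-2222-3333-4444-555555555555}C:/mount/SOFTWARE\\Classes\\exefile\\shell\\runas\\command\\IsolatedCommand
Details: cmd.exe
User: NT-AUTHORITY\\SYSTEM

EventType: SetValue
TargetObject: HKCU\\Software\\Classes\\exefile\\shell\\runas\\command\\IsolatedCommand
Details: C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.exe
User: LAB\\alice

EventType: SetValue
TargetObject: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden
Details: DWORD (0x00000001)
User: LAB\\alice
"""

# Key the sdclt.exe bypass writes (named in the article). Compared case-
# insensitively and on the suffix only: a fixed "HKCU\Software\..." prefix
# would miss the first sample, where the key sits inside a loaded hive.
BYPASS_KEY_SUFFIX = r"\classes\exefile\shell\runas\command\isolatedcommand"

def parse_events(text: str) -> list[dict[str, str]]:
    # Split blank-line-separated 'Name: value' blocks into one dict each.
    events: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")  # split on the first ':' only
        current[name.strip()] = value.strip()
    if current:
        events.append(current)
    return events

def is_bypass_write(event: dict[str, str]) -> bool:
    # True for a SetValue on the IsolatedCommand key, whichever hive holds it.
    if event.get("EventType") != "SetValue":
        return False
    target = event.get("TargetObject", "").lower().replace("/", "\\")
    return target.endswith(BYPASS_KEY_SUFFIX)

def find_alerts(text: str) -> list[tuple[str, str, str]]:
    # (user, key, value written) for every flagged event, ready for triage.
    return [(e.get("User", "?"), e["TargetObject"], e.get("Details", ""))
            for e in parse_events(text) if is_bypass_write(e)]
```

Feeding the sample records to find_alerts yields two alerts (the loaded-hive write and the HKCU write) and ignores the benign Explorer setting.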

Dangers

– Elevated authorisations: Attackers can gain administrator rights and perform malicious actions without notification.

– Data loss: Attackers with administrative rights can access confidential information and steal or delete it.

– System damage: Malware can damage the system or make it unusable. Malicious software can be installed without the user receiving a warning or having to give their consent.

– Network compromise: Once on the network, attackers can compromise other systems.

– Persistence: Malware can remain active and cause damage after a system restart.

– Operational failures: By sabotaging system processes, attackers can cause significant operational disruption.

– Bypassing fundamental protection mechanisms: A successful UAC bypass undermines the basic security precautions of an operating system and opens doors for further attacks.

A UAC bypass poses a serious threat to the IT security and operational stability of organisations. Companies should be aware of the danger and take precautionary measures.

Our recommendations for action:

– Monitoring and logging: Continuous monitoring of the registry and other critical areas is essential. All changes should be logged and reviewed regularly.

– Restrict user rights: Reduce the number of users with administrator rights to the necessary minimum. Use the principle of least privilege.

– Regular updates: Always keep operating systems and applications up to date in order to close known vulnerabilities.

– Employee training: Sensitise your employees to the dangers of social engineering and phishing attacks, which are often the first step towards a successful attack.

– Access controls: Implement strong access controls and monitor unusual activity to detect and stop potential attacks early.

– Strict UAC settings: Ensure that UAC is set to the highest security level so that users are always notified as soon as changes are made to system files or settings. Implement software restriction policies or AppLocker to prevent unauthorised software from running.

– Use security software: Utilise comprehensive security solutions, including antivirus and anti-malware programs specifically designed to detect and prevent UAC bypass techniques.

By implementing these measures, organisations can significantly reduce the risk of a successful UAC bypass and the associated security threats.
