A security researcher has discovered a critical exploit that enables hackers to bypass User Account Control (UAC) in Windows and infiltrate the computer without leaving a single trace, meaning that it would be impossible for antivirus or intrusion detection technologies to detect that hackers have accessed the network.
Independent security researcher Matt Nelson discovered it was possible to bypass the UAC by hijacking a native Windows feature called Event Viewer that allows users to view event logs either locally or remotely.
Nelson found a way to use Event Viewer to hijack registry processes, as well as to start the Windows PowerShell task automation and scripting platform and use it to execute any malicious script or command desired. He found that the exploit worked on any Windows OS version that implements UAC, which is basically all of them from Windows XP onwards.
He found that the Event Viewer application executes registry queries against the HKEY_CURRENT_USER (HKCU) registry hive as a high-integrity process. Because HKCU entries are merged with the HKEY_LOCAL_MACHINE (HKLM) hive under the HKEY_CLASSES_ROOT (HKCR) hive, a user who writes to HKCU can hijack the Microsoft Management Console and then use it to execute malicious PowerShell scripts or commands.
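The merge of HKCU\Software\Classes over HKLM\Software\Classes described above is what lets a per-user handler shadow a machine-wide one. The following audit script is an added example for defenders, not code from the article or from Nelson; it assumes Windows PowerShell 5.1 or later and that it is run in the context of the user being audited.

```powershell
# Added example (not from the article): list per-user shell handlers under HKCU\Software\Classes
# that shadow a machine-wide (HKLM) handler for the same ProgID, or that launch a scripting host.
# Either condition matches the mechanism the article describes and deserves a closer look.
# Assumes PowerShell 5.1+ on Windows; run as the user whose profile is being audited.

function Get-UserShellHandlerOverrides {
    [CmdletBinding()]
    param()

    $userClasses    = 'HKCU:\Software\Classes'
    $machineClasses = 'HKLM:\Software\Classes'

    if (-not (Test-Path $userClasses)) { return @() }

    Get-ChildItem -Path $userClasses -ErrorAction SilentlyContinue | ForEach-Object {
        $progId = $_.PSChildName
        $cmdKey = "$userClasses\$progId\shell\open\command"
        if (-not (Test-Path $cmdKey)) { return }

        # The (default) value of shell\open\command is the command line the shell runs.
        $userCmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($userCmd)) { return }

        # Does the machine-wide hive also define this ProgID? If so the per-user
        # entry shadows it in HKCR for this user.
        $machineKey = "$machineClasses\$progId\shell\open\command"
        $machineCmd = $null
        if (Test-Path $machineKey) {
            $machineCmd = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
        }

        # A file-type handler that starts a scripting host is a strong signal on its own.
        $suspicious = $userCmd -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32'

        [pscustomobject]@{
            ProgId         = $progId
            UserCommand    = $userCmd
            MachineCommand = $machineCmd
            ShadowsMachine = [bool]$machineCmd
            Suspicious     = $suspicious
        }
    }
}

Get-UserShellHandlerOverrides |
    Where-Object { $_.ShadowsMachine -or $_.Suspicious } |
    Format-Table -AutoSize
```

On a clean profile the HKCU\Software\Classes tree normally holds few or no shell\open\command entries, so any hit is worth correlating with process creation logs for eventvwr.exe or mmc.exe spawning a scripting host.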
No need to use malware to infiltrate a network
Typically, when hackers try to infiltrate a computer network, they will go searching for a security vulnerability that has not been patched, exploit it to get them into the network, and then install malware that quietly sends back data to their server.
Certain types of malware can also give the hackers escalated privileges in the network so that they can impersonate actual system administrators and use it to access sensitive data, and so a lot of threat detection software revolves around trying to track any administrative changes in the network, as well as whether any files are being installed or downloaded.
The simplicity of this attack is that it does not require any malware to be downloaded. Instead the exploit takes place at such a high level, in a native Windows feature, that it cannot be seen by a system administrator; however, it cannot be carried out unless the hacker has already gained a foothold in the network.
"This attack simply allows an admin user to execute code in a high-integrity context without requiring the user to 'approve' the administrative action via the pop-up. It essentially removes the restrictions an attacker has when running under the context of a local administrator," Nelson told Kaspersky Labs' Threatpost.
UAC bypasses not worth patching
Nelson, who has previously discovered other ways to bypass the UAC in Windows, such as hijacking the native Disk Cleanup tool in Windows 10, said that he has disclosed multiple UAC bypasses to Microsoft, but the software giant has told him that it does not consider this type of exploit worthy of being included in a Patch Tuesday security update.
"This significantly reduces the risk to the attacker because they aren't placing a traditional file on the file system that can be caught by AV/HIPS or forensically identified later," explained Nelson.
"Fileless attacks permit an attacker to operate without the risk of detection from security products that rely upon traditional, file-based analysis. It also reduces the attacker's footprint on the system."
A Microsoft spokesperson told IBTimes UK: "This is not a vulnerability but a method of bypassing a defense-in-depth feature – and it requires administrative privileges to work. We recommend customers follow best practices and not run machines in administrator mode full-time."