UAC Guard

UAC is not a security boundary and has inherent limitations as well as good number of known and unpatched exploits. We recommend configuring your users‘ accounts to run as standard users or using a Privilege Management solution. If that is not possible, UAG Guard may be of help.

UAC Guard is a research project that aims to prevent all known forms of code injections and - ehm - Local Privilege Elevation. The default policy protects all Windows inbox executables from sideloading non-Windows DLLs. A Windows binary, in this context, is a signed file whose certificate contains specific Enhanced Key Usage values.

Background

Sophisticated malware families typically employ a combination of techniques to achieve their objectives. In this context, we will focus on Execution and Privilege Escalation, on Windows.

A common technique to evade detection involves injecting and executing code into legitimate processes, typically writing to a process’s memory and/or causing it to load a malicious DLL.

The primary targets are operating system files, as they are guaranteed to be present on the victim’s endpoint.

In recent versions of Windows, every single(*) file that is shipped as part of the operating system is digitally signed. Therefore, there should be no reasons for a Windows executable to load an untrusted DLL - **ever**.

This should not need something that needs to be "detected". It should be enforced by the OS by default.

Process Mitigation Policies to control Image Loading and Binary Signature can be applied to mitigate some of these techniques. The main limitation is that Binary Image policies apply generically to "Microsoft" code and they cannot be customized nor extended to other vendors. Process Mitigation Policies also require you to identify all operating system files and write policies for all of them.

UAC Guard

UAC Guard protects all Windows executables by preventing them from loading non-Windows DLLs. It consists of a kernel driver that intercepts both process creation and DLLs loading and checks their characteristics. In this context, Windows executable/DLL means a digitally signed binary file that is shipped as part of the operating system with specific Enhanced Key Attributes included in its certificate(s) as shown below.

Enhanced Key Attributes image
UAC presents a challenge, as if one can easily gain Adinistrative privileges, it's game over. It is thus important to prevent the execution of known UAC bypasses to make this solution effective.

Features

  • Single Policy: Audit or Enabled
  • Restricts Windows executable to only loading Windows and Microsoft DLLs
  • Prevents non-Windows processes from writing to Windows processes' memory
  • Blocks known UAC Privilege Escalation attempts
  • Prevent Process Hollowing, Doppelgaenging, Herpaderping, etc.

Proof of Concept

The POC is a self-contained kernel driver for Windows 10+.

The driver leverages Code Integrity and caches information on NTFS, inaccessible to user mode applications.

The POC takes also into account security solutions that might inject their own DLL(s) into user mode processes. This is accomplsihed by a simple certificate white-list. The mechanism can be easily extended to cover applications such as Office, Acrobat Reader, etc.

Why

I believe that there is the need for better OS "defaults" to reduce the attack surface area. These safe default are effective in disrupting common attack patterns that often precede ransomware deployment.

Possible extensions:

  • Support for popular applications like Office and Acrobat Reader
  • Support for a generic policy
  • Prevent Microsoft scripting DLLs from being loaded into other applications
  • Prevent loading of lol drivers
  • Prevent lol bins from gaining administative privileges
  • etc.

(*) With the exception of Native Images.