Skip to content

M1052 User Account Control

Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.

Item Value
ID M1052
Version 1.1
Created 11 June 2019
Last Modified 31 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking.
enterprise T1548.002 Bypass User Account Control Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking.
enterprise T1546 Event Triggered Execution -
enterprise T1546.011 Application Shimming Changing UAC settings to “Always Notify” will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.
enterprise T1574 Hijack Execution Flow Turn off UAC’s privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] to automatically deny elevation requests, add: “ConsentPromptBehaviorUser”=dword:00000000. Consider enabling installer detection for all users by adding: “EnableInstallerDetection”=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: “EnableInstallerDetection”=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. 1
enterprise T1574.005 Executable Installer File Permissions Weakness Turn off UAC’s privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] to automatically deny elevation requests, add: “ConsentPromptBehaviorUser”=dword:00000000. Consider enabling installer detection for all users by adding: “EnableInstallerDetection”=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: “EnableInstallerDetection”=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. 1
enterprise T1574.010 Services File Permissions Weakness Turn off UAC’s privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]to automatically deny elevation requests, add: “ConsentPromptBehaviorUser”=dword:00000000. Consider enabling installer detection for all users by adding: “EnableInstallerDetection”=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: “EnableInstallerDetection”=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.1
enterprise T1199 Trusted Relationship Properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary.
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy.

References

Back to top