M1052 User Account Control
User Account Control (UAC) is a security feature in Microsoft Windows that prevents unauthorized changes to the operating system. UAC prompts users to confirm or provide administrator credentials when an action requires elevated privileges. Proper configuration of UAC reduces the risk of privilege escalation attacks. This mitigation can be implemented through the following measures:
Enable UAC Globally:
- Ensure UAC is enabled through Group Policy by setting
User Account Control: Run all administrators in Admin Approval ModetoEnabled.
Require Credential Prompt:
- Use Group Policy to configure UAC to prompt for administrative credentials instead of just confirmation (
User Account Control: Behavior of the elevation prompt).
Restrict Built-in Administrator Account:
Set Admin Approval Mode for the built-in Administrator account to Enabled in Group Policy.
Secure the UAC Prompt:
- Configure UAC prompts to display on the secure desktop (
User Account Control: Switch to the secure desktop when prompting for elevation).
Prevent UAC Bypass:
- Block untrusted applications from triggering UAC prompts by configuring
User Account Control: Only elevate executables that are signed and validated. - Use EDR tools to detect and block known UAC bypass techniques.
Monitor UAC-Related Events:
- Use Windows Event Viewer to monitor for event ID 4688 (process creation) and look for suspicious processes attempting to invoke UAC elevation.
Tools for Implementation
Built-in Windows Tools:
- Group Policy Editor: Configure UAC settings centrally for enterprise environments.
- Registry Editor: Modify UAC-related settings directly, such as
EnableLUAandConsentPromptBehaviorAdmin.
Endpoint Security Solutions:
- Microsoft Defender for Endpoint: Detects and blocks UAC bypass techniques.
- Sysmon: Logs process creations and monitors UAC elevation attempts for suspicious activity.
Third-Party Security Tools:
- Process Monitor (Sysinternals): Tracks real-time processes interacting with UAC.
- EventSentry: Monitors Windows Event Logs for UAC-related alerts.
| Item | Value |
|---|---|
| ID | M1052 |
| Version | 1.2 |
| Created | 11 June 2019 |
| Last Modified | 24 December 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL. |
| enterprise | T1548.002 | Bypass User Account Control | Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.011 | Application Shimming | Changing UAC settings to “Always Notify” will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions. |
| enterprise | T1574 | Hijack Execution Flow | Turn off UAC’s privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] to automatically deny elevation requests, add: “ConsentPromptBehaviorUser”=dword:00000000. Consider enabling installer detection for all users by adding: “EnableInstallerDetection”=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: “EnableInstallerDetection”=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. 1 |
| enterprise | T1574.005 | Executable Installer File Permissions Weakness | Turn off UAC’s privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] to automatically deny elevation requests, add: “ConsentPromptBehaviorUser”=dword:00000000. Consider enabling installer detection for all users by adding: “EnableInstallerDetection”=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: “EnableInstallerDetection”=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. 1 |
| enterprise | T1574.010 | Services File Permissions Weakness | Turn off UAC’s privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]to automatically deny elevation requests, add: “ConsentPromptBehaviorUser”=dword:00000000. Consider enabling installer detection for all users by adding: “EnableInstallerDetection”=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: “EnableInstallerDetection”=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.1 |
| enterprise | T1550 | Use Alternate Authentication Material | - |
| enterprise | T1550.002 | Pass the Hash | Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy. |