Fileless UAC Bypass Uses Windows Backup and Restore Utility

Researcher Matt Nelson disclosed another Windows UAC bypass, this one abusing the sdclt.exe backup and restore utility to execute a payload without triggering an alert.

One nugget buried in a recent Vault 7 dump was a bypass of User Account Control in Windows 7 that allows applications to execute code without triggering the familiar prompt to the user that something may be afoot.

Microsoft has not, in the past, considered UAC a security boundary, so a bypass does not trigger a security bulletin and a patch release. But with apparent nation-state interest, the upcoming Windows 10 Creators Update scheduled for delivery this spring takes on new significance, given that a number of older UAC bypasses will reportedly be addressed.

Researcher Matt Nelson, who previously has found and disclosed a few of these issues, recently disclosed a fresh bypass that takes advantage of the sdclt.exe backup and restore utility in Windows.

Nelson said that the utility is among a number of Microsoft-signed binaries that auto-elevate due to its manifest, and that it can be abused to execute a payload in a “high-integrity context” without triggering the UAC prompt. And like other similar bypasses, this is a post-exploitation technique.

“It is just a local attack. UAC bypasses are only useful if an attacker has access to a host and is running in the context of a user account that is a part of the Local Administrators group,” Nelson told Threatpost. “This is just a way to silently elevate into a high-integrity context, which tools such as Mimikatz require.”

Nelson said he did not privately disclose this bypass to Microsoft. In the past, Microsoft has not considered these to be vulnerabilities, but rather bypasses of a defense-in-depth feature. This attack, however, works only on Windows 10 (and possibly Windows 8) machines because of a change Microsoft made after Windows 7. The sdclt.exe utility in Windows 7 has its execution level set to “AsInvoker” in its manifest, Nelson said, which prevents auto-elevation.

“While this binary was used to demonstrate the technique, there are likely other binaries that can be used as well. It should be noted that this binary can’t be used to bypass UAC on Windows 7,” Nelson said. “It has been tested on Windows 10, and reported to work on Windows 8.”

This attack, similar to a UAC bypass using the Event Viewer feature disclosed by Nelson last summer, is fileless. It uses the same bug with additional parameters without dropping files or libraries on the local system, making it more challenging for detection systems to discover and alert about such an attack.

“Fileless attacks simply reduce the footprint an attacker leaves on the system, in the sense that it doesn’t require a payload to be put directly on the filesystem,” Nelson said. “From an attacker’s perspective, this reduces the risk of their malware/payload getting detected and quarantined by different security products.”

Nelson said he is not aware of any publicly known malware using this technique. He added that until the availability of the Creators Update, Windows admins can set the UAC level to “Always Notify” or remove the current user from the Local Admin group as a remediation.
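As an added example that is not part of the article or of Nelson’s research, the following PowerShell snippet audits the two interim mitigations just described on a Windows 10 host: whether UAC is at “Always Notify” and whether the logged-on user’s token carries the local Administrators group. The registry path, value names and the S-1-5-32-544 SID are standard Windows locations rather than values taken from the article; the script assumes Windows PowerShell 5.1 and the built-in whoami.exe.

```powershell
# Added example (not from the article): audit the interim UAC mitigations Nelson names.
# Assumes Windows 10, Windows PowerShell 5.1 and the built-in whoami.exe.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey

# "Always Notify" in the UAC control panel corresponds to ConsentPromptBehaviorAdmin = 2
# (prompt for consent on the secure desktop) together with PromptOnSecureDesktop = 1.
# At that level Windows no longer auto-elevates signed binaries such as sdclt.exe.
$alwaysNotify = ($uac.EnableLUA -eq 1) -and
                ($uac.ConsentPromptBehaviorAdmin -eq 2) -and
                ($uac.PromptOnSecureDesktop -eq 1)

# Auto-elevation only matters when the user's token contains the local Administrators
# group (well-known SID S-1-5-32-544). whoami /groups still lists it, marked
# "Group used for deny only", in the filtered medium-integrity token that UAC hands
# a local admin; that filtered-admin session is the one a UAC bypass elevates from.
$tokenGroups  = whoami /groups
$isLocalAdmin = [bool]($tokenGroups | Select-String -SimpleMatch 'S-1-5-32-544')

[pscustomobject]@{
    ComputerName               = $env:COMPUTERNAME
    User                       = "$env:USERDOMAIN\$env:USERNAME"
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop
    UacAlwaysNotify            = $alwaysNotify
    UserInLocalAdmins          = $isLocalAdmin
    # Both mitigations missing: a local-admin user on a host that still auto-elevates.
    ExposedToAutoElevate       = ($isLocalAdmin -and -not $alwaysNotify)
}
```

Run it in a normal (non-elevated) session, since that is the token a bypass would start from; any host reporting ExposedToAutoElevate = True lacks both mitigations.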

“Microsoft, in my opinion, is quite vested in resolving these bypasses,” Nelson said. “UAC isn’t an official security boundary, but Microsoft is spending time fixing the ones they know about. Like I mentioned, the Windows 10 Creators Update contains fixes for the vast majority of public bypasses.”
