Esc
Bypass User Account Control - T1548.002
(ATT&CK® Technique)
Definition
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1548002["Bypass User Account Control"] --> |invokes| CreateProcess["Create Process"]; class T1548002 OffensiveTechniqueNode; class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1548002["Bypass User Account Control"] --> |executes| ExecutableFile["Executable File"]; class T1548002 OffensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1548002["Bypass User Account Control"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1548002 OffensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | CreateProcess["Create Process"]; ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | May Detect | T1548002["Bypass User Account Control"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; SystemCallAnalysis["System Call Analysis"] --> | analyzes | CreateProcess["Create Process"]; SystemCallAnalysis["System Call Analysis"] -.-> | May Detect | T1548002["Bypass User Account Control"] ; class SystemCallAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableFile["Executable File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | May Detect | T1548002["Bypass User Account Control"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | May Detect | T1548002["Bypass User Account Control"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"]; DynamicAnalysis["Dynamic Analysis"] -.-> | May Detect | T1548002["Bypass User Account Control"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; FileRemoval["File Removal"] --> | deletes | ExecutableFile["Executable File"]; FileRemoval["File Removal"] -.-> | May Evict | T1548002["Bypass User Account Control"] ; class FileRemoval DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"]; DecoyFile["Decoy File"] -.-> | May Deceive | T1548002["Bypass User Account Control"] ; class DecoyFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"]; FileEncryption["File Encryption"] -.-> | May Harden | T1548002["Bypass User Account Control"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"]; LocalFilePermissions["Local File Permissions"] -.-> | May Harden | T1548002["Bypass User Account Control"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableDenylisting["Executable Denylisting"] -.-> | May Isolate | T1548002["Bypass User Account Control"] ; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] --> | restricts | CreateProcess["Create Process"]; class ExecutableDenylisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | restricts | CreateProcess["Create Process"]; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | May Isolate | T1548002["Bypass User Account Control"] ; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class CreateProcess ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | May Isolate | T1548002["Bypass User Account Control"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | restricts | CreateProcess["Create Process"]; class ExecutableAllowlisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; RestoreFile["Restore File"] --> | restores | ExecutableFile["Executable File"]; RestoreFile["Restore File"] -.-> | May Restore | T1548002["Bypass User Account Control"] ; class RestoreFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreConfiguration["Restore Configuration"] --> | restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"]; RestoreConfiguration["Restore Configuration"] -.-> | May Restore | T1548002["Bypass User Account Control"] ; class RestoreConfiguration DefensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; FileAnalysis["File Analysis"] -.-> | May Detect | T1548002["Bypass User Account Control"] ; class FileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; SystemCallFiltering["System Call Filtering"] --> | filters | CreateProcess["Create Process"]; SystemCallFiltering["System Call Filtering"] -.-> | May Isolate | T1548002["Bypass User Account Control"] ; class SystemCallFiltering DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; MandatoryAccessControl["Mandatory Access Control"] --> | restricts | CreateProcess["Create Process"]; MandatoryAccessControl["Mandatory Access Control"] -.-> | May Isolate | T1548002["Bypass User Account Control"] ; class MandatoryAccessControl DefensiveTechniqueNode; class CreateProcess ArtifactNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl";