{"id":7818,"date":"2024-05-21T07:09:19","date_gmt":"2024-05-21T07:09:19","guid":{"rendered":"\/cybersecurity-blog\/?p=7818"},"modified":"2025-01-31T06:45:02","modified_gmt":"2025-01-31T06:45:02","slug":"windows11-uac-bypass","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/","title":{"rendered":"Windows 11 UAC Bypass in Modern Malware"},"content":{"rendered":"\n<p>In this article, we&#8217;ve prepared a brief overview of UAC bypass methods in Windows 11 that are used in modern malware and provided examples of their implementation in active threats. We&#8217;ll show how to bypass user account control via:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exploitation of COM interfaces with the Auto-Elevate property&nbsp;<\/li>\n\n\n\n<li>Modification of the ms-settings registry branch&nbsp;<\/li>\n\n\n\n<li>Infinite UAC Prompt Loop (social engineering)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s investigate these methods.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Exploitation of COM Interfaces with the Auto-Elevate Property&nbsp;<\/h2>\n\n\n\n<p>First, let\u2019s quickly define COM.&nbsp;&nbsp;<\/p>\n\n\n\n<p>COM (Component Object Model) refers to objects containing data and methods for working with them. COM objects can be used to create various applications.&nbsp;<\/p>\n\n\n\n<p>You can find the list of COM objects in this registry key:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\\HKEY_CLASSES_ROOT\\CLSID<\/strong>.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>We are interested in those that have the <strong>Elevation &#8211; Enable &#8211; 1<\/strong> entry in the registry. 
This means that the given object runs with elevated privileges without the UAC window appearing.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"928\" height=\"129\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/registry.png\" alt=\"\" class=\"wp-image-7870\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/registry.png 928w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/registry-300x42.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/registry-768x107.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/registry-370x51.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/registry-270x38.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/registry-740x103.png 740w\" sizes=\"(max-width: 928px) 100vw, 928px\" \/><figcaption class=\"wp-element-caption\">Elevation Enable (cmstplua COM object)<\/figcaption><\/figure><\/div>\n\n\n<p>The main COM objects that can be used for UAC bypass are:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>{3E5FC7F9-9A51-4367-9063-A120244FBEC7} (cmstplua.dll)&nbsp;<\/li>\n\n\n\n<li>{D2E7041B-2927-42fb-8E9F-7CE93B6DC937} (colorui.dll)&nbsp;&nbsp;<\/li>\n\n\n\n<li>{E9495B87-D950-4AB5-87A5-FF6D70BF3E90} (wscui.cpl)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s utilize <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktolookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Threat Intelligence Lookup<\/a> and try to find the use of the COM object cmstplua.dll using <a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktolookup\/#{%22query%22:%22CommandLine:%5C%22Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%5C%22%20%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">this query<\/a>:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>CommandLine:\"Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\" <\/code><\/pre>\n\n\n\n<p>We managed to find <a href=\"https:\/\/app.any.run\/tasks\/596e9b4b-6ae6-4655-b7eb-2bcb39f5e027\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">a recent Formbook sample<\/a> among the sandbox sessions:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"548\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-1024x548.jpg\" alt=\"\" class=\"wp-image-7821\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-1024x548.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-300x161.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-768x411.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-370x198.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-270x144.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-740x396.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Example of CMSTPLUA exploitation (UAC bypass from the <a 
href=\"https:\/\/app.any.run\/tasks\/596e9b4b-6ae6-4655-b7eb-2bcb39f5e027\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">session featuring Formbook<\/a>)<\/figcaption><\/figure><\/div>\n\n\n<p>Now let&#8217;s try to find the use of the COM object colorui.dll with the help of <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktolookup\/#{%22query%22:%22CommandLine:%5C%22Processid:{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}%5C%22%C2%A0%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">this query<\/a>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>CommandLine:\"Processid:{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}\" <\/code><\/pre>\n\n\n\n<p>We discover older Lockbit samples; nonetheless, both this and the previous method still work on Windows 11.&nbsp;You can also analyze UAC bypass methods inside <a href=\"https:\/\/any.run\/cybersecurity-blog\/windows-10-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows 10<\/a> in the ANY.RUN sandbox for free.
<\/p>\n\n\n\n<p>Here is <a href=\"https:\/\/app.any.run\/tasks\/b574fae6-379e-4534-a169-65b957b271fc\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">a sandbox analysis of one sample<\/a>:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"611\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-1024x611.jpg\" alt=\"\" class=\"wp-image-7822\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-1024x611.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-300x179.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-768x458.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-370x221.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-270x161.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-740x442.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Example of colorui exploitation (UAC Bypass from the <a href=\"https:\/\/app.any.run\/tasks\/b574fae6-379e-4534-a169-65b957b271fc\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">session featuring Lockbit<\/a>)<\/figcaption><\/figure><\/div>\n\n\n<p>That is why organizations dealing with Windows 11 UAC security issues must take colorui exploitation into account as one of the most common techniques used by attackers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Modifying the ms-settings 
Registry Branch and DelegateExecute Key&nbsp;<\/h2>\n\n\n\n<p>This method works because some programs that start with elevated privileges (<strong>fodhelper<\/strong>, for example, which gives the fodhelper UAC bypass its name) first look up the non-existent <strong>HKCU:Software\\Classes\\ms-settings\\shell\\open\\command<\/strong> registry branch and only then fall back to the existing <strong>HKCR:ms-settings\\shell\\open\\command<\/strong> branch.<\/p>\n\n\n\n<p>Moreover, the first branch is writable with the current user&#8217;s rights.&nbsp;<\/p>\n\n\n\n<p>This results in a situation where creating the required registry branch and key allows the action to be 
performed without the UAC prompt appearing.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s once again use ANY.RUN\u2019s TI Lookup and run <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktolookup\/#{%22query%22:%22RegistryKey:%5C%22%5C%5C%5C%5Cms-settings%5C%5C%5C%5Cshell%5C%5C%5C%5Copen%5C%5C%5C%5Ccommand%5C%22%20and%20RegistryName:%5C%22DelegateExecute%5C%22%20%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">the following query<\/a>:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RegistryKey:\"\\\\ms-settings\\\\shell\\\\open\\\\command\" and RegistryName:\"DelegateExecute\" <\/code><\/pre>\n\n\n\n<p>We found <strong>BlankGrabber<\/strong>. Note that the path to the executable is written in Default.&nbsp;<\/p>\n\n\n\n<p>Here is <a href=\"https:\/\/app.any.run\/tasks\/f8d1eafa-8b92-42e4-8b5d-36aab72f3b72\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">an example<\/a>:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1013\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-1024x1013.jpg\" alt=\"\" class=\"wp-image-7823\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-1024x1013.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-300x297.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-768x760.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-70x70.jpg 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-370x366.jpg 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-270x267.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-740x732.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Modifying the Registry (UAC Bypass in a <a href=\"https:\/\/app.any.run\/tasks\/f8d1eafa-8b92-42e4-8b5d-36aab72f3b72\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">session featuring <strong>BlankGrabber<\/strong><\/a>)<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Infinite UAC Prompt Loop&nbsp;<\/h2>\n\n\n\n<p>In this method, the UAC prompt asking the user to run an application is shown again and again. Because the script reopens the prompt as soon as it is dismissed, the user effectively has no choice but to agree to run the application. 
There&#8217;s also a chance that the user will accidentally agree.&nbsp;<\/p>\n\n\n\n<p>Example of a simple script:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>while($true){try{Start-Process \"cmd.exe\" -Verb runas -ArgumentList \"\/c\", 'payload &amp;&amp; pause';exit}catch{}} <\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"808\" height=\"635\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-2.png\" alt=\"\" class=\"wp-image-7824\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-2.png 808w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-2-300x236.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-2-768x604.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-2-370x291.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-2-270x212.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-2-740x582.png 740w\" sizes=\"(max-width: 808px) 100vw, 808px\" \/><figcaption class=\"wp-element-caption\">UAC Window<\/figcaption><\/figure><\/div>\n\n\n<p>During our research, we came across several cases employing a similar method:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/1f338e0e-4bd7-4874-b60a-b80bfdaa9de6\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">DCrat<\/a>&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/app.any.run\/tasks\/190efb94-ed32-47e8-9a50-299a909a55a3\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer 
noopener\">PureMiner<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>This method is closely related to social engineering, as it directly depends on the user&#8217;s actions.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detection&nbsp;<\/h2>\n\n\n\n<p>To detect these methods, you can use the following rules:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/master\/rules\/windows\/process_creation\/proc_creation_win_uac_bypass_icmluautil.yml\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Rule #1<\/a>: Detects the exploitation of popular auto-elevated COM objects.&nbsp;&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/master\/rules\/windows\/registry\/registry_set\/registry_set_bypass_uac_using_delegateexecute.yml\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Rule #2<\/a>: Detects the ms-settings DelegateExecute registry modification.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping up&nbsp;<\/h2>\n\n\n\n<p>The UAC bypass methods highlighted in this article are not the only ones cyber security experts need to be aware of. There are also custom techniques that are difficult to detect, but they&#8217;re few and far between and rarely seen in the wild, because they&#8217;re just as difficult to implement.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. 
Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Advantages of ANY.RUN&nbsp;&nbsp;<\/h3>\n\n\n\n<p>ANY.RUN helps you analyze threats faster while improving detection rates. The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible.&nbsp;<\/p>\n\n\n\n<p>With ANY.RUN you can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detect malware in under 40s<\/strong>: ANY.RUN detects malware within about 40 seconds of a file upload. 
It identifies prevalent malware families using YARA and Suricata rules and uses behavioral signatures to detect malicious actions when you encounter a new threat.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Interact with samples in real time<\/strong>: ANY.RUN is an interactive cloud sandbox powered by VNC, which means that you can do everything you could on a real system: browse webpages, click through installers, open password-protected archives.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Save time and money on sandbox setup and maintenance<\/strong>: ANY.RUN\u2019s cloud-based nature eliminates the need for setup or maintenance by your DevOps team, making it a cost-effective solution for businesses.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Record and study all aspects of malware behavior<\/strong>: ANY.RUN provides a detailed analysis of malware behavior, including network traffic, system calls, and file system changes.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Collaborate with your team<\/strong>: easily share analysis results, or, as a senior team member, check work of junior analysts by viewing recordings of their analysis sessions.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scale as you need<\/strong>: as a cloud service, you can easily scale your team, simply by adding more licenses.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>We&#8217;ll show you in an interactive presentation how ANY.RUN can help your security team.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows11_uac_bypass&amp;utm_term=210524&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Get a demo \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article, we&#8217;ve prepared a brief overview of UAC bypass methods in Windows 11 
that are used in modern malware and provided examples of their implementation in active threats. We&#8217;ll show how to bypass user account control via:&nbsp; Let&#8217;s investigate these methods.&nbsp; Exploitation of COM Interfaces with the Auto-Elevate Property&nbsp; First, let\u2019s quickly define [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7826,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-7818","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Windows 11 UAC Bypass in Modern Malware - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn about UAC bypass methods in Windows 11 that are used in modern malware and explore examples of their implementation in active threats.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"khr0x\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/\"},\"author\":{\"name\":\"khr0x\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Windows 11 UAC Bypass in Modern Malware\",\"datePublished\":\"2024-05-21T07:09:19+00:00\",\"dateModified\":\"2025-01-31T06:45:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/\"},\"wordCount\":1009,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/\",\"name\":\"Windows 11 UAC Bypass in Modern Malware - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-05-21T07:09:19+00:00\",\"dateModified\":\"2025-01-31T06:45:02+00:00\",\"description\":\"Learn about UAC bypass methods in Windows 11 that are used in modern malware and explore examples of their implementation in active 
threats.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Windows 11 UAC Bypass in Modern Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"khr0x\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg\",\"caption\":\"khr0x\"},\"description\":\"I'm 21 years old and I work as a malware analyst for more than a year. I like finding out what kind of malware got on my computer. In my spare time I do sports and play video games.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Windows 11 UAC Bypass in Modern Malware - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn about UAC bypass methods in Windows 11 that are used in modern malware and explore examples of their implementation in active threats.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/","twitter_misc":{"Written by":"khr0x","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/"},"author":{"name":"khr0x","@id":"https:\/\/any.run\/"},"headline":"Windows 11 UAC Bypass in Modern Malware","datePublished":"2024-05-21T07:09:19+00:00","dateModified":"2025-01-31T06:45:02+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/"},"wordCount":1009,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/","url":"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/","name":"Windows 11 UAC Bypass in Modern Malware - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-05-21T07:09:19+00:00","dateModified":"2025-01-31T06:45:02+00:00","description":"Learn about UAC bypass methods in Windows 11 that are used in modern malware and explore examples of their implementation in active threats.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware 
Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Windows 11 UAC Bypass in Modern Malware"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"khr0x","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg","caption":"khr0x"},"description":"I'm 21 years old and I work as a malware analyst for more than a year. I like finding out what kind of malware got on my computer. 
In my spare time I do sports and play video games.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7818"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7818"}],"version-history":[{"count":19,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7818\/revisions"}],"predecessor-version":[{"id":11381,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7818\/revisions\/11381"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7826"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7818"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7818"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7818"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}