Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking. |
|
.002 | Bypass User Account Control |
Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking. |
||
Enterprise | T1546 | .011 | Event Triggered Execution: Application Shimming |
Changing UAC settings to "Always Notify" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions. |
Enterprise | T1574 | Hijack Execution Flow |
Turn off UAC's privilege elevation for standard users |
|
.005 | Executable Installer File Permissions Weakness |
Turn off UAC's privilege elevation for standard users |
||
.010 | Services File Permissions Weakness |
Turn off UAC's privilege elevation for standard users |
||
Enterprise | T1199 | Trusted Relationship |
Properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary. |
|
Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons.[2] |