Windows 10 UAC Bypass

A German graduate student named Christian B. discovered a User Account Control (UAC) bypass that could allow a threat actor to run code with administrative privileges, and without a prompt, on Windows 10 devices when the logged-in user is a member of the local Administrators group. The technique abuses "auto-elevation," a property Microsoft grants to certain trusted binaries: executables signed with a Microsoft certificate and located in a trusted directory, which UAC elevates silently at its default notification level. Christian's method uses one such binary, fodhelper.exe, so Windows 10 displays no UAC prompt when it is executed. On launch, fodhelper.exe reads registry locations for an additional command to execute, and one of them lives in the current user's hive (HKCU), which any process running as that user can write without elevation. Christian found that by setting that key's value he could make fodhelper.exe run a command of his choosing with the elevated token; a threat actor with a foothold as an admin-group user can use this to install malware with full privileges. The method drops no file to disk and does not rely on DLL hijacking, so it leaves fewer artifacts for file-based defenses; the planted registry value is the main indicator of compromise. The bypass was released as a proof-of-concept and has not yet been acknowledged by Microsoft.

The NJCCIC recommends administrators implement the principle of least privilege for all user accounts, prohibit the use of administrator accounts for daily tasks such as web browsing and email, and regularly audit administrator accounts, removing those that are no longer required. Home users should establish non-administrator accounts for daily use, log in to the administrator account only when necessary, and set the UAC level to "Always notify," which disables auto-elevation so that fodhelper.exe and other trusted binaries prompt like any other program.
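The following PowerShell audit script is an added example and is not part of the NJCCIC advisory or of Christian B.'s proof of concept. It assumes Windows 10 with PowerShell 5.1, that it runs in the context of the user being audited (HKCU is per-user), that the registry path HKCU:\Software\Classes\ms-settings\Shell\Open\command is the location the public fodhelper technique writes to (it does not exist on a clean profile), and that the UAC policy values live under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The function names Test-FodhelperHijack, Get-UacPosture and Remove-FodhelperHijack are this example's own. It reports whether the handler has been planted, whether the current user is exposed (admin-group member with UAC below "Always notify"), and can remove a planted handler.

```powershell
# Added audit example; not the advisory's or the PoC author's code.
# Assumed paths: the ms-settings handler key the fodhelper bypass writes to,
# and the UAC policy key that holds the notification level.
$HijackKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
$UacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-FodhelperHijack {
    # The bypass plants a command under the ms-settings protocol handler in HKCU,
    # which a standard, unelevated process can write. Any value here is suspicious.
    if (-not (Test-Path $HijackKey)) {
        return [pscustomobject]@{ Present = $false; Command = $null; DelegateExecute = $null }
    }
    $p = Get-ItemProperty -Path $HijackKey
    [pscustomobject]@{
        Present         = $true
        Command         = $p.'(default)'     # the command fodhelper.exe will run elevated
        DelegateExecute = $p.DelegateExecute # the public PoC sets this to an empty string
    }
}

function Get-UacPosture {
    # ConsentPromptBehaviorAdmin: 2 = "Always notify" (auto-elevation disabled),
    # 5 = Windows 10 default (prompt only for non-Windows binaries), 0 = never notify.
    $s = Get-ItemProperty -Path $UacKey
    # whoami lists the Administrators group (S-1-5-32-544) even when the token is
    # filtered (deny-only), so this reflects group membership, not current elevation.
    $adminMember = $null -ne (whoami /groups /fo csv | ConvertFrom-Csv |
                              Where-Object SID -eq 'S-1-5-32-544')
    [pscustomobject]@{
        EnableLUA                  = $s.EnableLUA
        ConsentPromptBehaviorAdmin = $s.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $s.PromptOnSecureDesktop
        CurrentUserIsAdminMember   = $adminMember
        # Exposed to this bypass: UAC on, level below "Always notify", admin-group user.
        AutoElevateExposed         = ($s.EnableLUA -eq 1) -and
                                     ($s.ConsentPromptBehaviorAdmin -ne 2) -and
                                     $adminMember
    }
}

function Remove-FodhelperHijack {
    # Remediation: delete the planted handler. Windows does not create
    # HKCU\Software\Classes\ms-settings itself, so removing the subtree is safe on a
    # stock profile; review the Command value first if you need it for forensics.
    $root = 'HKCU:\Software\Classes\ms-settings'
    if (Test-Path $root) { Remove-Item -Path $root -Recurse -Force }
}

$hijack = Test-FodhelperHijack
$uac    = Get-UacPosture
$hijack | Format-List
$uac    | Format-List
if ($hijack.Present) {
    Write-Warning "ms-settings handler is hijacked; fodhelper.exe would run: $($hijack.Command)"
}
if ($uac.AutoElevateExposed) {
    Write-Warning 'Admin-group user with UAC below "Always notify": auto-elevating binaries such as fodhelper.exe will not prompt.'
}
```

Run it under each interactive user on the host, since the handler key is per-user and a hijack planted for one account is invisible from another. Setting ConsentPromptBehaviorAdmin to 2 (with PromptOnSecureDesktop at 1) is the registry equivalent of the "Always notify" slider position the advisory recommends.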