Bypassuac

Category: trojan_tool · Aliases: None known · Sample count (EMBER 2018): 145 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Behavior:Win32/BypassUAC is a critical heuristic detection for malware or attack frameworks that actively exploit design flaws or vulnerabilities in the Windows User Account Control (UAC) mechanism to silently elevate privileges from a standard user to a local Administrator.

Understanding BypassUAC
For the end-user, this behavior is invisible—the screen does not dim, and no prompt asking for 'Yes/No' administrator approval appears. For an incident responder, a BypassUAC alert means the attacker has successfully compromised the entire machine. By bypassing the prompt, the malware can now silently disable Windows Defender, install rootkits, or dump LSASS memory to steal domain credentials.

Execution and Evasion Strategies
BypassUAC is not a specific malware family, but a technique heavily utilized by advanced trojans (like Trickbot or Emotet) and penetration testing frameworks (like Metasploit and Cobalt Strike). Common techniques include 'Auto-Elevated COM Objects' (exploiting trusted Windows binaries like eventvwr.exe or sdclt.exe that automatically run as admin without prompting) and 'DLL Hijacking' (placing a malicious DLL in a specific path where an auto-elevating process will load it). The attacker drops the payload, triggers the trusted Windows binary, and the payload executes with elevated privileges.

Indicators of Compromise & Impact
The impact is total endpoint compromise. Threat hunters should look for anomalous execution of administrative tools (e.g., pkgmgr.exe, ComputerDefaults.exe, fodhelper.exe) immediately followed by the spawning of an unknown child process or a command shell. EDR platforms detect this by monitoring for DLLs being written to system paths immediately prior to the execution of auto-elevating binaries.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1548.002Abuse Elevation Control Mechanism: Bypass User Account ControlPrivilege Escalation
T1574.001Hijack Execution Flow: DLL Search Order HijackingPrivilege Escalation
T1055Process InjectionDefense Evasion
T1112Modify RegistryDefense Evasion
T1562.001Impair Defenses: Disable or Modify ToolsDefense Evasion

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_BYPASSUAC {
    meta:
        description = "Detects Bypassuac (trojan_tool)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "bypassuac" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Bypassuac Activity
id: b171ef4cc34e39efdf12dbf4855648d2
status: experimental
description: Detects generic indicators of the bypassuac malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*bypassuac*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Immediately isolate the endpoint; a successful UAC bypass means the attacker has full administrative control and is likely moving laterally.
  2. Capture a full memory image to identify what payload was executed with the elevated privileges.
  3. Enforce the 'Always Notify' setting for UAC via Group Policy across the domain to mitigate automated bypass techniques.
  4. Assume total machine compromise; rebuild the operating system and force a password reset for the local user and any cached domain accounts.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not assume the user clicked 'Yes' to a prompt; UAC bypasses are entirely silent and automated by the malware.
  2. Avoid relying solely on local AV after a bypass; the attacker has the privileges to whitelist their own tools or disable the AV entirely.

References & External Analysis

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/bypassuac.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.