Behavior:Win32/BypassUAC is a critical heuristic detection for malware or attack frameworks that actively exploit design flaws or vulnerabilities in the Windows User Account Control (UAC) mechanism to silently elevate privileges from a standard user to a local Administrator.
Understanding BypassUAC
For the end-user, this behavior is invisible—the screen does not dim, and no prompt asking for 'Yes/No' administrator approval appears. For an incident responder, a BypassUAC alert means the attacker has successfully compromised the entire machine. By bypassing the prompt, the malware can now silently disable Windows Defender, install rootkits, or dump LSASS memory to steal domain credentials.
Execution and Evasion Strategies
BypassUAC is not a specific malware family, but a technique heavily utilized by advanced trojans (like Trickbot or Emotet) and penetration testing frameworks (like Metasploit and Cobalt Strike). Common techniques include 'Auto-Elevated COM Objects' (exploiting trusted Windows binaries like eventvwr.exe or sdclt.exe that automatically run as admin without prompting) and 'DLL Hijacking' (placing a malicious DLL in a specific path where an auto-elevating process will load it). The attacker drops the payload, triggers the trusted Windows binary, and the payload executes with elevated privileges.
Indicators of Compromise & Impact
The impact is total endpoint compromise. Threat hunters should look for anomalous execution of administrative tools (e.g., pkgmgr.exe, ComputerDefaults.exe, fodhelper.exe) immediately followed by the spawning of an unknown child process or a command shell. EDR platforms detect this by monitoring for DLLs being written to system paths immediately prior to the execution of auto-elevating binaries.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Privilege Escalation |
T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Privilege Escalation |
T1055 | Process Injection | Defense Evasion |
T1112 | Modify Registry | Defense Evasion |
T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_BYPASSUAC {
meta:
description = "Detects Bypassuac (trojan_tool)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "bypassuac" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Bypassuac Activity
id: b171ef4cc34e39efdf12dbf4855648d2
status: experimental
description: Detects generic indicators of the bypassuac malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*bypassuac*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/bypassuac.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.