Bypassing Administrator Protection by Abusing UI Access

Key Takeaways

• The UI Access flag, designed for accessibility tools, can be abused to bypass Windows Administrator Protection and UAC by interacting with higher-integrity windows.
• Attackers achieved arbitrary code execution in High integrity UI Access processes via secure directory check bypasses, DLL hijacking, and RPC exploitation.
• Shared user profiles between limited users and UI Access processes allowed environment variable and registry-based DLL hijacking in tools like On-Screen Keyboard and Quick Assist.
• The RAiLaunchAdminProcess RPC method was vulnerable to TOCTOU attacks and improper process creation flag sanitization (e.g., passing the DEBUG_PROCESS flag).
• Microsoft has patched these 9 bypasses, notably changing UI Access processes to use a filtered shadow administrator token instead of the limited user token.

Affected Systems

• Windows 11
• Windows Administrator Protection
• User Account Control (UAC)

Attack Chain

An attacker running as a limited user identifies a method to execute arbitrary code within a UI Access process, such as bypassing secure directory checks using MSIX installers or exploiting TOCTOU vulnerabilities in the RAiLaunchAdminProcess RPC. Once code execution is achieved in the High integrity UI Access process, the attacker triggers a scheduled task (like SilentCleanup) that runs as the shadow administrator and creates a window. The attacker then uses SetWindowsHookEx or GetProcessHandleFromHwnd to inject a malicious DLL into the shadow administrator process, successfully bypassing Administrator Protection and escalating privileges.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: High — EDRs can monitor process creation, RPC calls to RAiLaunchAdminProcess, DLL loads into high-integrity processes, and the use of SetWindowsHookEx. Network Visibility: None — This is a local privilege escalation technique with no inherent network footprint. Detection Difficulty: Hard — Differentiating legitimate UI Access behavior (like accessibility tools) from malicious abuse requires deep inspection of process ancestry, integrity levels, and API calls.

Required Log Sources

• Event ID 4688 (Process Creation)
• Event ID 4656 (Handle Request)
• Sysmon Event 7 (Image Loaded)
• Sysmon Event 10 (Process Access)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for unexpected processes spawning with the UI Access flag enabled, especially those originating from unusual directories or involving drive remapping.	Process creation events (Event ID 4688) with token elevation/UI Access details.	Privilege Escalation	Medium (Legitimate accessibility tools will trigger this, requiring baseline filtering).
Monitor for the SilentCleanup scheduled task being triggered manually by a limited user followed by suspicious DLL loads into cleanmgr.exe.	Scheduled task execution events and Sysmon Event 7 (Image Loaded).	Privilege Escalation	Low (Manual triggering of this task by non-system accounts is rare).

Control Gaps

• Lack of strict profile separation in older Windows versions allowed limited users to influence high-integrity processes via environment variables and registry keys.

Key Behavioral Indicators

• Suspicious use of RAiLaunchAdminProcess with DEBUG_PROCESS flag
• Creation of NTFS named streams on secure directories like C:\Windows\tracing
• Unexpected DLLs loaded into osk.exe or cleanmgr.exe

False Positive Assessment

• Medium

Recommendations

Immediate Mitigation

• Ensure Windows 11 systems are fully updated to receive the patches for these Administrator Protection bypasses.

Infrastructure Hardening

• Restrict limited user write access to directories that might be used for secure directory bypasses.
• Audit and disable unnecessary scheduled tasks that run with highest privileges and allow demand start.

User Protection

• Deploy EDR policies to monitor for DLL hijacking attempts against built-in Windows executables like osk.exe and cleanmgr.exe.

Security Awareness

• Educate security teams on the risks of UI Access and how it can be abused to bypass UAC and Administrator Protection.

MITRE ATT&CK Mapping

• T1548.002 - Bypass User Account Control
• T1574.001 - DLL Search Order Hijacking
• T1055.001 - Dynamic-link Library Injection
• T1053.005 - Scheduled Task/Job: Scheduled Task
• T1564.004 - Hide Artifacts: NTFS File Attributes

Additional IOCs

• File Paths:
  • C:\Windows\tracing - Directory potentially abused via NTFS named streams to bypass secure location checks.
  • Tasks_Migrated - Backup directory potentially abused to bypass secure location checks.
  • C:\Program Files\WindowsApps - Directory abused via MSIX installers to place executables in a trusted location.
  • Z:\osk.exe - Example path used in TOCTOU drive remapping attack against RAiLaunchAdminProcess.
• Command Lines:
  • Purpose: Find accessible files for secure directory bypass | Tools: PowerShell | Stage: Discovery | Get-AccessibleFile -Win32Path $paths -Access Execute, WriteData
  • Purpose: Find UI Access executables | Tools: PowerShell | Stage: Discovery
  • Purpose: Find exploitable scheduled tasks | Tools: PowerShell | Stage: Discovery | Get-AccessibleScheduledTask -Access Execute
• Other:
  • \Microsoft\Windows\Input\LocalUserSyncDataAvailable - Scheduled task identified as a potential candidate for abuse.
  • \Microsoft\Windows\Input\MouseSyncDataAvailable - Scheduled task identified as a potential candidate for abuse.