Vitali Kremez

Exploit development

UAC Turn Off Method: WinNT Simda

7/16/2016

  • ISecurityEditor WinNT/Simda method, used to turn off UAC outright rather than bypass a single prompt; works from Windows 7 up to Windows 10th1 10136

1. ucmMasqueradedAlterObjectSecurityCOM
* Purpose:
* Change an object's security descriptor through ISecurityEditor (SetNamedInfo), called from a process masquerading as a trusted Windows binary.

2. ucmSimdaTurnOffUac
* Purpose:
* Disable UAC using the auto-elevated, undocumented ISecurityEditor COM interface.
* Used by WinNT/Simda since 2010.
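What a host looks like after a "turn off UAC" method has run, as an added check that is not UACME or WinNT/Simda code: the PowerShell below reads the UAC policy values and reports whether any principal outside the expected set can write the key that holds them. That this policy key is the securable object whose DACL the ISecurityEditor call relaxes is an assumption; the value names are the documented UAC policy settings.

```powershell
# Added example (not UACME or WinNT/Simda code). Reads the UAC policy values
# that a "turn off UAC" method ends up changing and reports whether anyone
# outside the trusted set can write the key. Assumption: the policy key below
# is the object whose DACL the ISecurityEditor call relaxes; the value names
# are the documented UAC policy settings. Read-only; runs as a standard user.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $uacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on (default)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 5 = prompt (default), 0 = elevate silently
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = secure desktop (default)
        # A Simda-style result is UAC fully off or admins elevated without any prompt.
        UacDisabledOrSilent        = ($p.EnableLUA -eq 0 -or $p.ConsentPromptBehaviorAdmin -eq 0)
    }
}

function Test-UacKeyAcl {
    # Principals that legitimately hold write access on this key.
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    # Rights that let a caller change values, add subkeys, or rewrite the DACL itself.
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [System.Security.AccessControl.RegistryRights]::TakeOwnership

    $acl = Get-Acl -Path $uacKey
    $unexpected = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
        if ($ace.IdentityReference.Value -in $trusted) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
    [pscustomobject]@{
        Owner             = $acl.Owner        # expected: SYSTEM or TrustedInstaller
        UnexpectedWriters = @($unexpected)    # expected: empty on a default install
    }
}

Get-UacState
Test-UacKeyAcl | Format-List
```

A non-empty UnexpectedWriters list (for example Everyone or BUILTIN\Users with SetValue) is the footprint this method leaves even after the UAC values have been restored, so check the ACL as well as the values.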

UAC Bypass: The Carberp Style

7/16/2016

  • Wusa method used by Win32/Carberp

/* Target directory (relative to %WINDIR%\), the auto-elevated executable living there,
   the DLL it loads from its own directory, and the .MSU name the payload is wrapped in. */
static const char* uacTargetDir[] = { "system32\\sysprep", "ehome" };
static const char* uacTargetApp[] = { "sysprep.exe", "mcx2prov.exe" };
static const char* uacTargetDll[] = { "cryptbase.dll", "CRYPTSP.dll" };
static const char* uacTargetMsu[] = { "cryptbase.msu", "CRYPTSP.msu" };

Steps to reproduce:
1. Make a .cab archive containing your own cryptbase.dll or wdscore.dll and rename it to .MSU.
2. Extract the .MSU into any system directory you want with wusa.exe, which is auto-elevated and therefore writes where a medium-integrity process cannot. For example: wusa.exe PACKAGE.MSU /quiet /extract:%WINDIR%\system32\migwiz
3. Run migwiz.exe, which is itself auto-elevated and loads the planted DLL from its own directory.

UAC Bypass Method: Application Compatibility a/k/a Dridex Method

7/12/2016

Source: http://blog.jpcert.or.jp/2015/02/a-new-uac-bypass-method-that-dridex-uses.html

This UAC bypass method works by manipulating application compatibility (shim) databases.

Method of Operation:
  1. Dridex creates an application compatibility database ($$$.sdb), a batch file ($$$.bat) and a copy of itself (edg3FAC.exe).
  2. Dridex uses sdbinst, the command that installs and uninstalls application compatibility databases, to install $$$.sdb.
  3. Dridex launches iscsicli, the command-line tool for the iSCSI initiator. The configuration in the installed database ($$$.sdb) causes iscsicli.exe to execute $$$.bat with administrative privileges instead of its own code.
  4. $$$.bat executes edg3FAC.exe with administrative privileges.

  • Auto-elevation programs such as sdbinst.exe and iscsicli.exe elevate to administrative privileges when launched by an administrator running under Admin Approval Mode, without a UAC prompt being displayed.
  • sdbinst, which can change the behavior of other programs, is itself an auto-elevation program, so the database is installed without a prompt as well.
1. ucmInitAppHelp
* Purpose:
* Initialize AppHelp routines (resolve the Sdb* API from apphelp.dll).

2. ucmRegisterAndRunTarget
* Purpose:
* Register the shim database and execute the target application.

3. ucmShimRedirectEXE
* Purpose:
* Build and register a shim database, then execute the target application.
* Initially used in BlackEnergy2 and Gootkit by mzH (alive-green).
* Currently used in a number of trojans (Win32/Dyre, WinNT/Cridex).

    /* Fragment of ucmShimRedirectEXE: inside the TAG_EXE entry already opened
       for the target executable, add a SHIM_REF that applies the RedirectEXE
       shim with the payload path as its command line. */
    tidShim = SdbBeginWriteListTag(hShimDb, TAG_SHIM_REF);
    if (tidShim != TAGID_NULL) {
        SdbWriteStringTag(hShimDb, TAG_NAME, L"RedirectEXE");
        SdbWriteStringTag(hShimDb, TAG_COMMAND_LINE, lpszPayloadEXE); /* what the target launches instead */
        SdbEndWriteListTag(hShimDb, tidShim);
    }
    SdbEndWriteListTag(hShimDb, tidEXE); /* close the enclosing TAG_EXE entry */

4. ucmAppcompatElevation
* Purpose:
* AutoElevation using Application Compatibility engine.
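Finding databases registered this way on a host, as an added example that is not Dridex, JPCERT or UACME code: sdbinst records every installed database under the InstalledSDB registry key and, for each shimmed executable, a value named {GUID}.sdb under the Custom key, so the registration step above leaves a durable trail even after $$$.sdb is deleted. The list of auto-elevating targets in the script is an assumption limited to the ones discussed on this page; the registry layout is sdbinst's documented behaviour.

```powershell
# Added example (not Dridex, JPCERT or UACME code). Enumerates the custom shim
# databases that sdbinst registers and flags any that shim an auto-elevating
# executable. Registry layout: each installed database sits under
# InstalledSDB\{GUID}; each shimmed executable gets a Custom\<exe> key whose
# value names are {GUID}.sdb. Assumption: the auto-elevating target list below
# is only the executables discussed on this page; extend it for your estate.
$installedSdb = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$customShims  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$autoElevateTargets = @('iscsicli.exe', 'sysprep.exe')
$appPatchDir  = Join-Path $env:WINDIR 'AppPatch'

function Get-CustomShimDatabases {
    # No Custom key at all is the normal state of a host without custom shims.
    if (-not (Test-Path $customShims)) { return @() }
    foreach ($exeKey in Get-ChildItem -Path $customShims) {
        $exe = $exeKey.PSChildName
        foreach ($valueName in $exeKey.GetValueNames()) {
            $guid = [System.IO.Path]::GetFileNameWithoutExtension($valueName)   # "{GUID}.sdb" -> "{GUID}"
            $info = Get-ItemProperty -Path (Join-Path $installedSdb $guid) -ErrorAction SilentlyContinue
            $installed = $null
            if ($info -and $info.DatabaseInstallTimeStamp) {
                # QWORD FILETIME written by sdbinst at install time
                $installed = [datetime]::FromFileTimeUtc([int64]$info.DatabaseInstallTimeStamp)
            }
            [pscustomobject]@{
                ShimmedExe         = $exe
                DatabaseId         = $guid
                DatabasePath       = $info.DatabasePath
                Description        = $info.DatabaseDescription
                InstalledUtc       = $installed
                # sdbinst copies the .sdb under %WINDIR%\AppPatch; a path elsewhere, or a
                # Custom entry with no InstalledSDB record, was not put there by sdbinst.
                OutsideAppPatch    = -not ($info.DatabasePath -like "$appPatchDir\*")
                TargetsAutoElevate = ($exe -in $autoElevateTargets)
            }
        }
    }
}

Get-CustomShimDatabases |
    Where-Object { $_.TargetsAutoElevate -or $_.OutsideAppPatch } |
    Format-Table -AutoSize
```

The registry only tells you which executable is shimmed and where the database file is; whether the database carries a RedirectEXE shim (the TAG_SHIM_REF written in the fragment above) requires opening the .sdb itself, so treat any custom database attached to an auto-elevating binary as worth pulling for analysis. Enterprise images do ship legitimate custom shims, so baseline before alerting.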

Defeating UAC Using Sysprep and Tilon/Pitou

7/11/2016

  • 1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
  • 2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
  • 3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10th2 10532;
* Leo Davidson AutoElevation method with derivatives.
*
* UacMethodSysprep1   - Original Leo Davidson concept.
* UacMethodSysprep2   - Windows 8.1 adapted UacMethodSysprep1 (bypassing sysprep embedded manifest dlls redirection).
* UacMethodTilon      - Leo Davidson concept with different target dll, used by Win32/Tilon.
* UacMethodSysprep3   - Windows 10 TH1 adapted UacMethodSysprep1.
* UacMethodOobe       - WinNT/Pitou derivative from Leo Davidson concept

Typical malware UAC bypass:
  1. Creates a DLL in %temp%;
  2. Injects code into the running explorer.exe, and explorer.exe moves the DLL from %temp% to C:\Windows\System32\sysprep\cryptbase.dll (a medium-integrity process cannot write there itself);
  3. C:\Windows\System32\sysprep\sysprep.exe is executed; because it is auto-elevated and resolves cryptbase.dll from its own directory first, it loads the planted C:\Windows\System32\sysprep\cryptbase.dll with administrative privileges; and
  4. the planted cryptbase.dll executes the malware with administrative privileges.
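Auditing the targets of this method and of the Carberp wusa method above, as an added check that is not Carberp, Tilon, Pitou or UACME code: every variant ends with a DLL placed next to an auto-elevated executable (sysprep\cryptbase.dll, migwiz\wdscore.dll, ehome\CRYPTSP.dll on this page), so the script lists the DLLs in those directories, checks their signatures, and confirms that each target really carries an autoElevate manifest. The directory and DLL pairs come from the methods above; treating any DLL in these directories as suspect is an assumption that should be baselined against a clean host of the same build.

```powershell
# Added example (not Carberp, Tilon, Pitou or UACME code). Audits the
# auto-elevated targets named on this page for planted DLLs and confirms that
# each target really carries an autoElevate manifest. Directory/DLL pairs come
# from the methods above; treating every DLL in these directories as suspect is
# an assumption: baseline against a clean host of the same build first.
$sys32 = Join-Path $env:WINDIR 'System32'
$targets = @(
    @{ Exe = "$sys32\sysprep\sysprep.exe";      HijackDlls = @('cryptbase.dll', 'CRYPTSP.dll') }  # Leo Davidson / Tilon / Pitou
    @{ Exe = "$sys32\migwiz\migwiz.exe";        HijackDlls = @('wdscore.dll') }                   # Carberp wusa method
    @{ Exe = "$env:WINDIR\ehome\mcx2prov.exe";  HijackDlls = @('CRYPTSP.dll') }                   # uacTargetApp[1]
)

function Test-AutoElevateManifest {
    param([string]$Path)
    # The embedded manifest is ASCII XML inside the PE; if the binary does not
    # request autoElevate it is not an elevation target in the first place.
    if (-not (Test-Path $Path)) { return $false }
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    return [bool]($text -match '<autoElevate>\s*true\s*</autoElevate>')
}

function Find-PlantedDlls {
    foreach ($t in $targets) {
        $dir = Split-Path -Path $t.Exe -Parent
        if (-not (Test-Path $dir)) { continue }
        $autoElevate = Test-AutoElevateManifest -Path $t.Exe
        foreach ($f in Get-ChildItem -Path $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue) {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            [pscustomobject]@{
                Target      = $t.Exe
                AutoElevate = $autoElevate
                Dll         = $f.Name
                KnownHijack = ($f.Name -in $t.HijackDlls)   # a name a real payload has used
                Signature   = $sig.Status                   # Valid / NotSigned / HashMismatch ...
                Signer      = $sig.SignerCertificate.Subject
                ModifiedUtc = $f.LastWriteTimeUtc
                Suspicious  = ($f.Name -in $t.HijackDlls) -or ($sig.Status -ne 'Valid')
            }
        }
    }
}

Find-PlantedDlls | Format-Table -AutoSize
```

Two caveats when reading the output: Get-AuthenticodeSignature only consults catalog signatures on Windows 8 and later, so on Windows 7 legitimate catalog-signed Microsoft DLLs report NotSigned and the KnownHijack column is the better signal there; and a KnownHijack hit with a recent ModifiedUtc next to a target whose AutoElevate column is $true is exactly the state steps 2 and 3 above produce.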

UACME Project

7/11/2016

Source: https://github.com/hfiref0x/UACME

The 22 UAC bypass methods implemented in UACME at the time of writing (descriptions follow the project README):
  • 1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
  • 2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
  • 3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10th2 10532;
  • 4 - Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600;
  • 5 - ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10th1 10136;
  • 6 - Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also;
  • 7 - Wusa method, tweaked to work from Windows 7 up to 10th1 10136;
  • 8 - Slightly modified Leo Davidson method used by Win32/Tilon, works only on Windows 7;
  • 9 - Hybrid method, combination of WinNT/Simda and Win32/Carberp + AVrf, works from Windows 7 up to 10th1 10136;
  • 10 - Hybrid method, abusing appinfo.dll way of whitelisting autoelevated applications and KnownDlls cache changes, works from Windows 7 up to 10th2 10532;
  • 11 - WinNT/Gootkit second method based on the memory patching from MS "Fix it" patch shim (and as side effect - arbitrary dll injection), works from Windows 7 up to 8.1.9600;
  • 12 - Windows 10 sysprep method, abusing different dll dependency added in Windows 10 (works up to 10th2 10558);
  • 13 - Hybrid method, abusing Microsoft Management Console and EventViewer missing dependency, works from Windows 7 up to 10rs1 14295;
  • 14 - WinNT/Sirefef method, abusing appinfo.dll way of whitelisting OOBE.exe, works from Windows 7 up to 10th2 10558;
  • 15 - Win32/Addrop method, also used in Metasploit uacbypass module, works from Windows 7 up to 10rs1 14295;
  • 16 - Hybrid method working together with Microsoft GWX backdoor, works from Windows 7 up to 10rs1 14295;
  • 17 - Hybrid method, abuses appinfo whitelist/logic/API choice and usage, works from Windows 8.1 (9600) up to 10rs1 14367;
  • 18 - Hybrid method, abuses SxS undocumented backdoor used to fix (1) and appinfo whitelist, works from Windows 7 up to 10rs1 14367;
  • 19 - Hybrid method, using InetMgr IIS module and based on 10 & 16 MS fixes, works from Windows 7 up to 10rs1 14372;
  • 20 - Hybrid method, abusing Microsoft Management Console and incorrect dll loading scheme, works from Windows 7 up to 10rs1 14383;
  • 21 - Hybrid method, abusing SxS DotLocal and targeting sysprep, works from Windows 7 up to 10rs1 14383;
  • 22 - Hybrid method, abusing SxS DotLocal and targeting consent to gain system privileges, works from Windows 7 up to 10rs1 14383.