UAC Bypass Method: Application Compatibility a/k/a Dridex Method

This UAC bypass method encompasses manipulating application compatibility databases.

Method of Operation:

  1. Dridex creates an application compatibility database ($$$.sdb), a batch file ($$$.bat) and a copy of itself (edg3FAC.exe)
  2. Dridex uses the sdbinst command to install/uninstall application compatibility databases to install $$$.sdb.
  3. Dridex launches the iscsicli command, which is a command line tool for iSCSI initiator. However, the configuration in the installed application compatibility database ($$$.sdb) causes iscsicli.exe to execute $$$.bat with administrative privileges.
  4. $$$.bat executes edg3FAC.exe with administrative privileges.
  • Auto-elevation programs such as sdbinst.exe and iscsicli.exe automatically elevate privileges to administrative privileges when launched without a UAC warning being displayed.
  • The sdbinst command, which can change the behavior of other programs, is an auto-elevation program.

1. ucmInitAppHelp
* Purpose:
*Initialize AppHelp routines.

2. ucmRegisterAndRunTarget
* Purpose:
* Register shim database and execute target app.

3. ucmShimRedirectEXE
* Purpose:
* Build, register shim database and execute target app.
* Initially used in BlackEnergy2 and Gootkit by mzH (alive-green).
* Currently used in number of trojans (Win32/Dyre, WinNT/Cridex)

tidShim = SdbBeginWriteListTag(hShimDb, TAG_SHIM_REF);
if (tidShim != TAGID_NULL) {
SdbWriteStringTag(hShimDb, TAG_NAME, L“RedirectEXE”);
SdbWriteStringTag(hShimDb, TAG_COMMAND_LINE, lpszPayloadEXE);
SdbEndWriteListTag(hShimDb, tidShim);
SdbEndWriteListTag(hShimDb, tidEXE);

4. ucmAppcompatElevation
* Purpose:
* AutoElevation using Application Compatibility engine.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: