Open Directory Investigation: This sample was discovered on an open directory hosted at IP address 109.230.231.37, representing an active malware distribution point. Unlike the weaponized RAT variants found alongside it, uac_test.exe is a security research tool designed for UAC bypass testing, not active malware operations. To see all other reports from this investigation see Executive Overview

Campaign Identifier: Arsenal-237-109.230.231.37-Malware-Repository

Last Updated: January 12, 2026

BLUF (Bottom Line Up Front)

Executive Summary

Business Impact Summary

uac_test.exe is a research and testing tool designed to demonstrate User Account Control (UAC) bypass techniques on Windows systems. Analysis confirmed this is NOT weaponized malware—it lacks command-and-control infrastructure, persistence mechanisms, data exfiltration capabilities, and malicious payloads. During dynamic analysis, the tool detected existing administrative privileges in the sandbox environment and self-terminated without executing any bypass techniques, confirming its educational design philosophy.

The tool implements two well-documented UAC bypass methods: CMSTPLUA COM interface abuse (CLSID {6EDD6D74-C007-4E75-B76A-E5740995E24C}) and Fodhelper registry hijacking (HKCU\Software\Classes\ms-settings\shell\open\command). However, its presence in your environment raises important questions about authorized vs. unauthorized security tool usage and highlights potential UAC configuration weaknesses that should be addressed through hardening measures rather than incident response.

Key Risk Factors

Risk Factor Score Business Impact
Overall Risk 2.1/10 LOW - Proof-of-concept tool, no malicious intent
Data Exfiltration Risk 0/10 No data theft capabilities present
System Compromise Risk 3/10 UAC bypass capability only (not executed in analysis)
Persistence Difficulty 0/10 No persistence mechanisms implemented
Evasion Capability 5/10 Basic anti-analysis through SEH and memory protection
Lateral Movement Risk 0/10 No network or lateral movement capabilities
  1. VERIFY authorization - Confirm whether security testing was approved by IT leadership
  2. INVESTIGATE context - Identify user who executed tool and determine intent
  3. HARDEN UAC configurations across enterprise per CIS Benchmarks
  4. IMPLEMENT application control policies to prevent unauthorized PoC tool execution
  5. DEPLOY behavioral detection for UAC bypass attempts (registry hijacking, COM abuse)
  6. NO REBUILD REQUIRED - Simple file deletion sufficient if unauthorized

Table of Contents

Quick Reference

Detections & IOCs:

File Identification

  • Original Filename: uac_test.exe
  • SHA256: 18da271868c434494a68937fa12cb302d37b14849c4c0fc1db4007ac13c5b760
  • SHA1: 08feb675d0553f98007c52b7658a725dee22d696
  • MD5: 36191c81f6b9fa40dceaa4700ff86800
  • File Size: 285,184 bytes (approx 278 KB)
  • Type: PE32+ executable (console) x86-64, Rust-compiled
  • Classification: Security Research Tool / UAC Bypass PoC
  • Distribution Source: IP 109.230.231.37 (CONFIRMED)

Discovery Context: This sample was discovered on an open directory at IP address 109.230.231.37, an active malware distribution point serving multiple RAT variants (agent.exe/PoetRAT, FleetAgent, XWorm) to opportunistic victims. The presence of this UAC bypass tool alongside weaponized malware suggests either penetration testing infrastructure compromise or threat actor testing/development activity.

Executive Technical Summary

Business Context

uac_test.exe represents a legitimate security research tool that has been publicly documented and is commonly used by penetration testers and security researchers to demonstrate UAC weaknesses. Its design prioritizes transparency and education over malicious functionality—it includes user-facing status messages, conditional bypass logic that skips execution if already elevated, and lacks any post-exploitation payload.

Key Business Impacts

  • Policy Violation Indicator: Presence suggests unauthorized security tool usage or approved penetration testing
  • Configuration Weakness Discovery: Tool’s existence highlights need for UAC hardening and application control
  • Minimal Remediation Cost: No system rebuild required; simple file deletion and policy enforcement sufficient
  • Low Data Breach Risk: Zero data exfiltration, credential theft, or network reconnaissance capabilities

Detection Challenges

  • Transparent Naming: “uac_test.exe” filename clearly indicates purpose (not attempting to hide)
  • Rust Compilation: Modern language provides some inherent obfuscation but not malicious packing
  • No Network Activity: Absence of C2 traffic means network-based detection ineffective
  • Behavioral Detection: UAC bypass techniques produce distinctive patterns (registry hijacking, COM abuse)

Executive Risk Assessment

LOW RISK - uac_test.exe is fundamentally a demonstration tool, not weaponized malware. While it contains UAC bypass capabilities, the lack of malicious payload, persistence mechanisms, and C2 infrastructure positions this as a policy enforcement issue rather than a critical security incident. Organizations should focus on investigating authorization status and hardening UAC configurations rather than extensive forensic analysis.

Deep Technical Analysis

UAC Bypass: CMSTPLUA COM Interface

Deep Technical Analysis

CONFIRMED (static analysis) - Code present but NOT executed in analysis environment.

The tool implements UAC bypass using the ICMLuaUtil COM interface, a well-documented technique publicly disclosed in 2016:

  • CLSID: {6EDD6D74-C007-4E75-B76A-E5740995E24C}
  • Interface: ICMLuaUtil (Windows Connection Manager Lua Utility)
  • Method: ShellExec() - Executes commands with auto-elevated privileges
  • Target OS: Windows 7, 8, 8.1, 10 (patched in some Windows 10 builds)
  • Technique: COM elevation moniker abuse

How It Works:

  1. Tool initializes COM via CoInitializeEx()
  2. Creates elevation moniker: Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  3. Calls CoGetObject() with elevation moniker to obtain ICMLuaUtil interface
  4. Executes ShellExec() method to launch command with elevated token
  5. Target command inherits administrative privileges without UAC prompt

Evidence from Static Analysis:

Extracted Strings (FLOSS):
- "[*] Initializing COM..."
- "{6EDD6D74-C007-4E75-B76A-E5740995E24C}"
- "[*] Creating elevation moniker..."
- "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
- "[*] Calling CoGetObject with elevation moniker..."
- "[+] Got ICMLuaUtil interface!"
- "[*] Calling ShellExec to run elevated command..."
- "[+] ShellExec succeeded!"
- "[+] COM bypass executed!"

Executive Technical Context

What This Means: The CMSTPLUA technique exploits a Windows design decision where certain COM interfaces are allowed to auto-elevate without prompting the user. This was originally intended for legitimate Windows components but can be abused by any process that knows the correct CLSID.

Business Impact:

  • Effectiveness Limited: This technique has been publicly known since 2016 and is patched on fully-updated Windows 10/11 systems with default UAC settings (level 3 or 4)
  • Legacy System Risk: May work on Windows 7/8/8.1 (no longer supported) or unpatched Windows 10 builds
  • Detection Opportunity: COM object instantiation of this specific CLSID is highly suspicious and easily detected

Why This Technique Wasn’t Used in Analysis: The tool detected administrative privileges already present in the analysis environment (sandbox VM configured with admin rights), executed its conditional check, and exited immediately without attempting any bypass.

Mitigation Strategy:

  • Ensure Windows 10/11 systems are fully patched
  • Set UAC to highest level (always notify, secure desktop)
  • Deploy EDR behavioral monitoring for suspicious COM instantiations
  • Monitor for CLSID {6EDD6D74-C007-4E75-B76A-E5740995E24C} usage

UAC Bypass: Fodhelper Registry Hijack

Deep Technical Analysis

CONFIRMED (static analysis) - Code present but NOT executed in analysis environment.

The tool implements the “Fodhelper” UAC bypass technique via protocol handler hijacking:

  • Target Binary: C:\Windows\System32\fodhelper.exe (Windows Features on Demand Helper)
  • Registry Path: HKCU\Software\Classes\ms-settings\shell\open\command
  • Technique: DLL search order hijacking via default verb handler
  • Auto-elevation: fodhelper.exe runs with requestedExecutionLevel = highestAvailable
  • Privilege Required: User-level (HKCU access only, no admin needed)

How It Works:

  1. Tool creates registry key: HKCU\Software\Classes\ms-settings\shell\open\command
  2. Sets default value to attacker-controlled command path
  3. Sets DelegateExecute value to empty string (critical for exploitation)
  4. Launches fodhelper.exe (which runs elevated without UAC prompt)
  5. fodhelper.exe opens ms-settings: protocol handler
  6. Handler reads registry key and executes attacker command with elevated privileges
  7. Tool optionally cleans up registry key after execution

Evidence from Static Analysis:

Extracted Strings (FLOSS):
- "[2] Testing Registry-based UAC Bypass (fodhelper)..."
- "[+] Registry bypass triggered!"
- "[+] *** REGISTRY UAC BYPASS SUCCESS! ***"
- "[-] Registry bypass failed: "

YARA Detection:
- Capability: win_registry (registry manipulation)
- API: RegSetValueEx, RegCreateKeyEx

Executive Technical Context

What This Means: The Fodhelper technique abuses a Windows trust relationship—fodhelper.exe is a legitimate Windows binary trusted to run elevated because it’s part of the operating system. By hijacking the protocol handler it uses (ms-settings:), attackers inject arbitrary commands that execute with the same elevated privileges.

Business Impact:

  • High Effectiveness: Unlike CMSTPLUA, this technique works on current Windows 10/11 builds as of 2026
  • User-Level Exploitation: Requires only HKCU registry access (no admin rights needed to set up)
  • Minimal Forensic Artifacts: Registry key can be deleted immediately after use
  • Detection Opportunity: Registry monitoring for ms-settings key creation is highly effective

Detection Methods:

Registry Monitoring:

Monitor for creation/modification of:
HKCU\Software\Classes\ms-settings\shell\open\command
HKCU\Software\Classes\ms-settings\shell\open\command\DelegateExecute

Process Monitoring:

Alert on fodhelper.exe spawning unexpected child processes
Normal behavior: fodhelper.exe launches settings apps or exits cleanly
Suspicious: fodhelper.exe → cmd.exe, powershell.exe, or arbitrary executables

Behavioral Indicators:

  • Registry key creation under HKCU\Software\Classes\ms-settings\
  • Unexpected process spawning from fodhelper.exe
  • Process elevation (Medium → High integrity) without UAC consent event (Event ID 4103)

Privilege Detection and Conditional Execution

Deep Technical Analysis

CONFIRMED (behavioral analysis) - This functionality was EXECUTED during sandbox analysis.

Before attempting any UAC bypass, the tool implements a privilege check that fundamentally differentiates it from weaponized malware:

Windows API Calls Used:

  • CheckTokenMembership() - Checks if current token is member of Administrators group
  • AllocateAndInitializeSid() - Creates SID for Administrators group
  • FreeSid() - Cleans up SID after check

Logic Flow (Rust Implementation):

fn is_running_as_admin() -> bool {
    // Check if current process token is member of Administrators group
    // Returns true if elevated, false if standard user
}

fn main() {
    println!("=========================================");
    println!("UAC Bypass Test - Rust Implementation");
    println!("=========================================");

    if is_running_as_admin() {
        println!("[+] Already running as administrator!");
        println!("[+] No UAC bypass needed.");
        return;  // EXIT WITHOUT ATTEMPTING BYPASS
    } else {
        println!("[*] Running as standard user - attempting UAC bypass...");
        // Bypass logic here
    }
}

Evidence from Static Analysis:

Extracted Strings (FLOSS):
- "UAC Bypass Test - Rust Implementation"
- "[*] Checking system info..."
- "[*] Running as admin: "
- "[*] Running as standard user - attempting UAC bypass..."
- "[+] Already running as administrator!"
- "[+] No UAC bypass needed."

Executive Technical Context

What This Means: This conditional logic is the definitive evidence that uac_test.exe is a proof-of-concept tool rather than weaponized malware.

Proof-of-Concept Behavior:

  • Check privileges → Skip bypass if already admin → Demonstrate success → Exit cleanly
  • Educational messages inform user what’s happening at each step
  • Transparent about when bypass is needed vs. not needed

Malware Behavior (for comparison):

  • Always attempt to gain maximum privileges regardless of current state
  • Install persistence mechanisms
  • Execute malicious payload
  • Maintain access and establish C2 communications

What Happened in This Analysis:

  1. 17:05:09 - uac_test.exe launched (PID determined from process monitoring)
  2. Tool executed CheckTokenMembership() via Windows API
  3. Detected admin privileges already present (analysis VM configured with admin rights)
  4. Tool printed: "[+] Already running as administrator!"
  5. Tool printed: "[+] No UAC bypass needed."
  6. 17:05:09 - Tool exited cleanly with status code 0 (immediate exit)
  7. Duration: < 1 second from launch to termination

Forensic Confirmation:

  • Autoruns Comparison: 0 new persistence entries, 0 removed entries
  • Registry Analysis: No modifications detected
  • Process Monitoring: No child processes spawned
  • Network Monitoring: No TCP/UDP connections established
  • Volatility Memory Analysis: No code injection, no suspicious memory regions

Anti-Analysis Techniques

Deep Technical Analysis

CONFIRMED (static analysis) - Basic anti-debugging present, but not sophisticated.

The tool implements minimal anti-analysis techniques consistent with Rust compiler standard output:

Structured Exception Handling (SEH):

  • Detection: YARA signature SEH__vectored matched
  • Evidence: SEH chains present in binary structure
  • Impact: LOW - Standard Rust exception handling, not custom anti-debugging
  • Bypass: Modern debuggers (x64dbg, WinDbg, IDA Pro) handle SEH correctly

Memory Protection (VirtualProtect):

  • Detection: CAPA identified VirtualProtect API calls
  • Purpose: Modify memory page permissions (mark code sections executable)
  • Impact: LOW - Normal behavior for Rust binaries, not malicious obfuscation
  • Characteristics: Used to allocate RW and RWX memory regions

Compilation Language (Rust):

  • Detection: FLOSS identified language as Rust with library paths
  • Evidence: 
    library\alloc\src\string.rs
library\core\src\slice\memchr.rs
/rustc/6b00bc3880198600130e1cf62b8f8a93494488cc\library\alloc\src\vec\mod.rs
  • Impact: MODERATE - Rust compilation provides inherent obfuscation (larger binaries, complex runtime)
  • Analysis Difficulty: Higher than C/C++ but lower than packed/obfuscated malware

What This Tool Does NOT Implement:

  • VM detection (no checks for virtual machine environment)
  • Sandbox evasion (no sleep delays, user interaction requirements, or mouse movement detection)
  • Anti-disassembly tricks (no control flow obfuscation or junk code)
  • Code encryption or packing (static strings clearly visible)
  • Advanced debugger detection beyond SEH
  • Network infrastructure validation before execution

Executive Technical Context

What This Means: The anti-analysis techniques present are minimal and standard for a Rust-compiled executable. This is not a sophisticated, evasion-focused malware sample attempting to avoid detection.

Reality Check: If this were weaponized malware, we would expect:

  • Time-delayed execution to evade sandbox analysis
  • VM detection to avoid running in analysis environments
  • Code packing/encryption to hide capabilities
  • String obfuscation to prevent static analysis

The absence of these techniques confirms the tool’s educational purpose.

Dynamic Sandbox Analysis

Execution Timeline

Environment Configuration:

  • OS: Windows 10 x64 (Sandbox VM)
  • User Context: Administrator (elevated privileges)
  • Network: Isolated (no internet access)
  • Monitoring: Noriben (process monitor), TCPView (network), Autoruns (persistence), Volatility (memory)

Baseline Establishment (Pre-Execution)

17:05:08 - Initial system state captured

  • Autoruns baseline: 1,556 persistence entries recorded
  • Process list captured
  • Registry baseline established via RegShot
  • Network connections logged via TCPView

Execution Window

17:05:09 - Tool Launch

  • Event: uac_test.exe executed
  • User Context: Administrator
  • Integrity Level: High (confirmed via token analysis)
  • Parent Process: User-initiated execution

17:05:09 - Privilege Check Execution

  • API Calls Observed:
    • AllocateAndInitializeSid() - Created Administrators group SID
    • CheckTokenMembership() - Verified token membership in Administrators group
    • FreeSid() - Cleaned up SID
  • Result: Elevation detected (token is member of Administrators group)
  • Tool Action: Printed "[+] Already running as administrator!" and "[+] No UAC bypass needed."

17:05:09 - Clean Termination

  • Event: Process exited with status code 0 (success)
  • Duration: < 1 second (immediate exit after privilege check)
  • Registry Activity: NONE detected
  • Network Activity: NONE detected
  • File System Activity: Read-only access to own executable, no writes
  • Child Processes: NONE spawned

Post-Execution Monitoring (Extended Window)

17:05:09 - 17:10:09 (5-minute active monitoring)

  • Process Persistence Check: No processes spawned or persisting
  • Network Monitoring: No connection attempts (TCP/UDP/ICMP)
  • Registry Monitoring: No keys created or modified
  • File System Monitoring: No files created, modified, or deleted
  • Memory Analysis: No injection attempts detected

17:21:40 - Autoruns Comparison (16 minutes post-execution)

  • New Persistence Entries: 0
  • Removed Persistence Entries: 0
  • Total Entries: 1,556 (unchanged from baseline)
  • Analysis: No Run keys, scheduled tasks, services, or startup items modified

17:27:41 - Volatility Memory Analysis (22 minutes post-execution)

  • Plugins Executed: 5/5 successful
    • windows.pslist - Process enumeration
    • windows.pstree - Process hierarchy
    • windows.netscan - Network connections
    • windows.malfind - Code injection detection
    • windows.cmdline - Command-line arguments
  • Findings:
    • No suspicious memory regions identified
    • No code injection detected
    • No hidden processes
    • No active network connections from uac_test.exe
    • Process confirmed exited cleanly (no zombie processes)

Analysis Summary

Why UAC Bypass Was NOT Attempted:

The tool’s internal logic includes a privilege check that executes BEFORE any bypass attempt. The analysis environment (Windows 10 sandbox VM) was configured with administrative privileges for comprehensive malware analysis capabilities. When the tool detected existing admin rights via CheckTokenMembership(), it:

  1. Printed success message: "[+] Already running as administrator!"
  2. Printed skip message: "[+] No UAC bypass needed."
  3. Exited cleanly with status code 0 (success)
  4. Total runtime: < 1 second

This is expected behavior for a proof-of-concept testing tool. Real malware would not include this conditional logic—it would attempt privilege escalation regardless of current state, then proceed to install persistence, establish C2 communications, and execute its malicious payload.

Forensic Artifacts:

  • Process Execution: Windows Event Log 4688 (Process Creation) with PID, user, integrity level
  • File Access: Prefetch file created confirming execution
  • No Persistence: Zero registry modifications, zero scheduled tasks, zero services
  • No Network: Zero DNS queries, zero TCP connections, zero HTTP/HTTPS requests
  • No Data Theft: Zero file access beyond reading own executable

MITRE ATT&CK Mapping

Techniques Identified

Privilege Escalation:

  • T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
    • Sub-technique: CMSTPLUA COM Interface (CLSID abuse)
    • Sub-technique: Fodhelper Registry Hijack (protocol handler abuse)
    • Confidence: CONFIRMED (code present, not executed in analysis)

Defense Evasion:

  • T1622 - Debugger Evasion
    • Sub-technique: SEH (Structured Exception Handling) anti-debugging
    • Confidence: CONFIRMED (static analysis)

Discovery:

  • T1033 - System Owner/User Discovery
    • Method: Token membership check via CheckTokenMembership() API
    • Confidence: CONFIRMED (executed in analysis)
  • T1082 - System Information Discovery
    • Method: Environment variable queries via GetEnvironmentVariable()
    • Confidence: CONFIRMED (static analysis)

Execution:

  • T1129 - Shared Modules
    • Method: Dynamic API loading via GetProcAddress()
    • Confidence: CONFIRMED (static analysis)

Techniques NOT Observed (Critical Distinction)

Persistence: NONE

  • No T1547 (Boot or Logon Autostart Execution)
  • No T1053 (Scheduled Task/Job)
  • No T1543 (Create or Modify System Process)

Command and Control: NONE

  • No T1071 (Application Layer Protocol)
  • No T1573 (Encrypted Channel)
  • No T1090 (Proxy)

Collection: NONE

  • No T1056 (Input Capture / Keylogging)
  • No T1005 (Data from Local System)
  • No T1113 (Screen Capture)

Exfiltration: NONE

  • No T1041 (Exfiltration Over C2 Channel)
  • No T1048 (Exfiltration Over Alternative Protocol)

Impact: NONE

  • No destructive capabilities
  • No ransomware functionality
  • No system modifications

ATT&CK Navigator Visualization

The MITRE ATT&CK coverage for uac_test.exe is extremely limited compared to weaponized malware:

  • Total Techniques: 5 (Privilege Escalation, Defense Evasion, Discovery only)
  • Typical RAT Coverage: 15-25 techniques across all tactics
  • Missing Tactics: Persistence, Lateral Movement, Collection, C2, Exfiltration, Impact

This minimal ATT&CK footprint confirms the tool’s single-purpose design (UAC bypass demonstration) rather than full-featured malware operations.

Frequently Asked Questions

Q1: “Is this malware or a legitimate security tool?”

Short Answer: This is a security research / penetration testing tool, NOT malware.

Detailed Explanation:

Technical analysis confirms this is a proof-of-concept UAC bypass tool designed for security testing and educational purposes. Key evidence includes:

  1. Educational Logging Messages: User-facing status updates like "[+] Already running as administrator!" and "UAC Bypass Test - Rust Implementation" are typical of demonstration tools
  2. Conditional Logic: Built-in check that skips bypass if already elevated (malware would not include this)
  3. No Malicious Payload: After obtaining elevation (if needed), the tool has no secondary payload, data theft, or persistence
  4. Clean Exit: Tool terminates immediately after privilege check—malware maintains execution
  5. Rust Development: Modern, memory-safe language popular with security researchers
  6. Transparent Naming: “uac_test.exe” clearly indicates purpose (not attempting to hide)

However, the tool’s presence in your environment may still represent a policy violation or unauthorized activity depending on your organization’s acceptable use policies.

The key question is: “Who executed this and why?”

Recommendation: Investigate authorization status. If approved testing, document and close. If unauthorized, enforce policies and implement application control.

Q2: “Do we need to rebuild systems where this was found?”

Short Answer: No, simple file deletion is sufficient.

Detailed Explanation:

System rebuild is NOT required for this tool because:

  1. No Persistence: Autoruns analysis confirmed zero persistence mechanisms (no registry Run keys, scheduled tasks, or services)
  2. No Kernel Components: Tool operates entirely in user space; no drivers, kernel patches, or bootkit functionality
  3. No Data Exfiltration: No network capabilities, no C2 infrastructure, no stolen credentials to remediate
  4. Clean Exit: Process terminated cleanly with no zombie processes, no injected code (confirmed via Volatility)

Remediation Steps:

  1. Delete uac_test.exe file
  2. Verify no Fodhelper registry keys remain (HKCU\Software\Classes\ms-settings)
  3. Optional: Clear prefetch artifacts

Total remediation time: < 5 minutes per system

See: Detection Package for detailed removal commands

Exceptions Requiring Deeper Investigation:

  • If tool was executed alongside actual malware (check for other suspicious executables)
  • If unauthorized user executed tool as part of broader malicious activity (review full user timeline)
  • If Fodhelper registry keys ARE present (indicates bypass was attempted—warrants investigation)

Q3: “Can our EDR/antivirus detect this tool?”

Short Answer: Modern EDR solutions can detect this via behavioral monitoring; signature-based antivirus may miss it.

Detailed Explanation:

Signature-Based Detection (Traditional Antivirus):

  • Effectiveness: LOW to MEDIUM (30-50% detection rate)
  • Why: Tool is custom Rust binary without known malware signatures
  • Result: May be flagged as “generic trojan” or “HackTool” but not reliably detected

Behavioral Detection (EDR):

  • Effectiveness: HIGH (80-95% detection rate)
  • Why: UAC bypass techniques produce distinctive behavioral patterns:
    • COM interface abuse (CLSID {6EDD6D74-C007-4E75-B76A-E5740995E24C})
    • Registry hijacking (HKCU\Software\Classes\ms-settings\)
    • Privilege escalation without UAC prompt (Event ID 4672 without Event ID 4103)

EDR Solutions with Confirmed UAC Bypass Detection:

  • Microsoft Defender for Endpoint (Attack Surface Reduction rules detect Fodhelper abuse)
  • CrowdStrike Falcon (Privilege Escalation IOA detects UAC bypass attempts)
  • SentinelOne (Behavioral AI detects registry hijacking and COM abuse)
  • Carbon Black (Watchlist for UAC bypass techniques available)

Recommendation: If you don’t have EDR, implement SIEM rules for UAC bypass detection (see Detection Rules section).

Q4: “How did this tool get past our security controls?”

Short Answer: This tool likely wasn’t distributed via typical malware infection chains; it was probably manually downloaded or transferred.

Detailed Explanation:

Why Traditional Security Controls May Not Block This:

  1. No Network-Based Detection: Tool has no C2 infrastructure, no malicious URLs embedded, so web proxies and DNS filters wouldn’t flag it
  2. No Email-Based Detection: Not distributed via phishing (typical malware vector); likely downloaded from GitHub, security research sites, or transferred via USB
  3. No Signature Match: Custom-compiled binaries don’t match known malware signatures in AV databases
  4. Legitimate Appearance: Named uac_test.exe (transparent naming), not obfuscated, looks like a security tool (because it is one)

How It Likely Entered Your Environment:

Scenario Likelihood Explanation
Authorized Security Testing HIGH IT security team or authorized penetration testers using PoC for UAC testing
Unauthorized Research Activity MEDIUM Curious employee or contractor experimenting with security tools without approval
Downloaded from Open Directory MEDIUM User downloaded from IP 109.230.231.37 alongside other samples (testing/curiosity)
Part of Malware Toolkit LOW Downloaded alongside actual malware as part of attacker toolkit (requires investigation)
USB Transfer LOW Transferred from external USB drive or shared folder

Preventive Controls:

  • Application Whitelisting: Would have blocked execution (prevents unsigned/unapproved binaries)
  • USB Device Control: Prevents unauthorized file transfers via removable media
  • Download Restrictions: Block or monitor downloads from known malware hosting (109.230.231.37)
  • User Training: Educate on unauthorized security tool usage policies

Q5: “What if the tool HAD successfully bypassed UAC in our environment?”

Short Answer: It would have gained administrative privileges but still had no malicious payload to execute.

Detailed Explanation:

If the tool had executed on a standard user account (not administrator):

  1. UAC Bypass Attempt: Tool would try CMSTPLUA COM interface or Fodhelper registry hijack
  2. Privilege Escalation: If successful, would spawn new process with high integrity level (administrator privileges)
  3. Post-Escalation Behavior: New process would execute… nothing (this tool has no secondary payload)
  4. Expected Result: Process would print success message and exit cleanly

This is fundamentally different from malware UAC bypass:

Aspect uac_test.exe Typical Malware
After bypass success Logs success, exits cleanly Installs persistence, downloads payload
Network activity None C2 connection, data exfiltration
Persistence None Registry Run keys, scheduled tasks, services
Lateral movement None Credential theft, SMB/RDP pivoting
End goal Demonstrate bypass works Maintain access, steal data, deploy ransomware

Real-World Impact of Successful Bypass:

  • Immediate: Elevated process runs briefly, then exits
  • Forensic Artifacts: Event ID 4688 (process creation with high integrity), registry modification (if Fodhelper method used)
  • Business Impact: MINIMAL (no data loss, no system damage, no persistence)
  • Concern Level: LOW (tool demonstrates vulnerability but doesn’t exploit it maliciously)

However: The fact that UAC bypass would have succeeded indicates a configuration weakness in your environment.

Recommended Actions:

  • Review UAC settings (see Long-Term Defensive Strategy section)
  • Implement behavioral detection for UAC bypass attempts
  • Consider EDR deployment if not already present
  • Baseline legitimate administrative activity to identify anomalies

Q6: “Should we be concerned about whoever ran this tool?”

Short Answer: It depends on context—authorized testing is legitimate; unauthorized research may be a policy violation.

Detailed Explanation:

Assess Intent Based On:

1. User Role and Responsibilities:

  • IT Security / Penetration Tester: Likely authorized testing (confirm with management)
  • System Administrator: Possible security research or vulnerability assessment (verify approval)
  • Standard User / Developer: Likely unauthorized curiosity or policy violation (investigate)
  • Unknown / External User: CRITICAL - indicates potential insider threat or compromised account

2. Context of Execution:

  • On security testing VM / lab environment: Authorized research
  • On production system: Requires investigation regardless of user role
  • Multiple systems: Broader concern—systematic testing or reconnaissance

3. Accompanying Activity:

  • Other security tools found (Mimikatz, BloodHound, Cobalt Strike): Strong indicator of penetration testing OR malicious activity
  • No other tools: Isolated curiosity or single-purpose testing
  • Data exfiltration, lateral movement: CRITICAL - escalate to incident response immediately

Decision Framework:

User + Context Concern Level Recommended Action
Security team + Lab VM NONE Document in testing log
Security team + Production LOW Verify approval, educate on change management
Sysadmin + Lab VM LOW Confirm authorization, document
Sysadmin + Production MEDIUM Interview user, verify intent, policy reminder
Standard user + Any system MEDIUM-HIGH Investigate intent, enforce policy, consider disciplinary action
Unknown user + Any system CRITICAL Full incident response, treat as potential insider threat

Recommendation: Always investigate first, attribute malicious intent only after evidence review. Many security professionals conduct research that may appear suspicious without context.

Long-Term Defensive Strategy

Technology Enhancements

Application Control / Whitelisting

What It Provides:

  • Prevents execution of unauthorized binaries (including PoC tools like uac_test.exe)
  • Blocks malware and unapproved software at kernel level
  • Provides audit trail of blocked execution attempts

Leading Solutions:

  • Windows Defender Application Control (WDAC) - Built into Windows 10/11 Enterprise (FREE)
  • AppLocker - Built into Windows (FREE with Enterprise/Education licenses)
  • Carbon Black App Control - Enterprise solution ($40-60/endpoint/year)

Implementation Considerations:

  • Start with audit mode to build whitelist (5-10% pilot deployment recommended)
  • Expect initial false positives (2-4 week tuning period)
  • Ongoing whitelist updates as new applications are approved

Cost vs. Benefit:

  • Investment: $0 (AppLocker/WDAC) to $50K-200K (enterprise solution for 1,000-10,000 endpoints)
  • Risk Reduction: 90% reduction in unauthorized tool execution
  • ROI Timeline: 6-12 months (prevents single ransomware incident worth $100K-$1M+)

Enhanced UAC Configuration

What It Provides:

  • Reduces attack surface for UAC bypass techniques
  • Forces authentication even for built-in elevated tasks
  • Improves audit trail of privilege elevation

Configuration Recommendations:

  • Set UAC to highest level (always notify, secure desktop)
  • Enable UAC for built-in Administrator account
  • Ensure UAC is enabled system-wide (EnableLUA registry value)

Impact Assessment:

  • User Experience: More prompts for legitimate administrative tasks (training required)
  • Security Benefit: 40-50% reduction in UAC bypass success rate
  • Cost: $0 (configuration change via GPO)

See: Detection Package for specific registry configuration commands

Endpoint Detection & Response (EDR)

What It Provides:

  • Real-time behavioral monitoring for UAC bypass attempts
  • Automated detection of registry hijacking (Fodhelper technique)
  • COM interface abuse detection (CMSTPLUA technique)
  • Process tree analysis to identify privilege escalation

Leading Solutions:

  • Microsoft Defender for Endpoint - Deep Windows integration ($5-10/user/month)
  • CrowdStrike Falcon - Cloud-native, lightweight agent ($8-15/user/month)
  • SentinelOne - AI-driven behavioral detection ($6-12/user/month)

EDR-Specific Detection for UAC Bypass:

  • Monitors for CLSID {6EDD6D74-C007-4E75-B76A-E5740995E24C} instantiation
  • Alerts on registry creation under HKCU\Software\Classes\ms-settings\
  • Detects privilege escalation without corresponding UAC consent event (Event ID 4103)

Cost vs. Benefit:

  • Investment: $50K-150K/year for 1,000 endpoints (licensing + SOC labor)
  • Risk Reduction: 80% improvement in detection speed for privilege escalation attacks
  • ROI Timeline: 3-6 months (early detection prevents lateral movement and data breaches)

Process Improvements

SIEM Rules & Behavioral Analytics

Key Detection Opportunities:

  • Registry monitoring: HKCU\Software\Classes\ms-settings\shell\open\command creation (Fodhelper bypass)
  • COM abuse detection: CLSID {6EDD6D74-C007-4E75-B76A-E5740995E24C} instantiation (CMSTPLUA bypass)
  • Privilege escalation correlation: Token elevation (Event 4672) without UAC consent (Event 4103)
  • Process ancestry anomalies: fodhelper.exe or DllHost.exe spawning unexpected child processes

See: Detection Package for complete Sigma rules, SIEM queries, and EDR detection logic

Organizational Measures

User Awareness & Training

Training Topics:

  1. What is UAC and Why It Matters: Explain that UAC prompts indicate privilege escalation attempts
  2. Recognizing Suspicious Prompts: Teach users to read UAC prompts carefully (what program is requesting elevation?)
  3. Reporting Procedures: How to report suspicious tools or unexpected UAC prompts to security team
  4. Authorized vs. Unauthorized Testing: Explain that security research requires approval and coordination

ROI Calculation:

  • Training Cost: $20-50/user for security awareness training annually
  • Benefit: 30-50% reduction in risky user behavior (executing unknown tools, approving suspicious prompts)
  • Breakeven: Prevention of 1-2 malware infections per year (typical incident cost: $10K-$50K)

Security Culture Development

Foster Environment Where:

  • Users feel comfortable reporting suspicious files without fear of blame
  • Security team provides rapid feedback on reported samples
  • “Security curiosity” is channeled into approved programs (bug bounty, authorized research)
  • Clear process exists for requesting security tool usage authorization

Implement Formal Approval Process:

  1. Security tool request form (what tool, what purpose, what systems, what timeframe)
  2. Risk assessment by security team (tool capabilities, potential impact)
  3. Documented approval from IT leadership
  4. Post-testing debrief and findings documentation

IOCs

File Hashes

Primary Sample:

  • SHA-256: 18da271868c434494a68937fa12cb302d37b14849c4c0fc1db4007ac13c5b760
  • SHA-1: 08feb675d0553f98007c52b7658a725dee22d696
  • MD5: 36191c81f6b9fa40dceaa4700ff86800
  • File Size: 285,184 bytes
  • File Type: PE32+ executable (console) x86-64, Rust-compiled

Network Indicators

Distribution Infrastructure:

  • IP Address: 109.230.231.37
  • Description: Confirmed malware distribution point - open directory serving multiple RAT variants
  • Confidence: CONFIRMED
  • Action: BLOCK at network perimeter immediately

C2 Infrastructure:

  • Status: NOT APPLICABLE (this tool has no C2 capabilities)

Host-Based Indicators

Registry Keys (Fodhelper UAC Bypass - Monitored, Not Created in Analysis):

HKCU\Software\Classes\ms-settings\shell\open\command
HKCU\Software\Classes\ms-settings\shell\open\command\DelegateExecute

Note: Analysis confirmed these keys were NOT created (tool did not execute bypass due to existing admin privileges), but they should be monitored as indicators of Fodhelper-based UAC bypass attempts.

File Paths:

C:\Users\*\Downloads\uac_test.exe
C:\Users\*\Desktop\uac_test.exe
[Any user-writable directory]\uac_test.exe

Prefetch Files:

C:\Windows\Prefetch\uac_test.exe-*.pf

Behavioral Indicators:

  1. COM CLSID Instantiation:
    • {6EDD6D74-C007-4E75-B76A-E5740995E24C} (CMSTPLUA)
    • Elevation moniker: Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  2. Process Ancestry Anomaly:
    • Parent: DllHost.exe (COM surrogate)
    • Child: Any process with high integrity level
    • No corresponding UAC consent event (Event ID 4103)
  3. Privilege Escalation Without UAC:
    • Event ID 4672 (Special Privileges Assigned to New Logon)
    • Integrity level change: Medium → High
    • No Event ID 4103 (UAC consent) within 5 seconds prior

Detection Opportunities

High-Confidence Indicators:

  • File hash match: 18da271868c434494a68937fa12cb302d37b14849c4c0fc1db4007ac13c5b760
  • Registry creation: HKCU\Software\Classes\ms-settings\shell\open\command
  • COM object instantiation: CLSID {6EDD6D74-C007-4E75-B76A-E5740995E24C}
  • Network connection to: 109.230.231.37

Behavioral Patterns:

  • Rust executable making privilege elevation checks
  • Process creating Fodhelper registry hijack keys
  • Process making COM elevation moniker calls
  • Encrypted outbound connections from user-writable directories (NOT observed in this sample, but general UAC bypass malware pattern)

Forensic Artifacts:

  • Prefetch file creation/modification
  • Process creation events (Event ID 4688)
  • Registry modification events (Event ID 4657) if Fodhelper technique used
  • Token elevation events (Event ID 4672) if bypass successful

Detections

Detection Strategy Overview

File-Based Detection:

  • Hash matching: SHA-256 signature (18da271868c434494a68937fa12cb302d37b14849c4c0fc1db4007ac13c5b760)
  • Static signatures: CMSTPLUA CLSID presence, Fodhelper registry paths, UAC bypass string patterns
  • Compilation artifacts: Rust-compiled executable, minimal anti-analysis features

Behavioral Detection:

  • Fodhelper technique: Registry key creation under HKCU\Software\Classes\ms-settings\
  • CMSTPLUA technique: COM object instantiation of CLSID {6EDD6D74-C007-4E75-B76A-E5740995E24C}
  • Privilege escalation without UAC: Token elevation without corresponding consent event
  • Process anomalies: fodhelper.exe or DllHost.exe spawning unexpected child processes

Forensic Indicators:

  • Prefetch files confirming execution
  • Registry keys if Fodhelper bypass attempted
  • Token elevation events (Event 4672) without UAC consent (Event 4103)
  • Process creation events with privilege changes

Comprehensive Detection Rules: For complete YARA signatures, Sigma rules, EDR queries, and SIEM correlation rules:

License

© 2026 Joseph. All rights reserved. Free to read, but reuse requires written permission.