Exploiting Windows UI Automation: A New Stealthy Attack Vector
A newly discovered technique leverages the Windows UI Automation (UIA) framework to perform malicious activities while bypassing endpoint detection and response (EDR) solutions, according to research by Akamai security researcher Tomer Peled.
What is UI Automation?
UI Automation, introduced with Windows XP as part of the .NET Framework, provides programmatic access to user interface elements for assistive technologies, such as screen readers, and automated testing tools. It operates by interacting with system UI elements using Component Object Model (COM) as the communication mechanism.
Key capabilities of UI Automation include:
- Manipulating and monitoring UI elements.
- Gaining access to privileged system UI elements via a UIAccess flag when run with administrator rights.
Exploitation Techniques
This technique manipulates intended UI Automation features to perform malicious actions:
Stealthy Command Execution:
- Harvests sensitive data from active UI elements.
- Redirects browsers to phishing websites.
Local Attack Vectors:
- Reads and writes messages on applications like Slack or WhatsApp without alerting users.
- Interacts with off-screen elements cached by the UI framework, enabling attackers to manipulate messages or input text silently.
Remote UI Manipulation:
- Potentially weaponized for network-based UI manipulation attacks.
Why Does UIA Evade Detection?
These scenarios are not bugs but features of UI Automation. Since the system treats the actions as legitimate functionality, security tools like Microsoft Defender fail to detect malicious behavior. This mirrors the abuse of Android’s accessibility services API for data extraction by malware.
“If something is seen as a feature rather than a bug, the machine’s logic will follow the feature,” said Peled.
From COM to DCOM: Expanding Lateral Movement Vectors
In parallel research by Deep Instinct, a new lateral movement technique exploiting Distributed COM (DCOM) has been disclosed.
Key Insights:
- DCOM Remote Protocol:
  - Enables software components to communicate over a network.
  - Can be abused to write custom DLL payloads to a target machine, load them into a service, and execute arbitrary parameters.
- ‘DCOM Upload & Execute’ Method:
  - Writes custom payloads to the Global Assembly Cache (GAC) of the victim’s machine.
  - Executes payloads from a service context, enabling persistent backdoor functionality.
Limitations:
- Requires attacker and victim machines to be within the same domain.
- Leaves clear indicators of compromise (IoCs), which can be monitored and mitigated.
Defensive Recommendations
Mitigating UI Automation Exploitation:
- Limit the use of UIAccess applications to trusted programs.
- Regularly audit and monitor processes that interact with UI elements.
- Employ endpoint visibility solutions capable of detecting anomalous UI interactions.
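One way to act on the audit recommendations above, as an added example that is not part of the article or of Akamai's research: a PowerShell script that reports the UAC policy values governing UIAccess and lists running processes whose token actually carries the UIAccess flag. The namespace `UiaAudit` and the function `Get-UIAccessProcess` are my own names; the registry values and the `TokenUIAccess` information class (value 26) are standard Windows ones.

```powershell
# Added audit example: list processes whose token has the UIAccess flag set
# (TOKEN_INFORMATION_CLASS TokenUIAccess = 26) and show the UAC policy values
# that control when UIAccess is granted. Run elevated so other users' tokens open.

Add-Type -Namespace UiaAudit -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr hProcess, uint desiredAccess, out IntPtr hToken);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr hToken, int infoClass, out uint info, int infoLength, out int returnLength);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

$TOKEN_QUERY   = 0x0008
$TokenUIAccess = 26   # returns a DWORD; non-zero means the token was granted UIAccess

function Get-UIAccessProcess {
    foreach ($p in Get-Process) {
        $hToken = [IntPtr]::Zero
        try {
            # $p.Handle throws for protected or inaccessible processes; those are skipped
            if (-not [UiaAudit.Native]::OpenProcessToken($p.Handle, $TOKEN_QUERY, [ref]$hToken)) { continue }
            $flag = [uint32]0; $len = 0
            if ([UiaAudit.Native]::GetTokenInformation($hToken, $TokenUIAccess, [ref]$flag, 4, [ref]$len) -and $flag -ne 0) {
                [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = $p.Path }
            }
        } catch { }
        finally { if ($hToken -ne [IntPtr]::Zero) { [void][UiaAudit.Native]::CloseHandle($hToken) } }
    }
}

# By default UIAccess is only granted to signed binaries installed in secure
# locations (EnableSecureUIAPaths = 1); a value of 0 widens who can obtain it.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
[pscustomobject]@{
    EnableLUA              = $uac.EnableLUA
    EnableSecureUIAPaths   = $uac.EnableSecureUIAPaths
    EnableUIADesktopToggle = $uac.EnableUIADesktopToggle
} | Format-List

Get-UIAccessProcess | Format-Table -AutoSize
```

Built-in accessibility tools such as Narrator or Magnifier legitimately appear in the output; entries whose path lies outside Program Files or System32, or that are not known assistive or test-automation software, are the ones to review.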
Preventing DCOM-Based Attacks:
- Restrict DCOM access to trusted domains and IP ranges.
- Monitor the IMsiServer COM interface for suspicious DLL loads and modifications.
- Use endpoint detection to flag anomalous service context executions.
Source: thehackernews.com