# Full Report
A newly devised technique leverages a Windows accessibility framework called UI Automation (UIA) to perform a wide range of malicious activities without tipping off endpoint detection and response (EDR) solutions. "To exploit this technique, a user must be convinced to run a program that uses UI Automation," Akamai security researcher Tomer Peled said in a report shared with The Hacker News. "
# Analysis Summary
# Tool/Technique: Windows UI Automation (UIA) Abuse
## Overview
A newly devised technique exploits the legitimate Windows accessibility framework, UI Automation (UIA), to perform various malicious actions stealthily, often evading Endpoint Detection and Response (EDR) solutions. The abuse relies on tricking a user into running a program that uses UIA functionality; once running, that program can perform hidden command execution, harvest data (including from messaging apps such as Slack and WhatsApp), and redirect browsers to phishing sites.
## Technical Details
- Type: Technique (Abuse of legitimate framework)
- Platform: Windows (Available since Windows XP via .NET Framework)
- Capabilities: Programmatic access and manipulation of UI elements, inter-process interaction, event handling based on UI changes.
- First Seen: The research detailing this specific abuse was recently disclosed (implied late 2024 based on context).
## MITRE ATT&CK Mapping
- T1547 - Boot or Logon Autostart Execution (Implied, requires initial execution)
- T1056 - Input Capture
- T1056.001 - Keylogging (Can be used to capture data being inputted)
- T1047 - Windows Management Instrumentation (WMI) (While UIA is distinct, the goal of remote/stealthy execution aligns)
- T1566 - Phishing (Can be used for redirecting browsers)
- T1071 - Application Layer Protocol (Used for potential C2 communication after initial compromise, though not directly detailed)
*Note: The primary evasion benefit relates to **T1056 - Input Capture** and general **Execution/Persistence** techniques seen as permissible application behavior.*
## Functionality
### Core Capabilities
- Stealthy Command Execution: Launching commands in a manner that appears to stem from a trusted system process or assistive technology.
- Data Harvesting: Reading sensitive data entered into websites (e.g., payment information) or reading/writing messages to applications like Slack and WhatsApp.
- Browser Redirection: Exploiting UI element changes (like page refreshes) to automatically redirect browsers to malicious websites.
### Advanced Features
- Interaction with Cached Elements: Ability to interact with UI elements that are loaded into the cache but not currently visible on the screen (e.g., reading hidden messages).
- Inter-Process Communication (IPC): Leverages Component Object Model (COM) for IPC, enabling interaction with arbitrary applications.
- Privilege Escalation Context: When launched by an administrator, assistive technology applications can set the `UIAccess` flag to interact with higher Integrity Level (IL) processes.
- Potential Network Manipulation: The technique is noted as potentially weaponizable to manipulate UI elements over a network.
## Indicators of Compromise
- File Hashes: [N/A - Technique relies on legitimate framework binaries]
- File Names: [N/A - Depends on the custom application leveraging UIA]
- Registry Keys: [N/A]
- Network Indicators: [N/A - Focus is on local UI manipulation, though subsequent actions could involve network calls.]
- Behavioral Indicators: Processes utilizing the UI Automation API components to interact with other high-privilege application windows or cache elements unexpectedly, especially outside the context of screen readers or accessibility utilities.
## Associated Threat Actors
- Not explicitly named in relation to this specific UIA abuse, but the technique targets EDR blind spots.
## Detection Methods
- Signature-based detection: Difficult, as the activity mimics legitimate assistive technology usage.
- Behavioral detection: Monitoring for legitimate processes (leveraging UIA/COM) performing non-standard actions, especially targeting protected elements or interacting with cached elements outside the visible viewport.
- YARA rules: [N/A]
## Mitigation Strategies
- Monitoring applications that utilize the UIAccess flag (requires high privilege launch).
- Implementing strict Application Control solutions focusing on applications making unusual COM calls related to UI manipulation.
- User education regarding running unrecognized programs that require elevated access or prompt accessibility permissions.
- Reviewing processes specifically utilizing the UI Automation framework outside of known accessibility software.
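One way to start the review in the last item above, as an added hunting script that is not part of the article or of Akamai's research: list running processes that have the native UIA client library loaded and are not on an allowlist of expected accessibility software. Assumptions: `UIAutomationCore.dll` is the module name of the UIA core library, and the allowlist below is illustrative and should be tuned for the environment.

```powershell
# Added hunting example, not from the article: flag processes that have the
# UI Automation client library loaded but are not known accessibility tools.
# Assumption: UIAutomationCore.dll is the native UIA core library.
# Assumption: this allowlist is illustrative; extend it for your environment.
$KnownAccessibility = @('narrator', 'magnify', 'osk', 'nvda', 'jfw', 'sihost', 'ctfmon')

Get-Process | ForEach-Object {
    $proc = $_
    try {
        # Module enumeration throws for protected processes and other sessions;
        # skip those rather than abort the whole sweep.
        $uiaLoaded = $proc.Modules | Where-Object { $_.ModuleName -ieq 'UIAutomationCore.dll' }
    } catch {
        return
    }
    if ($uiaLoaded -and ($KnownAccessibility -notcontains $proc.ProcessName.ToLower())) {
        [pscustomobject]@{
            Pid       = $proc.Id
            Name      = $proc.ProcessName
            Path      = $proc.Path
            StartTime = $proc.StartTime
        }
    }
} | Sort-Object Name | Format-Table -AutoSize
```

Many mainstream applications (browsers, office suites) legitimately load this library, so treat the output as a triage list to compare against known software rather than as alerts; run it elevated to cover processes in other user sessions.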
## Related Tools/Techniques
- Android Accessibility Services API abuse (parallels the concept of misusing accessibility features for data extraction).
- DCOM (Distributed COM) Abuse: Mentioned in the context of lateral movement, where researchers found DCOM could be exploited via the `IMsiServer` COM interface to remotely write and execute custom DLLs, creating an embedded backdoor (Deep Instinct research).
***
# Tool/Technique: DCOM Upload & Execute Backdoor (Deep Instinct Research)
## Overview
A lateral movement attack vector discovered by Deep Instinct abuses the Distributed Component Object Model (DCOM) remote protocol to write custom payloads (DLLs) onto a target machine, load them into a service context, and execute them with arbitrary parameters, effectively creating an embedded backdoor.
## Technical Details
- Type: Technique / Exploit (Abuse of DCOM)
- Platform: Windows (Requires machines within the same domain)
- Capabilities: Remote payload delivery (DLL writing), service execution, communication with the executed payload.
- First Seen: Disclosed recently based on the article's context.
## MITRE ATT&CK Mapping
- T1570 - Lateral Movement
- T1570.008 - Remote Services: Distributed Component Object Model (DCOM)
- T1106 - Native API
- T1543.003 - Create or Modify System Process: Windows Service
## Functionality
### Core Capabilities
- Remote DLL Writing: Allows for writing custom DLL files to the victim's Global Assembly Cache (GAC).
- Remote Execution Context: Executes the payload from a service context on the victim machine.
- Backdoor Functionality: Communicates with the payload, functioning as an embedded backdoor once established.
### Advanced Features
- Abuse of Unexpected COM Objects: Exploits the `IMsiServer` COM interface, which was previously less scrutinized compared to scriptable IDispatch-based objects for lateral movement.
## Indicators of Compromise
- File Hashes: [N/A - Depends on the custom payload]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: Relies on DCOM communication, typically within an internal domain network.
- Behavioral Indicators: Anomalous writing of DLLs to the GAC, or service creation/modification originating from DCOM interactions on trusted internal systems.
## Associated Threat Actors
- Not explicitly named in relation to this specific DCOM abuse.
## Detection Methods
- Signature-based detection: Focusing on known attack strings or file operations associated with the specific abuse of `IMsiServer`.
- Behavioral detection: Analyzing network traffic and system calls related to DCOM activity, specifically looking for remote execution of loaded modules or unexpected file writes to system directories (like the GAC).
- YARA rules: [N/A]
## Mitigation Strategies
- Implementing proper defense-in-depth strategies across the domain, as this attack requires domain presence.
- Monitoring and alerting on remote DCOM usage that results in file writes to sensitive locations (like the GAC) or subsequent service creation/modification.
- Limiting administrative access and preventing lateral movement between systems.
## Related Tools/Techniques
- Traditional PsExec style lateral movement.
- General COM/DCOM exploitation techniques.
- UI Automation Abuse (discussed alongside DCOM abuse as a recent area of focus for EDR evasion).