The User Account Control (UAC) feature has been around since Windows Vista and is still present in Windows 10. UAC is a security feature of the Windows OS that prevents potentially harmful programs from making changes to your computer. Even if your user account belongs to the Administrators group, which is supposed to have complete and unrestricted access to the computer, you are still subject to the UAC restriction.
When you run an application that needs privileges to make file or registry changes that can globally affect all users on the computer, Windows shows a User Account Control prompt. Clicking Yes allows the program that will make changes to the computer to run; clicking No stops it from running.
Even with UAC enabled on a system, malicious software such as a trojan RAT can be built to install itself without triggering the UAC prompt. This is done by configuring the server builder to drop the malicious file into the user's application data folder (%AppData%) and to add either a shortcut in the user's Startup folder or a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so that it runs automatically at Windows startup.
Without UAC elevation, the malicious file only has limited privileges: it can affect the currently logged-in user, but not the whole system.
This feature, which is commonly found in most RATs, isn't really worthy of being called a UAC bypass, because the program merely runs silently without requesting UAC elevation and ends up with limited privileges.
A real UAC bypass is when an application gains full administrative privileges through a backdoor without triggering the UAC prompt and without requiring the user to click the Yes button in the UAC window.
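As an added example (not part of the original post), the following PowerShell snippet enumerates the two per-user autostart locations named above, the HKCU Run key and the user's Startup folder, and flags entries whose target lives under the user's AppData tree, which is the footprint of the silent-install behaviour just described. It assumes it is run in a PowerShell session as the user being reviewed; a hit is a review candidate, not proof of malware.

```powershell
# Added example: review per-user autostart entries that load with the user's
# own token (no UAC prompt) and point into %AppData% / %LocalAppData%.

function Get-UserAutostartFindings {
    $runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $startup      = [Environment]::GetFolderPath('Startup')
    $suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
    $findings     = @()

    # Registry Run values: each value name maps to a command line.
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
            $findings += [pscustomobject]@{
                Source = 'HKCU Run'
                Name   = $p.Name
                Target = [string]$p.Value
            }
        }
    }

    # Startup folder shortcuts: resolve each .lnk target via WScript.Shell.
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $findings += [pscustomobject]@{
            Source = 'Startup folder'
            Name   = $_.Name
            Target = $lnk.TargetPath
        }
    }

    # Mark entries whose executable path sits under an AppData root.
    # Command lines may be quoted ("C:\...\foo.exe" -arg), so strip a leading quote.
    foreach ($f in $findings) {
        $expanded = [Environment]::ExpandEnvironmentVariables($f.Target).TrimStart('"')
        $hit = $false
        foreach ($root in $suspectRoots) {
            if ($expanded.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $hit = $true }
        }
        $f | Add-Member -NotePropertyName InAppData -NotePropertyValue $hit
    }
    return $findings
}

Get-UserAutostartFindings | Where-Object InAppData | Format-Table -AutoSize
```

Drop the `Where-Object InAppData` filter to list every entry rather than only the flagged ones.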
UAC Bypass Proof of Concept
A publicly available open-source proof of concept to defeat User Account Control, called UACMe, can be downloaded for free from GitHub. It contains 12 different popular methods used by malware to bypass UAC. To test a particular method, simply append a number from 1 to 12 after the filename.
(Credit to S3lf for the share)