Live Active security incident? Get immediate response
MITRE ATT&CK® Tool

S0116: UACMe

UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. [1]

EnterpriseS0116ToolObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

UACMe matters because it packages many known ways to bypass Windows User Account Control, making it useful for assessment but also a practical reference point for how privilege elevation can occur after an account or endpoint is already compromised. For leaders, the decision value is not the tool name alone; it is whether Windows endpoints, local administrator practices, and SOC telemetry can show when a process moves from normal user context toward elevated integrity without expected authorization.

Executive priority

Prioritize this as a Windows privilege-escalation readiness issue. It should drive questions about local administrator exposure, endpoint hardening, incident response evidence, and whether audit/compliance reporting can prove that UAC bypass attempts would be investigated. Because the ATT&CK relationship maps UACMe to Bypass User Account Control under privilege escalation, the business concern is attacker progression: a weak control or visibility gap here can make containment harder after initial access.

Technical view

ATT&CK identifies UACMe as an open source assessment tool containing multiple Windows UAC bypass methods and relates it to T1548.002, Bypass User Account Control. SOC and detection engineering teams should validate coverage around suspicious privilege elevation behavior on Windows rather than relying only on tool-name matching. Review whether endpoint telemetry captures process creation, parent-child process relationships, integrity level changes, elevated token usage, UAC-related prompts or consent behavior where available, and command-line context. Incident responders should be prepared to distinguish authorized assessment use from unexpected execution or UAC bypass-like behavior.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Parent-child process relationships around elevated processes
  • Process integrity level or token elevation indicators where collected
  • Local administrator group membership and privilege context
  • Endpoint security alerts for suspicious privilege escalation behavior

Detection direction

  • Do not depend only on the string "UACMe"; validate behavior-based detection for UAC bypass patterns associated with T1548.002.
  • Tune detections for unexpected elevated child processes, unusual parent processes, or elevation from user-writable locations, while accounting for legitimate administrative and assessment activity.
  • Confirm whether endpoint visibility includes integrity level, token elevation, command line, and parent process data; gaps in these fields can make UAC bypass activity difficult to triage.
  • Correlate privilege-escalation indicators with account context, local administrator membership, and recent endpoint activity to reduce false positives.
  • Maintain an allowlisted process for authorized security testing so open source assessment tool use does not create unmanaged alert noise.

Mitigation priorities

  • Reduce unnecessary local administrator rights on Windows systems.
  • Harden Windows endpoint configuration and UAC-related policy according to organizational risk tolerance and administrative needs.
  • Ensure endpoint detection and response logging is enabled and retained for process, command-line, and privilege context.
  • Use controlled assessment to validate whether UAC bypass behavior is detected and escalated appropriately.
  • Document detection logic, response playbooks, and exceptions as compliance and audit evidence for privilege-escalation monitoring.
Analyst notes and limits

The supplied ATT&CK object has no official detection text, no explicit platforms field on the tool object, and no tactics listed directly on the tool. The Windows platform and privilege-escalation framing come from the relationship to T1548.002, Bypass User Account Control, and from the official description referencing Windows UAC. Treat UACMe as a coverage-validation anchor for Windows privilege escalation rather than proof of malicious activity by itself.

This take is limited to the supplied MITRE ATT&CK fields, external references, and the relationship to T1548.002. It does not establish active exploitation, attribution, prevalence, specific bypass methods, or guaranteed detection outcomes. Local endpoint configuration, logging depth, administrative practices, and authorized testing records are required to assess real exposure.

Official MITRE ATT&CK definition

UACMe

UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1548.002 Bypass User Account Control Sub-technique

UACMe contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.CitationGithub UACMe
Relationship explorer

All related ATT&CK context

uses · Technique T1548.002: Bypass User Account Control Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
dac64c8a3a35a3fb...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle dac64c8a3a35…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Github UACMe

    UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.

    Open source URL
  2. [2]
    mitre-attack S0116
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use