Elevated privilege conditions
We summarize the preceding reverse engineering results for Windows 10 Enterprise LTSC (10.0.17763 N/A Build 17763) and can derive the following conditions for automatic privilege elevation for UAC design:
- The program must configure itself as Auto Elevation
- The program should have a valid digital signature
- The program is run from a trusted system directory
In fact, you will soon understand that there are many services and tools in the system that are directly privileged on wakeup in order to allow users to use them smoothly without having to agree to frequent authorizations. So, if we can hijack these privileged processes, wouldn’t we be able to elevate our malware as well? A few common examples are as follows:
- The DLL module paths or commands used by a high-privileged system program are improperly stored in the registry,
*.xml, or*.inifiles on disk - The privileged service has exported a public COM interface to...
