Attackers always hope to get administrator privileges. Once they have them, they can do anything. Therefore, they try to get administrator privileges in various ways, such as account stealing, privilege escalation, and UAC bypass. I have found one way to escalate privileges to administrator without using a vulnerability. I hope you will see the demo, understand the mechanism, and prepare against the attacks.
How to escalate privileges to administrator in latest Windows.
BSides Las Vegas 2017
July 25, 2017
Who I am
• Soya Aoyama
• Fujitsu System Integration Laboratories Limited
• First Presentation: AVTOKYO 2016
Do you want administrator privileges?
• Steal administrator accounts
  • Mimikatz, PwDump, CacheDump, …
• Attack system vulnerabilities
  • CVE-2017-0156, 0158, 0165, 0166, 0189, 0211, …
• Use Windows 10 weaknesses
  • UAC bypass, IFileOperation, …
A year ago…
• I submitted to Microsoft's bounty program.
I decided to make it public.
• CompMgmtLauncher loads a third-party DLL
• Requirement: Registered in the following registry
[Diagram labels: Third Party Program; 2. Escalate to Administrator; 3. Load]
During the demonstration…
• You need administrator privileges to access the file.
I found a means to solve this issue.
OneDrive helps to solve the problem
• Explorer loads a OneDrive DLL
• The OneDrive program is located in the following
• You can use the IFileOperation API in Explorer
You can access files owned by the administrator.
[Diagram label: 1. Click batch file]
Even if individual weaknesses are small, they can be very dangerous depending on the combination.
• This was fixed in Build 15063 (Creators Update).
• CompMgmtLauncher still loads a third-party DLL.
• CompMgmtLauncher does not escalate to administrator privileges.
Microsoft does not want to pay me the reward.