“I’ve previously blogged about two different bypass techniques, and this post will highlight an alternative method that also doesn’t rely on the IFileOperation/DLL hijacking approach.” reads a blog post published by Nelson. “This technique works on Windows 10 build 15031, where the vast majority of public bypasses have been patched.”
The expert explained that there are several signed binaries in Microsoft OS that auto-elevate due to their manifest. Nelson analyzed them and focused its investigation on sdclt.exe, which is the process associated with the Backup and Restore tool in Windows.
He discovered that sdclt.exe auto-elevates due to its manifest only in Windows 10.
The sdclt.exe starts control.exe to open up a Control Panel item in high-integrity context, the process obtains the path to control.exe by querying the App Path key for it within the HKEY_CURRENT_USER hive.
“Looking again at the execution flow, sdclt.exe queries the App Path key for control.exe within the HKEY_CURRENT_USER hive.” explained Nelson.
“Calls to HKEY_CURRENT_USER (or HKCU) from a high integrity process are particularly interesting. This often means that an elevated process is interacting with a registry location that a medium integrity process can tamper with,”
An attacker can modify the key that is retrieved by the sdclt.exe query, the expert managed to have cmd.exe returned to the query.
The method doesn’t allow for using parameters, in order to exploit it the attacker has to place the