Provadys Offsensive Security Blog


An introduction to privileged file operation abuse on Windows

Published on Wed 20 March 2019 by @clavoillotte

This is a (bit long) introduction on how to abuse file operations performed by privileged processes on Windows for local privilege escalation (user to admin/system), and a presentation of available techniques, tools and procedures to exploit these types of bugs.

UAC bypass via elevated .NET applications

Published on Fri 15 September 2017 by @clavoillotte

.NET Framework can be made to load a profiling DLL or a COM component DLL via user-defined environment variables and CLSID registry entries, even when the process is elevated. This behavior can be exploited to bypass UAC in default settings on Windows 7 to 10 (including the latest RS3 builds) by making an auto-elevate .NET process (such as MMC snap-ins) load an arbitrary DLL.