FireF0X

Thoughts about "Process Doppelganging" and proof-of-concepts, http://www.kernelmode.info/forum/viewtopic.php?f=15&t=4879 …

IceID trojan downloader with embedded tiraniddo (token manipulation) and CMSTPLUA UAC bypasses, both copied from uacme together with PEB patch, http://www.kernelmode.info/forum/viewtopic.php?f=16&p=31078#p31077 …

Collection of UAC bypasses based on <HKCU\Volatile Environment@SYSTEMROOT> registry hijack, https://bytecode77.com/hacking/exploits …, note: this should be somewhat fixed in Windows 10 RS3 1709, and work everywhere on 1703 and below.

Good news, 17035 seems fixed shell and this method is now fully working on RS4.

IColorDataProxy (Color Management) undocumented COM interface represents another UAC bypass via ability to execute custom display calibrator from HKLM entry (which can be easily controlled by another MS backdoor interface ICMLuaUtil), this works from Win7 up to recent Win10 RS4).

/ or as result of Windows Shell API/components redesign.

Windows 10 RS4 17025 sdclt (kickoffelev exefile hkcu) uac bypass no longer works. They seems managed to fix it from the 2nd attempt. /cont

So you want to say being a part of AV botnet can lead to stealing your data? Wow, rly? Windows Defender "Microsoft SpyNet" anyone?

*38 "Command line" of course, typo

Well you can disregard above tweet as it seems another cascade of fun *bug-features* added in 16273. I'll look more when I've time.

NtLoadEnclaveData bug has been fixed in public 16273 build.https://twitter.com/hFireF0X/status/887930221466443776 …

UAC bypass based on wow64 logger functionality is apparently no longer works starting from win10 16273 build, everything else works as b4.

CMLuaUtil interface also offers more interesting functions such as: initiate system shutdown, write access to registry (set/del values/keys)

Note: above requires PEB patch or work from inject.