Does anybody know how Emotet/Trickbot gets from a non-admin user to SYSTEM on Windows 7?
This is a little more complicated than a simple process hollowing. Leverages the “double process hollowing” technique based on the Windows Native API, leveraging the “svchost.exe” system process as a way to perform privilege escalation and inject malicious code. Sadly, the Win API is poorly documented.
Spent 4 hours searching GitHub. Double process hollowing to priv esc is nowhere to be found. My OSCP exam is in 3 weeks, so if you have working code, remember sharing is caring. #tistheseason
Right, the process that spawns the hollowed process can only have the same security token as the original process, so there is no LPE part to hollowing; there must be more to it. Is it running as SYSTEM? Then the entry point must also be running as SYSTEM.
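The point above, that a hollowed process keeps the token of whatever spawned it, is also where a defender can look. The following hunting script is an added example, not code from this thread: it assumes the usual baseline that every svchost.exe is started by services.exe, runs from System32 (or SysWOW64), and runs as SYSTEM, LOCAL SERVICE or NETWORK SERVICE, and it flags any svchost.exe that breaks that pattern.

```powershell
# Added hunting check (not from the thread). Assumed baseline: a legitimate
# svchost.exe has services.exe as its parent, lives under System32/SysWOW64
# and runs under one of the built-in service accounts. A hollowed copy spawned
# by something else inherits that spawner's parent and token, so it breaks
# one or more of these expectations.
$expectedOwners = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
$expectedPaths  = @("$env:SystemRoot\System32\svchost.exe",
                    "$env:SystemRoot\SysWOW64\svchost.exe")

$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$findings = foreach ($p in $all | Where-Object { $_.Name -ieq 'svchost.exe' }) {
    # Resolve the parent by PID; the parent may already have exited.
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    # GetOwner returns the account the process token belongs to.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $user  = if ($owner.ReturnValue -eq 0) { $owner.User } else { '<unknown>' }

    $reasons = @()
    if ($parentName -ine 'services.exe')        { $reasons += "parent is $parentName" }
    if ($expectedOwners -notcontains $user)      { $reasons += "owner is $user" }
    if ($p.ExecutablePath -and $p.ExecutablePath -notin $expectedPaths) {
        $reasons += "image path is $($p.ExecutablePath)"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            Parent      = $parentName
            Owner       = $user
            CommandLine = $p.CommandLine
            Reason      = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated prompt so that owner and command line are visible for every process; it needs PowerShell 3.0 or later (on Windows 7 that means WMF 3), and a hit is a lead to examine, not proof of injection.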