Privilege escalation (privesc/*)

The privesc/* package tree groups primitives that start from a Medium-IL user token and end in either a High-IL (UAC-elevated) token or NT AUTHORITY\SYSTEM execution; which end state you get depends on the path, not the package.

flowchart TB
    subgraph startState [Start state]
        Medium["Medium-IL token<br>(typical user)"]
    end
    subgraph paths [Escalation paths]
        UAC["uac/*<br>fodhelper / slui /<br>silentcleanup / eventvwr"]
        CVE["cve202430088/*<br>kernel TOCTOU race"]
    end
    subgraph endState [End state]
        High["High-IL token (UAC)"]
        SYSTEM["NT AUTHORITY\\SYSTEM<br>(token swap)"]
    end
    Medium -->|admin user, UAC default| UAC
    UAC --> High
    Medium -->|vulnerable build < 2024-06| CVE
    CVE --> SYSTEM

Decision tree

| State / question | Path |
|---|---|
| "User is admin, UAC is default-notify, just need elevation." | privesc/uac, picking the bypass whose build window still covers the host |
| "Need SYSTEM, host build < June 2024 patch." | privesc/cve202430088 |
| "Already SYSTEM, need TrustedInstaller." | win/impersonate.RunAsTrustedInstaller |
| "Already admin, need elevation without UAC bypass." | win/privilege.ShellExecuteRunAs (visible UAC prompt) |

Per-package pages

  • uac.md — four bypass primitives (FODHelper, SLUI, SilentCleanup, EventVwr) with build-window tables.
  • cve202430088.md — CVE-2024-30088 kernel TOCTOU race with pre-flight version probe and BSOD-risk caveat.

Pre-flight pattern

package main

import (
    "log"

    "github.com/oioio-space/maldev/win/privilege"
    "github.com/oioio-space/maldev/win/version"
)

func main() {
    // Token state first: it decides which branch of the tree applies.
    // The third return is treated as an error here; discarding it would
    // make a failed probe look like "!admin" and push you onto the CVE path.
    admin, elevated, err := privilege.IsAdmin()
    if err != nil {
        log.Fatalf("IsAdmin: %v", err)
    }
    switch {
    case elevated:
        // already High-IL (or SYSTEM): nothing to do
    case admin && !elevated:
        // admin under default UAC: privesc/uac bypass
    case !admin:
        // non-admin: kernel race if the build allows, else credential capture
    }

    // Version probe before any kernel race; a probe failure or a patched
    // build means the race is not available, not "try it anyway".
    info, err := version.CVE202430088()
    if err != nil {
        log.Fatalf("version probe: %v", err)
    }
    if info.Vulnerable {
        // kernel race available
    }
}
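The decision tree and the pre-flight gate above, expressed as one pure, testable routine. This is an added example, not maldev code: token state and OS build are passed in as plain values instead of being read from privilege.IsAdmin() and version.CVE202430088(), so the routing can be unit-tested off-box. The State, Goal and Path types, ParseBuild, VulnerableBuild, Plan and the patchedUBR table are the example's own, and the June 2024 build thresholds in that table are the example author's recollection of the June 11, 2024 cumulative updates, marked as an assumption in the code; confirm them against the release notes before trusting the gate.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Build is a Windows version as major.minor.build.ubr (e.g. 10.0.22631.3737).
type Build [4]int

// ParseBuild parses the dotted form reported by RtlGetVersion plus the registry UBR.
func ParseBuild(s string) (Build, error) {
	var b Build
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) != 4 {
		return b, fmt.Errorf("want major.minor.build.ubr, got %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return b, fmt.Errorf("bad component %q in %q", p, s)
		}
		b[i] = n
	}
	return b, nil
}

// patchedUBR: first UBR per build line that carries the June 2024 fix. ASSUMPTION:
// the June 11, 2024 cumulative-update builds as recalled; confirm before relying on it.
var patchedUBR = map[int]int{
	19045: 4529, // Windows 10 22H2
	20348: 2522, // Windows Server 2022
	22631: 3737, // Windows 11 23H2
}

// VulnerableBuild is true only for a known line below its patched UBR; an unknown
// line is an error, never a guess (the race on the wrong kernel is a BSOD, not a token).
func VulnerableBuild(b Build) (bool, error) {
	fixed, ok := patchedUBR[b[2]]
	if !ok {
		return false, fmt.Errorf("build line %d not in patch table", b[2])
	}
	return b[3] < fixed, nil
}

// State is what the pre-flight probes report (hypothetical type, not a maldev one).
type State struct {
	Admin, Elevated, System bool
	Build                   Build
}

type Goal int
const (
	GoalHigh             Goal = iota // High-IL token
	GoalSystem                       // NT AUTHORITY\SYSTEM
	GoalTrustedInstaller             // TrustedInstaller via win/impersonate
)

type Path string
const (
	PathUAC Path = "privesc/uac (T1548.002)"
	PathCVE Path = "privesc/cve202430088 (T1068, T1134.001)"
	PathTI  Path = "win/impersonate.RunAsTrustedInstaller"
)

// Plan returns the ordered primitives that take s to g, or an error when the tree
// has no route. An unknown build counts as patched: no kernel race without a match.
func Plan(s State, g Goal) ([]Path, error) {
	vuln, _ := VulnerableBuild(s.Build) // probe error => treat as patched
	var steps []Path
	switch g {
	case GoalHigh:
		switch {
		case s.System || s.Elevated: // already there
		case s.Admin:
			steps = append(steps, PathUAC) // ShellExecuteRunAs if a prompt is acceptable
		case vuln:
			steps = append(steps, PathCVE) // SYSTEM is a superset of High-IL
		default:
			return nil, errors.New("non-admin on patched build: no local route")
		}
	case GoalSystem:
		if !s.System && !vuln { // the tree lists no High-IL -> SYSTEM primitive
			return nil, errors.New("no SYSTEM primitive for this build")
		}
		if !s.System {
			steps = append(steps, PathCVE)
		}
	case GoalTrustedInstaller:
		sub, err := Plan(s, GoalSystem) // empty when already SYSTEM
		if err != nil {
			return nil, err
		}
		steps = append(sub, PathTI)
	}
	return steps, nil
}
```

Populate State from the real probes on the box and keep patchedUBR next to the per-bypass build-window tables in uac.md so both gates are updated together; the important property is that an unrecognised build never routes to the kernel race.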

MITRE ATT&CK rollup

| ID | Technique | Owners |
|---|---|---|
| T1548.002 | Bypass User Account Control | privesc/uac |
| T1068 | Exploitation for Privilege Escalation | privesc/cve202430088 |
| T1134.001 | Token Impersonation/Theft | privesc/cve202430088 (token swap) |

See also