# Privilege escalation (privesc/*)
The privesc/* package tree groups primitives that take a Medium-IL
user token and produce either a High-IL token (UAC bypass, admin users
only) or NT AUTHORITY\SYSTEM execution (kernel race with token swap).
```mermaid
flowchart TB
    subgraph startState [Start state]
        Medium["Medium-IL token<br>(typical user)"]
    end
    subgraph paths [Escalation paths]
        UAC["uac/*<br>fodhelper / slui /<br>silentcleanup / eventvwr"]
        CVE["cve202430088/*<br>kernel TOCTOU race"]
    end
    subgraph endState [End state]
        High["High-IL token (UAC)"]
        SYSTEM["NT AUTHORITY\SYSTEM<br>(token swap)"]
    end
    Medium -->|admin user, UAC default| UAC
    UAC --> High
    Medium -->|build before June 2024 patch| CVE
    CVE --> SYSTEM
```
Where to start (novice path):
- Are you a Medium-IL admin user? → uac. The UAC bypass methods (FODHelper / SLUI / SilentCleanup / EventVwr) elevate to High-IL without showing a prompt; they only work for members of Administrators with UAC at its default level. Pick the bypass by the host's build window.
- Need full SYSTEM, not just High-IL? → check the host build via win/version. If the host is Windows 10/11 without the June 2024 security update, use cve202430088. Otherwise you need a different exploit (out of scope here).
- Already SYSTEM, want TrustedInstaller? → win/impersonate.RunAsTrustedInstaller.
- The decision tree below covers every common state / target permutation.
## Decision tree
| State / question | Path |
|---|---|
| "User is admin, UAC is default-notify, just need elevation." | privesc/uac — pick the bypass that survives the build |
| "Need SYSTEM, host build < June 2024 patch." | privesc/cve202430088 |
| "Already SYSTEM, need TrustedInstaller." | win/impersonate.RunAsTrustedInstaller |
| "Already admin, need elevation without UAC bypass." | win/privilege.ShellExecuteRunAs (visible UAC prompt) |
## Per-package pages
- uac.md — four bypass primitives (FODHelper, SLUI, SilentCleanup, EventVwr) with build-window tables.
- cve202430088.md — CVE-2024-30088 kernel TOCTOU race with pre-flight version probe and BSOD-risk caveat.
## Pre-flight pattern
```go
package main

import (
	"log"

	"github.com/oioio-space/maldev/win/privilege"
	"github.com/oioio-space/maldev/win/version"
)

func main() {
	// admin: caller is a member of Administrators; elevated: the token is already High-IL.
	admin, elevated, err := privilege.IsAdmin()
	if err != nil {
		log.Fatalf("IsAdmin: %v", err)
	}
	switch {
	case elevated:
		// already High-IL (or SYSTEM): nothing to bypass
	case admin && !elevated:
		// Medium-IL admin token: privesc/uac
	case !admin:
		// standard user: kernel race (build permitting) or credential capture
	}

	// Gate the kernel race on the host build before touching it; firing the
	// race on a patched host risks a BSOD rather than a clean failure.
	if info, err := version.CVE202430088(); err == nil && info.Vulnerable {
		// privesc/cve202430088 available: Medium-IL -> SYSTEM directly
	}
}
```
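The build gate above is what keeps the kernel race off patched hosts. The following is an added, self-contained example (not code from the maldev package) that shows the shape of such a gate and carries the decision tree through with it: it parses a `major.minor.build.UBR` string, classifies the host as vulnerable, patched or unknown against a per-build "first patched UBR" table, and selects the path from the table above. The UBR thresholds in `june2024UBR` are assumptions taken from the public KB articles for the June 2024 update (19045.4529, 22621.3737, 22631.3737), not from the package; the authoritative probe is `version.CVE202430088()`. `ParseBuild`, `CheckJune2024`, `ChoosePath` and the `Path` constants are names chosen for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// BuildState is the outcome of the build-window check.
type BuildState int

const (
	Unknown    BuildState = iota // build not in the table: never fire the race blind
	Patched                      // UBR at or past the fix
	Vulnerable                   // UBR before the fix
)

// Path is the escalation route the decision tree selects.
type Path string

const (
	PathNone       Path = "already elevated"
	PathUAC        Path = "privesc/uac"
	PathCVE        Path = "privesc/cve202430088"
	PathOutOfScope Path = "different exploit or credential capture (out of scope)"
)

// june2024UBR maps a Windows 10/11 build to the first UBR carrying the
// June 2024 security update. ASSUMPTION: values from public KB articles
// (KB5039211 -> 19045.4529, KB5039212 -> 22621.3737 / 22631.3737);
// confirm against win/version before relying on them.
var june2024UBR = map[int]int{
	19045: 4529,
	22621: 3737,
	22631: 3737,
}

// ParseBuild splits "major.minor.build.ubr" (as printed by `ver` or built
// from RtlGetVersion plus the UBR registry value) into build and UBR.
func ParseBuild(s string) (build, ubr int, err error) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) != 4 {
		return 0, 0, fmt.Errorf("want major.minor.build.ubr, got %q", s)
	}
	nums := make([]int, 4)
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil || n < 0 {
			return 0, 0, fmt.Errorf("bad component %q in %q", p, s)
		}
		nums[i] = n
	}
	if nums[0] != 10 || nums[1] != 0 {
		return 0, 0, errors.New("not a Windows 10/11 (10.0.x.y) version")
	}
	return nums[2], nums[3], nil
}

// CheckJune2024 classifies a host by build and UBR. An unknown build is
// reported as Unknown, not Vulnerable: the caller must not assume the
// race is safe to fire there.
func CheckJune2024(build, ubr int) BuildState {
	fixed, ok := june2024UBR[build]
	if !ok {
		return Unknown
	}
	if ubr < fixed {
		return Vulnerable
	}
	return Patched
}

// ChoosePath applies the decision-tree table: elevated tokens need nothing,
// admins who only need High-IL take the UAC bypass, anyone who needs SYSTEM
// gets the kernel race only on a confirmed-vulnerable build.
func ChoosePath(admin, elevated, wantSystem bool, state BuildState) Path {
	switch {
	case elevated:
		return PathNone
	case admin && !wantSystem:
		return PathUAC
	case state == Vulnerable:
		return PathCVE
	default:
		return PathOutOfScope
	}
}

func main() {
	// Constructed sample host string; a real run would read it from the host.
	build, ubr, err := ParseBuild("10.0.22631.3672")
	if err != nil {
		fmt.Println("parse:", err)
		return
	}
	state := CheckJune2024(build, ubr)
	fmt.Printf("build %d UBR %d -> state %d, path: %s\n",
		build, ubr, state, ChoosePath(false, false, true, state))
}
```

The tri-state result is the point of the design: a build missing from the table must route to "out of scope" rather than to the race, because a TOCTOU kernel race on an unexpected build is where the BSOD risk lives.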
## MITRE ATT&CK rollup
| ID | Technique | Owners |
|---|---|---|
| T1548.002 | Bypass User Account Control | privesc/uac |
| T1068 | Exploitation for Privilege Escalation | privesc/cve202430088 |
| T1134.001 | Token Impersonation/Theft | privesc/cve202430088 (token swap) |
## See also
- docs/techniques/tokens/ — Layer-1 token primitives that gate every privesc path
- docs/techniques/win/version.md — pre-flight version + UBR probe