Exploiting Environment Variables in Scheduled Tasks for UAC Bypass
By James Forshaw of Google Project Zero

Link: https://twitter.com/tiraniddo/status/864245310440316928
Link: https://twitter.com/tiraniddo/status/864245503432806401
Blog Article: https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html
Just realized this: Damn...

EDIT: Auto-elevated to Admin command prompt on my Creators Update machine despite having UAC on highest setting without any prompt. The blog also provides a method to mitigate this exploit.
Yep, using Task Scheduler was already used, seems still a viable attack vector. Again we see cmd and PowerShell used. If blocked (as I do), it won't work.
A few others in the past. By no means all of the known ways.

https://breakingmalware.com/vulnera...rivileges-by-environment-variables-expansion/
https://breakingmalware.com/vulnera...nd-elevation-environment-variables-revisited/
https://www.invincea.com/2017/03/powershell-exploit-analyzed-line-by-line/