TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Quarkslab

Milking the last drop of Intego - Time for Windows to get its LPE

Lucas Laise · 2026-04-06

ATT&CK techniques detected

8 predictions
T1070.004 File Deletion (97%)
“##r c:\foobar echo 123 > c:\foobar\deleteme1.txt echo 123 > c:\foobar\deleteme2.txt scan for duplicates in optimization -> scan specific location and select c:\foobar. scan specific location. wait for the scan to finish, check our controlled directory and run s…”

T1068 Exploitation for Privilege Escalation (83%)
“milking the last drop of intego - time for windows to get its lpe introduction it was a sunny sunday afternoon when my colleague mathieu farrell told me about how he discovered three vulnerabilities on the macos version of intego (available at 1, 2 and 3). while browsing their …”

T1068 Exploitation for Privilege Escalation (77%)
“at \rpc control\deleteme2.txt pointing to c:\config.msi. deletefilew() fails because of nt symlink. fallback to std::filesystem::remove() which follows the nt symlink. removedirectoryw() executes as system and deletes c:\config.msi function returns true, e…”

T1070.004 File Deletion (72%)
“technical background intego's optimization module intego includes an optimization module that scans for duplicate files and offers to delete them. this feature is usable by unprivileged users and it works as follows: user runs the optimization scan on a specific location. inte…”

T1485 Data Destruction (61%)
“technical background intego's optimization module intego includes an optimization module that scans for duplicate files and offers to delete them. this feature is usable by unprivileged users and it works as follows: user runs the optimization scan on a specific location. inte…”

T1070.004 File Deletion (52%)
“keyboard by pressing ctrl+alt+del. dll is successfully dropped. procmon capture confirms the delete action as system. access to system command prompt. vulnerability analysis analyzing iavservice.exe reveals the issue in the deletion workflow: time-of-check: getfileattr…”

T1070.004 File Deletion (41%)
“here, waiting for user to confirm deletion iavfiledeleteex_killprocessusingfile(filepath_wstring_ptr); temp_filepath.assign(*filepath_wstring_ptr); // time-of-use deletion_succeeded = iavfilesutil_removefile(&temp_filepath); temp_filepath. …”

T1548.002 Bypass User Account Control (31%)
“folder c:\config.msi via a reparse point. attacker recreates c:\config.msi and places .rbs and .rbf rollback scripts and files in it. an msi installation is triggered and forced to fail, causing a rollback action. windows installer (system) will load rollback files and …”

Summary

Exploitation of an arbitrary directory deletion via symlink following in the antivirus Intego.