Windows Privilege Escalation

Overview

A new proof-of-concept (PoC) has been published for a Windows local privilege escalation vulnerability.

At first, the vulnerability CVE-2021-41379 was considered low impact. The advisory that accompanied Microsoft’s November Patch Tuesday update stated that it can’t be used to gain any extra privileges.

However, after analysing Microsoft’s fix, the security researcher who discovered the vulnerability was able to bypass the mitigation and use it to gain administrative permissions on the local device.

Impact

A local user can gain local administrator permissions on a fully patched Windows device.

Vulnerability Detection

All current Windows devices are affected.

Affected Products

All currently supported versions of Windows.

Containment, Mitigations & Remediations

No known mitigations at this time, but the attack requires local privileges.

Indicators of Compromise

PoC

MD5: f317b6bafb5c6f4c3c9ffb967fd941b5

SHA-1: 509c2115bfbb20e65a08286935cfac1305894ede

SHA-256: 9e4763ddb6ac4377217c382cf6e61221efca0b0254074a3746ee03d3d421dabd
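The following script, added here as an example and not part of this advisory, hunts a directory tree for the published PoC binary by computing each file's MD5, SHA-1 and SHA-256 and comparing them against the three indicators listed above. It assumes only the Python standard library; the scratch directory and file in the demo are constructed.

```python
import hashlib
import os
import tempfile

# Hashes of the published PoC binary, copied from the indicators above.
POC_IOCS = {
    "md5": "f317b6bafb5c6f4c3c9ffb967fd941b5",
    "sha1": "509c2115bfbb20e65a08286935cfac1305894ede",
    "sha256": "9e4763ddb6ac4377217c382cf6e61221efca0b0254074a3746ee03d3d421dabd",
}


def _digest_chunks(chunks):
    """Feed each chunk to all three hash functions at once; return hex digests by algorithm name."""
    digests = {name: hashlib.new(name) for name in POC_IOCS}
    for chunk in chunks:
        for h in digests.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def hash_bytes(data):
    """Hash an in-memory blob (useful for files already read, or for tests)."""
    return _digest_chunks([data])


def hash_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries do not have to fit in memory."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def matching_iocs(digests):
    """Return the names of the indicators a set of digests matches (comparison is case-insensitive)."""
    return sorted(name for name, value in POC_IOCS.items() if digests.get(name, "").lower() == value)


def scan_directory(root):
    """Walk a directory tree; return [(path, matched_algorithms)] for every file hitting an indicator."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                matched = matching_iocs(hash_file(path))
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the whole scan
            if matched:
                hits.append((path, matched))
    return hits


if __name__ == "__main__":
    # Constructed demo: a scratch directory holding one benign file, which must produce no hits.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign.txt"), "wb") as fh:
            fh.write(b"not the PoC")
        print(scan_directory(tmp))
```

Any hit should be treated as the PoC having been staged on the host and investigated alongside the local account that wrote the file, since the indicators cover only this one published build.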

Threat Landscape

A public PoC makes it much easier for attackers to use this exploit in their campaigns but, because it still requires a local account, it won’t be the source of any new network intrusions. This attack has already been seen incorporated into criminals’ attack chains.

Mitre Methodologies

T1068 – Exploitation for Privilege Escalation

Further Information

klinix5/InstallerFileTakeOver

VirusTotal