Bypass Record

Exploitation for Priv-Esc × Microsoft Windows 10 (up to build 22621)

A publicly-reported instance of Exploitation for Priv-Esc bypassing Microsoft Windows 10 (up to build 22621), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows 10 (up to build 22621)
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2024-02-07
Config / version noted: Not stated

Provenance

Reported as

Raspberry Robin uses kernel LPE exploits... The CVE-2023-36802 exploit is a Type Confusion in Microsoft Streaming Service Proxy... allowing SYSTEM escalation.

Mechanism

Raspberry Robin uses kernel LPE exploits encrypted with RC4, injected into cleanmgr.exe via KernelCallbackTable injection. The CVE-2023-36802 exploit is a Type Confusion in Microsoft Streaming Service Proxy triggered via specific IOCTLs on the mkssrv device, allowing SYSTEM escalation. The malware only deploys exploits matching the victim's Windows build.

Detection & mitigation

Monitor for unexpected OleView.exe execution with unsigned or invalidly signed DLLs in non-standard directories. Detect KernelCallbackTable injection into cleanmgr.exe and anomalous IOCTL calls to the mkssrv device. Apply the CVE-2023-36802 patch and use EDR behavioral rules to block process injection and privilege escalation attempts.
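The three indicators above (an unsigned DLL loaded by OleView.exe from outside the Windows directory, another process opening cleanmgr.exe, and mkssrv IOCTLs issued by a process that was just opened that way) can be turned into a small correlation rule. The following is an added example written for this record, not code from the cited source or any product: the key=value event layout, the field names, the sample log lines and the baseline allowlist of mkssrv callers are all constructed assumptions, standing in for whatever your EDR or Sysmon pipeline actually emits.

```python
"""Correlation of the indicators named in the record above.

Added example, not code from the cited source. The event format,
field names, sample lines and MKSSRV_BASELINE_CALLERS are assumptions
made for this example, not a real telemetry schema.
"""
import ntpath
import re
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry in an assumed, simplified Sysmon-like layout.
SAMPLE_EVENTS = [
    "event=ImageLoad image=C:\\Tools\\OleView.exe loaded=C:\\Users\\Public\\iviewers.dll signed=false",
    "event=ImageLoad image=C:\\Tools\\OleView.exe loaded=C:\\Windows\\System32\\ole32.dll signed=true",
    "event=ProcessAccess source=C:\\Users\\Public\\loader.exe target=C:\\Windows\\System32\\cleanmgr.exe access=0x1fffff",
    "event=DeviceIoControl image=C:\\Windows\\System32\\cleanmgr.exe device=mkssrv",
    "event=DeviceIoControl image=C:\\Windows\\System32\\svchost.exe device=mkssrv",
]

# Processes expected to talk to the mkssrv device in a given environment.
# Placeholder assumption: populate this from a baseline of your own fleet.
MKSSRV_BASELINE_CALLERS: Set[str] = {"svchost.exe"}

KV_RE = re.compile(r"(\w+)=(\S+)")
Alert = Tuple[str, str, str]  # (severity, rule name, detail)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict (values contain no spaces)."""
    return dict(KV_RE.findall(line))


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def analyze(lines: List[str]) -> List[Alert]:
    """Run the three detection rules over event lines, in order, with correlation."""
    alerts: List[Alert] = []
    opened_targets: Set[str] = set()  # processes another process obtained a handle to

    for line in lines:
        ev = parse_event(line)
        kind = ev.get("event")

        if kind == "ImageLoad":
            # Rule 1: OleView.exe loading an unsigned DLL from a non-standard directory.
            if (_name(ev["image"]) == "oleview.exe"
                    and ev.get("signed", "true").lower() != "true"
                    and not ev["loaded"].lower().startswith("c:\\windows\\")):
                alerts.append(("high", "oleview_unsigned_dll", ev["loaded"]))

        elif kind == "ProcessAccess":
            # Rule 2: cross-process injection needs a handle to the target first, so
            # cleanmgr.exe being opened by another process is the visible precursor.
            if _name(ev["target"]) == "cleanmgr.exe":
                opened_targets.add(_name(ev["target"]))
                alerts.append(("medium", "cleanmgr_process_access", ev["source"]))

        elif kind == "DeviceIoControl":
            # Rule 3: IOCTLs to mkssrv from a process seen in rule 2 are high
            # confidence; from any other non-baseline caller they are low severity.
            if ev.get("device", "").lower() == "mkssrv":
                caller = _name(ev["image"])
                if caller in opened_targets:
                    alerts.append(("high", "mkssrv_ioctl_from_injected_process", ev["image"]))
                elif caller not in MKSSRV_BASELINE_CALLERS:
                    alerts.append(("low", "mkssrv_ioctl_unexpected_caller", ev["image"]))

    return alerts


if __name__ == "__main__":
    for severity, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

On the constructed sample the run yields three alerts: the unsigned DLL load, the handle opened to cleanmgr.exe, and the mkssrv IOCTL from that same cleanmgr.exe, while the baseline caller produces nothing. The correlation in rule 3 is what keeps the mkssrv rule from being noisy: a device access alone is weak evidence, but the same process having just been opened by an unrelated executable is the pattern the record describes.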

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.