A new method for bypassing User Account Control (UAC) in Windows 10 has been described in detail by security researcher Matt Nelson.
Over the past few months, Nelson has described UAC bypass techniques in detail; this one is very different from the previous ones, since the new method “does not rely on the IFileOperation / DLL hijacking approach.” Because Microsoft binaries auto-elevate due to their manifest, the researcher decided to examine sdclt.exe, the executable associated with the “Backup and Restore” tool in Windows.
In his post, Pierluigi Paganini described Matt Nelson's research. One thing this method does not allow for, however, is parameters, which means that the attacker must put the payload on disk. In addition, the expert published a PoC script to demonstrate the method and explained that the attack can be prevented by setting the UAC level to “Always notify” or by removing the current user from the “Local Administrators” group.
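
The two mitigations named above can be checked on a host with a read-only script. This is an added example, not part of the original article or of Nelson's PoC; the function name `Get-UacBypassExposure` is hypothetical, and the registry values are the standard ones behind the UAC slider in Control Panel.

```powershell
# Added example: audit the two mitigations from the article on the local host.
# Assumes Windows PowerShell 5.1 or later. Read-only; no elevation required.
function Get-UacBypassExposure {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # Map the registry values behind the UAC slider to its positions.
    $level = if ($p.EnableLUA -eq 0) {
        'UAC disabled'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1) {
        'Always notify'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 5 -and $p.PromptOnSecureDesktop -eq 1) {
        'Default'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 5) {
        'Default, no secure desktop'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 0) {
        'Never notify'
    } else {
        # Other policy values exist; report them for manual review.
        "Custom (ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin))"
    }

    # whoami lists every SID in the current token, including BUILTIN\Administrators
    # (S-1-5-32-544) when UAC has filtered it to "deny only" in a non-elevated session,
    # and it also reflects membership inherited through nested groups.
    $inAdmins = [bool]((whoami.exe /groups /fo csv /nh) -match '"S-1-5-32-544"')

    $alwaysNotify = ($level -eq 'Always notify')

    [pscustomobject]@{
        UacLevel              = $level
        AlwaysNotify          = $alwaysNotify
        InLocalAdministrators = $inAdmins
        # True when at least one of the two mitigations from the article is in place.
        Mitigated             = $alwaysNotify -or (-not $inAdmins)
    }
}

Get-UacBypassExposure | Format-List
```

A result with `Mitigated : False` means the session runs as a local administrator with a UAC level other than “Always notify”, which is the configuration the article says the method depends on.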