Security researchers Matt Nelson and Matt Graeber have discovered a unique method of bypassing the Windows User Account Control (UAC) security system on Windows 10 that allows malicious files to execute without alerting users that something unusual has happened.
Their method doesn't rely on a complicated mechanism such as a privileged file copy or code injection; it simply takes advantage of an existing Windows scheduled task that is configured to run with the highest available privileges.
That scheduled task is associated with the Disk Cleanup utility, a built-in Windows app for helping users clean and manage their hard drives. The scheduled task is described as: "Maintenance task used by the system to launch a silent auto disk cleanup when running low on free disk space."
UAC bypass uses basic DLL hijacking technique
The two researchers discovered that when Windows 10 runs this task, it executes the Disk Cleanup app, which copies a set of files into a folder at "C:\Users\<username>\AppData\Local\Temp".
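The weakness described above is that a task running with the highest privileges stages files in a per-user Temp directory that the same user can write to, so a DLL placed there can be picked up by a trusted system binary. The defensive check a practitioner would want is to watch for exactly that pattern in endpoint telemetry: a process whose executable lives under the Windows directory loading a DLL from a user profile's AppData\Local\Temp folder. The script below is an added example written for this article, not code from the researchers or from Microsoft. Its input is a handful of constructed image-load records loosely modelled on the fields of a Sysmon image-load event (`Image`, `ImageLoaded`); the user name, file names and event text are made up for illustration.

```python
import re
from typing import Dict, List

# Constructed image-load records for illustration only (not real telemetry).
# Each record is a single line of key=value pairs; field names loosely follow
# Sysmon's image-load event, but the format itself is an assumption of this example.
SAMPLE_EVENTS = [
    # Benign: Disk Cleanup loading a DLL from the system directory.
    "EventID=7 Image=C:\\Windows\\System32\\cleanmgr.exe "
    "ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    # Suspicious: a system binary loading a DLL from the user's writable Temp folder.
    "EventID=7 Image=C:\\Windows\\System32\\cleanmgr.exe "
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\example.dll",
    # Noise: a user-launched program in Temp loading its own DLL from Temp.
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\installer.exe "
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll",
    # Not an image-load event at all.
    "EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
]

# A DLL path inside any user's AppData\Local\Temp directory (user-writable location).
USER_TEMP_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE
)
# A loading process whose executable lives under the Windows directory.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
# Simple key=value tokenizer; values in these records contain no spaces.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dictionary of fields."""
    return dict(FIELD_RE.findall(line))


def is_hijack_candidate(event: Dict[str, str]) -> bool:
    """True when a trusted system binary loads a DLL from a user-writable Temp dir."""
    if event.get("EventID") != "7":  # only image-load events are relevant
        return False
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    return bool(SYSTEM_DIR_RE.match(image) and USER_TEMP_RE.match(loaded))


def find_hijack_candidates(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the DLL-hijack-from-Temp pattern."""
    return [ev for ev in map(parse_event, lines) if is_hijack_candidate(ev)]


if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"{hit['Image']} loaded {hit['ImageLoaded']} from a user-writable Temp directory")
```

The rule deliberately ignores programs that themselves run out of Temp (the third record), since those generate constant noise; the signal worth alerting on is a binary from the Windows directory, which normally resolves its DLLs from system locations, pulling code from a directory an unprivileged user controls. The same check can be expressed as a SIEM query over whichever image-load source an environment collects.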