From 2017 to 2021, Microsoft disclosed a total of 28 in-the-wild Windows LPE 0days, most of which were Windows kernel LPE vulnerabilities. These vulnerabilities are often used by top-level APT groups and can cause great harm. For security vendors, capturing an in-the-wild Windows kernel LPE 0day is very challenging.
At the beginning of 2020, we made a decision to capture an in-the-wild Windows kernel LPE 0day. In order to achieve it, we studied a large number of historical cases. We then developed an effective Windows LPE vulnerability detection method.
This talk will focus on our story of hunting in-the-wild Windows LPE 0days during 2020 and 2021: why we thought this was possible, how we studied historical cases, how we used what we learned to develop a detection method, and how we continuously improved the method to make it more accurate and effective. Using this method, we successfully captured two in-the-wild Windows LPE 0days and one in-the-wild Windows LPE 1day.
We will also compare the advantages and disadvantages of our method with other vendors' methods, and give some insights into future trends in Windows LPE 0days.