{ "id": "d08ae292-2520-4b1e-8a93-2a87f4f80eaa", "created_at": "2026-04-06T00:11:31.159421Z", "updated_at": "2026-04-10T13:12:14.826413Z", "deleted_at": null, "sha1_hash": "69ccd58be5db5b962fe57fd81ecefe74c981f89c", "title": "ALPC Local PrivEsc - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46052, "plain_text": "ALPC Local PrivEsc - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 14:53:02 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ALPC Local PrivEsc\n Tool: ALPC Local PrivEsc\nNames ALPC Local PrivEsc\nCategory Exploits\nType 0-day\nDescription\n(ESET) On August 27, 2018, a so-called zero-day vulnerability affecting Microsoft Windows\nwas published on GitHub and publicized via a rather acerbic tweet.\nIt seems obvious that this was not part of a coordinated vulnerability disclosure and there was\nno patch at the time this tweet (since deleted) was published to fix the vulnerability.\nIt affects Microsoft Windows OSes from Windows 7 to Windows 10, and in particular the\nAdvanced Local Procedure Call (ALPC) function, and allows a Local Privilege Escalation\n(LPE). LPE allows an executable or process to escalate privileges. In that specific case, it\nallows an executable launched by a restricted user to gain administrative rights.\nInformation\nMalpedia\nLast change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool ALPC Local PrivEsc\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=28800477-058d-4f60-bdab-719858a266dc\nPage 1 of 2\n\nPowerPool [Unknown] 2018  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=28800477-058d-4f60-bdab-719858a266dc\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=28800477-058d-4f60-bdab-719858a266dc\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=28800477-058d-4f60-bdab-719858a266dc" ], "report_names": [ "listgroups.cgi?u=28800477-058d-4f60-bdab-719858a266dc" ], "threat_actors": [ { "id": "62985c5c-6938-4365-8432-29573e99ecf4", "created_at": "2022-10-25T16:07:24.075092Z", "updated_at": "2026-04-10T02:00:04.859737Z", "deleted_at": null, "main_name": "PowerPool", "aliases": [], "source_name": "ETDA:PowerPool", "tools": [ "ALPC Local PrivEsc", "FireMaster", "PowerDump", "PowerSploit", "Quarks PwDump", "SMBExec" ], "source_id": "ETDA", "reports": null }, { "id": "adee5dfb-98d1-488f-969d-48eed28cd7e4", "created_at": "2023-01-06T13:46:38.799427Z", "updated_at": "2026-04-10T02:00:03.105089Z", "deleted_at": null, "main_name": "PowerPool", "aliases": [ "IAmTheKing" ], "source_name": "MISPGALAXY:PowerPool", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434291, "ts_updated_at": 1775826734, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/69ccd58be5db5b962fe57fd81ecefe74c981f89c.pdf", "text": "https://archive.orkl.eu/69ccd58be5db5b962fe57fd81ecefe74c981f89c.txt", "img": "https://archive.orkl.eu/69ccd58be5db5b962fe57fd81ecefe74c981f89c.jpg" } }