{
	"id": "512a4150-276d-47a8-99b2-01c47986de5c",
	"created_at": "2026-04-06T00:08:36.265316Z",
	"updated_at": "2026-04-10T03:37:22.823098Z",
	"deleted_at": null,
	"sha1_hash": "9c0e41c2bf83fbe238139197874e4761f63bf993",
	"title": "Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005 | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85294,
	"plain_text": "Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005 | Microsoft Security Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2017-03-27 · Archived: 2026-04-05 12:52:19 UTC\r\nOn March 14, 2017, Microsoft released security bulletin MS17-013 to address CVE-2017-0005, a vulnerability in\r\nthe Windows Win32k component that could potentially allow elevation of privileges. A report from a trusted\r\npartner identified a zero-day exploit for this vulnerability. The exploit targeted older versions of Windows and\r\nallowed attackers to elevate process privileges on these platforms.\r\nIn this article, we walk through the technical details of the exploit and assess the performance of tactical\r\nmitigations in Windows 10 Anniversary Update—released in August 2016—as well as strategic mitigations like\r\nSupervisor Mode Execution Prevention (SMEP) and virtualization-based security (VBS). We also show how\r\nupcoming Creators Update enhancements to Windows Defender Advanced Threat Protection (Windows Defender\r\nATP) can detect attacker elevation-of-privilege (EoP) activity, including EoP activities associated with the exploit.\r\nTo test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced\r\nattacks, sign up for a free trial.\r\nZero-day elevation-of-privilege exploit\r\nUpon review of its code, we found that this zero-day EoP exploit targets computers running Windows 7 and\r\nWindows 8. The exploit has been created so that it avoids executing on newer platforms.\r\nThe exploit package unfolds in four stages:\r\nStages 1 and 2 – Decryptor and API resolver\r\nTo protect the main exploit code, attackers have encrypted the initial stage PE file using the AES-256 algorithm. To\r\nload code for the next stage, a password must be passed as a parameter to the main entry function. 
Using the\r\nCryptHashData API, the password is used as a key to decrypt the loader for the next stage.\r\nStage 2 acts as an intermediate stage where API resolution is performed. API resolution routines in this stage\r\nresemble how shellcode or position-independent code works.\r\nThe following code shows part of the GetProcAddress API resolution routine. This code appears to obfuscate the\r\nsucceeding payload and stifle analysis.\r\nStage 3 – Avoiding newer platforms\r\nIn stage 3, the exploit package performs environmental checks, specifically to identify the operating system\r\nplatform and version number. The attacker ensures that the exploit code runs on vulnerable systems that have\r\nhttps://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/\r\nPage 1 of 5\n\nfewer built-in mitigations, particularly Windows 7 and Windows 8 devices.\r\nAnalysis of the exploit code reveals targeting of systems running specific versions of Windows:\r\nMajor release version 5\r\nMajor release version 6 and minor version 0, 1, or 2\r\nThese versions map to Windows operating systems between Windows 2000 and Windows 8, notably excluding\r\nWindows 8.1 and Windows 10. Also, upon examination of its architecture-checking routine, we find that the\r\nexploit code targets 64-bit systems.\r\nThe next stage payload is loaded through DLL reflection.\r\nStage 4 – Exploit routine\r\nAfter the environmental checks, the attacker code begins actual exploitation of the Windows kernel vulnerability CVE-2017-0005, resulting in arbitrary memory corruption and privileged code execution.\r\nPALETTE.pfnGetNearestFromPalentry corruption\r\nCode execution in the kernel space is made possible by a corrupted pointer in the\r\nPALETTE.pfnGetNearestFromPalentry function. 
Microsoft security researchers have been closely tracking this\r\nexploitation technique, which is designed to execute code in the kernel courtesy of a malformed PALETTE object.\r\nWe described this relatively old exploit technique, also observed in an unrelated sample used during the Duqu\r\nincident, in a Virus Bulletin 2015 presentation.\r\nThe exploit code calls the native API NtGdiEngBitBlt to trigger a win32k!XLATEOBJ_iXlate function call that\r\nuses the corrupted handler. This passes the control flow to a previously allocated shellcode. As a comparison, the\r\nexploit code in the Duqu 2.0 case used a GetNearestPaletteIndex call from Gdi32.dll to pass execution to the\r\ncorrupt callback handler. This difference clearly indicates that these two exploits are unrelated, despite similarities\r\nin their code—similarities that can be attributed to the fact that these exploitation techniques are well-documented.\r\nThe exploit uses dynamically constructed syscall code snippets to call native Windows APIs.\r\nOnce the shellcode is executed, the exploit uses a common token-swapping technique to obtain elevated,\r\nSYSTEM privileges for the current process. This technique is often observed in similar EoP exploits.\r\nMitigation and detection\r\nAs previously mentioned, this zero-day exploit does not target modern systems like Windows 10. If environmental\r\nchecks in the exploit code are bypassed and it is forced to execute on such systems, our tests indicate that the\r\nexploit would be unable to completely execute, mitigated by additional layers of defenses. 
Let’s look at both the\r\ntactical mitigations—medium-term mitigations designed to break exploitation techniques—as well as the strategic\r\nmitigations—durable, long-term mitigations designed to eliminate entire classes of vulnerabilities—that stop the\r\nexploit.\r\nTactical mitigation – prevention of pfnGetNearestFromPalentry abuse\r\nThe use of PALETTE.pfnGetNearestFromPalentry as a control transfer point has been tracked by Microsoft\r\nsecurity researchers for quite some time. In fact, this method is on the list of tactical mitigations we have been\r\npursuing. In August 2016, with the Windows 10 Anniversary Update, Microsoft released a tactical mitigation\r\ndesigned to prevent the abuse of pfnGetNearestFromPalentry. The mitigation checks the validity of PALETTE\r\nfunction pointers when they are called, ensuring that only a predefined set of functions are called and preventing\r\nany abuse of the structure.\r\nStrategic mitigations\r\nOther than the described tactical mitigation, this exploit could also be stopped in Windows 10 by SMEP, ASLR\r\nimprovements in Windows kernel 64-bit, and virtualization-based security (VBS).\r\nSupervisor Mode Execution Prevention (SMEP)\r\nSMEP is a strategic mitigation feature supported by newer Intel CPUs and adopted since Windows 8.\r\nWith SMEP, bits in the page table entry (PTE) serve as User/Supervisor (U/S) flags that designate the page to be\r\neither in user mode or kernel mode. 
If a user-mode page is called from kernel-mode code, SMEP generates an\r\naccess violation and the system triggers a bug check that halts code execution and reports a security violation.\r\nThis mechanism broadly stops attempts at using user-mode allocated executable pages to run shellcode in kernel\r\nmode, a common method used by EoP exploits.\r\nStrategic mitigations like SMEP can effectively raise the bar for a large pool of attackers by instantly rendering\r\nhundreds of EoP exploits ineffective, including old-school exploitation methods that call user-mode shellcode\r\ndirectly from the kernel, such as the zero-day exploit for CVE-2017-0005.\r\nTo check whether a computer supports SMEP, one can use the Coreinfo tool. The tool uses CPUID instructions to\r\nshow the sets of CPUs and platforms that should support the feature. The following screen shows that the tested\r\nCPU supports SMEP. SMEP is supported on Windows 8 and later.\r\nWindows kernel 64-bit ASLR improvements\r\nAlthough attackers are forced to work harder to create more sophisticated exploits with SMEP, we do know from\r\nstudies shared in security conferences and documented incidents that there are ways to potentially bypass SMEP\r\nmitigation. These bypass mechanisms include the use of kernel ROP gadgets or direct PTE modifications through\r\nread-write (RW) primitives. 
To respond to these foreseeable developments in exploitation techniques, Microsoft\r\nhas provided Windows kernel 64-bit ASLR improvements with the Windows 10 Anniversary Update and has\r\nmade SMEP stronger with randomized kernel addresses, mitigating a bypass vector resulting from direct PTE\r\ncorruption.\r\nVirtualization-based security (VBS)\r\nVirtualization-based security (VBS) enhancements provide another layer of protection against attempts to execute\r\nmalicious code in the kernel. For example, Device Guard blocks code execution in a non-signed area in kernel\r\nmemory, including kernel EoP code. Enhancements in Device Guard also protect key MSRs, control registers, and\r\ndescriptor table registers. Unauthorized modifications of the CR4 control register bitfields, including the SMEP\r\nfield, are blocked instantly.\r\nWindows Defender ATP detections\r\nWith the upcoming Creators Update release, Windows Defender ATP will be able to detect attempts at a SMEP\r\nbypass through CR4 register modifications. Windows Defender ATP will monitor the status of the CR4.SMEP bit\r\nand will report inconsistencies. In addition to this, Windows Defender ATP will detect token-swapping attempts by\r\nmonitoring the state of the token field of a process structure.\r\nThe following screenshot shows Windows Defender ATP catching exploit code performing the token-swapping\r\ntechnique to elevate privileges.\r\nConclusion: Resiliency with mitigation and behavioral detection\r\nThe zero-day exploit for CVE-2017-0005 shied away from newer systems because it would have simply been\r\nstopped and would have only managed to get unnecessary exposure. Attackers are not so much focusing on legacy\r\nsystems but avoiding security enhancements present in modern hardware and current platforms like Windows 10\r\nAnniversary Update. 
While patches continue to provide single-point fixes for specific vulnerabilities, this attacker\r\nbehavior highlights how built-in exploit mitigations like SMEP, the ASLR improvements, and virtualization-based\r\nsecurity (VBS) are providing resiliency.\r\nWindows Defender ATP with Creators Update—now available for public preview—extends defenses further by\r\ndetecting exploit behavior on endpoints. With the upcoming enhancements, Windows Defender ATP could raise\r\nalerts so that SecOps personnel are immediately made aware of EoP activity and can respond accordingly. Read\r\nour previous post about uncovering cross-process injection to learn more about how Windows Defender ATP\r\ndetects sophisticated breach activity.\r\nIn addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively\r\ngathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-\r\n0005 exploit. Comprehensive threat intelligence about activity groups and their attack methods is available to\r\nWindows Defender ATP customers.\r\nWindows Defender ATP is built into the core of Windows 10 Enterprise and can be evaluated free of charge.\r\nMatt Oh\r\nWindows Defender ATP Research Team\r\nTalk to us\r\nQuestions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows\r\nDefender Security Intelligence.\r\nFollow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.\r\nSource: https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/"
	],
	"report_names": [
		"detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005"
	],
	"threat_actors": [
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434116,
	"ts_updated_at": 1775792242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c0e41c2bf83fbe238139197874e4761f63bf993.pdf",
		"text": "https://archive.orkl.eu/9c0e41c2bf83fbe238139197874e4761f63bf993.txt",
		"img": "https://archive.orkl.eu/9c0e41c2bf83fbe238139197874e4761f63bf993.jpg"
	}
}