Introduction
As Microsoft continues to harden the Windows operating system, the upcoming release of Windows 11 (version 25H2) introduces a headline feature known as Administrator Protection. Designed to replace the traditional User Account Control (UAC), this new feature aims to provide a more robust and secure mechanism for managing administrator privileges. However, recent security research from Google Project Zero has shown that even advanced security mechanisms can be susceptible to logic flaws.
For defenders, understanding these vulnerabilities is critical. While the issues have been addressed by Microsoft prior to the official rollout, the techniques used to bypass these controls serve as a vital reminder of the importance of rigorous patch management and the need for defense-in-depth strategies.
Technical Analysis
Administrator Protection represents a significant architectural shift, moving away from the split-token model used by UAC to a more isolated system where administrator rights are only granted on a per-need basis. This isolation is intended to prevent malware from silently gaining high-privilege access without the user's explicit consent.
The Vulnerability
During the Insider Preview builds of Windows 11 25H2, security researchers identified nine separate vulnerabilities within the Administrator Protection feature. The core issue lay in the logic flow handling privilege requests. The researchers discovered methods to manipulate the system into silently approving elevation requests without triggering the intended secure confirmation prompts.
One specific bypass technique involved exploiting the interface between the user mode and the new protection mechanism. By crafting specific requests or manipulating the state of the calling process, an attacker could trick the system into granting full administrator privileges. This constitutes a Privilege Escalation vulnerability, allowing a standard user to completely compromise the local machine.
Affected Systems and Severity
- Affected Product: Windows 11 Insider Preview Builds (leading to 25H2)
- Severity: Critical (Privilege Escalation)
- CVE Status: Specific CVEs were assigned; the issues are patched in the Release Preview builds and the final 25H2 release.
Patch Status
Microsoft worked closely with the researchers to remediate these findings. All nine reported bypasses have been fixed in updates released prior to the general availability of Windows 11 25H2. Organizations must ensure they are running the latest patched version of the OS to be protected against these specific bypass methods.
Defensive Monitoring
To detect potential exploitation attempts of privilege escalation vulnerabilities or to verify that your environment is running the patched builds, security teams should implement the following monitoring rules.
SIGMA Rules
The following SIGMA rules can be deployed to your SIEM to detect suspicious privilege escalation activity or unpatched systems.
---
title: Potential Silent Privilege Escalation via Unusual Parent Process
id: 7d9c8f12-4b5a-4a3c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects attempts to elevate privileges where a non-admin parent process spawns a high-privilege child, indicative of a UAC or Admin Protection bypass.
references:
    - https://attack.mitre.org/techniques/T1548/002/
    - https://projectzero.google/2026/26/windows-administrator-protection.html
author: Security Arsenal
date: 2026-03-01
tags:
    - attack.privilege_escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Sigma generic field; backends map it to Sysmon IntegrityLevel or the 4688 Mandatory Label SID
        IntegrityLevel: 'High'
        ParentImage|endswith:
            - '\explorer.exe'
            - '\cmd.exe'
            - '\powershell.exe'
        User|contains:
            - 'StandardUser' # Placeholder for specific non-admin usernames
    filter_legit:
        CommandLine|contains:
            - '\Windows\System32\'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative tools launched by admins
level: high
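To check the first rule's logic before deploying it, the following added example (not code from the advisory) emulates "selection and not filter_legit" over constructed Security event 4688 records. The 4688 field names are real; the events, the NON_ADMIN_USERS stand-in for the rule's username placeholder, and the parent/child paths are constructed. The caveat it makes visible: 4688 logs the integrity level as a Mandatory Label SID, not a "High" string, so the Sigma field must be mapped before the rule matches anything.

```python
# Added example, not the advisory's code: emulates the first SIGMA rule over constructed 4688 events.
INTEGRITY_LEVELS = {"S-1-16-4096": "Low", "S-1-16-8192": "Medium",
                    "S-1-16-12288": "High", "S-1-16-16384": "System"}  # 4688 Mandatory Label SIDs
USER_SHELLS = ("\\explorer.exe", "\\cmd.exe", "\\powershell.exe")  # ParentImage|endswith
LEGIT_PATH_MARKER = "\\windows\\system32\\"  # mirrors filter_legit (CommandLine|contains)
NON_ADMIN_USERS = {"alice"}  # constructed stand-in for the rule's username placeholder

# Constructed sample events: field names follow event 4688, values are made up.
SAMPLE_EVENTS = [
    {   # standard user's explorer.exe spawns a High-integrity binary from Temp: should fire
        "SubjectUserName": "alice",
        "ParentProcessName": "C:\\Windows\\explorer.exe",
        "NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
        "CommandLine": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe /silent",
        "MandatoryLabel": "S-1-16-12288",
    },
    {   # same user, Medium-integrity child: normal activity, must not fire
        "SubjectUserName": "alice",
        "ParentProcessName": "C:\\Windows\\explorer.exe",
        "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "\"C:\\Windows\\System32\\notepad.exe\"",
        "MandatoryLabel": "S-1-16-8192",
    },
    {   # High-integrity child launched from System32 by cmd.exe: suppressed by filter_legit
        "SubjectUserName": "alice",
        "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
        "NewProcessName": "C:\\Windows\\System32\\mmc.exe",
        "CommandLine": "C:\\Windows\\System32\\mmc.exe eventvwr.msc",
        "MandatoryLabel": "S-1-16-12288",
    },
]

def is_silent_elevation(event):
    """Return True when the event matches the rule's 'selection and not filter_legit'."""
    parent = event["ParentProcessName"].lower()
    selection = (
        INTEGRITY_LEVELS.get(event["MandatoryLabel"]) == "High"   # map SID -> level first
        and parent.endswith(USER_SHELLS)
        and event["SubjectUserName"].lower() in NON_ADMIN_USERS
    )
    filter_legit = LEGIT_PATH_MARKER in event["CommandLine"].lower()
    return selection and not filter_legit

def find_silent_elevations(events):
    """Return the NewProcessName of every event the rule would alert on."""
    return [e["NewProcessName"] for e in events if is_silent_elevation(e)]
```

Feed real 4688 exports through find_silent_elevations to see how noisy the System32 filter is in your environment before tuning the rule.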
---
title: Potential Administrator Protection Bypass via Token Manipulation
id: 8e0d9a23-1c72-4e3a-b8c5-2d2f3b4c5d6f
status: experimental
description: Detects process creation patterns consistent with Administrator Protection bypass attempts such as token manipulation or UAC bypass techniques.
references:
    - https://msrc.microsoft.com/
    - https://attack.mitre.org/techniques/T1548/002/
author: Security Arsenal
date: 2026-03-01
tags:
    - attack.privilege_escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'fodhelper.exe'
            - 'eventvwr.exe'
            - 'sdclt.exe'
        ParentImage|endswith:
            - '\explorer.exe'
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection
falsepositives:
    - Legitimate administrative automation
level: high
KQL Queries (Microsoft Sentinel)
Use these KQL queries to hunt for suspicious process elevation or verify OS build compliance.
// Hunt for suspicious high-integrity processes spawned from explorer.exe
// DeviceProcessEvents carries ProcessIntegrityLevel (and ProcessTokenElevation); there is no IsElevated column
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe")
| where ProcessIntegrityLevel == "High"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessTokenElevation, InitiatingProcessFolderPath, SHA256

// Check device compliance for Windows 11 25H2 updates
// OSPlatform values are e.g. "Windows11", and OSBuild is already numeric; keep only the latest report per device
DeviceInfo
| where OSPlatform startswith "Windows"
| summarize arg_max(Timestamp, *) by DeviceId
| where OSBuild < 26100 // Adjust build number based on patch release
| project DeviceName, OSPlatform, OSVersion, OSBuild, LastSeen = Timestamp
Velociraptor VQL
These VQL artifacts can be used to hunt for endpoint vulnerabilities and suspicious process lineage.
-- Hunt for high integrity processes spawned from common user shells
-- pslist() exposes Ppid and TokenIntegrityLevel but no Parent object, so the
-- shell PIDs are collected first and the child list is filtered on Ppid
LET shells <= SELECT Pid, Name FROM pslist()
  WHERE Name =~ '(?i)^(explorer|cmd|powershell)[.]exe$'

SELECT Pid, Ppid, Name, CommandLine, Username, TokenIntegrityLevel
FROM pslist()
WHERE TokenIntegrityLevel = 'High'
  AND Ppid IN shells.Pid
  AND NOT Name IN ('winlogon.exe', 'services.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe')

-- Identify OS build to verify patch status
-- info() does not expose the build number; read it from the CurrentVersion registry key instead
SELECT DisplayVersion, CurrentBuild, UBR
FROM read_reg_key(globs='HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion')
WHERE int(int=CurrentBuild) < 26100 -- Adjust for the specific patched build
PowerShell Remediation
This script can be used to audit devices for the correct Windows build.
# Check if the system is running the patched version of Windows 11 25H2
$CurrentBuild = [System.Environment]::OSVersion.Version.Build
$RequiredBuild = 26100 # Update this value based on official Microsoft guidance

if ($CurrentBuild -ge $RequiredBuild) {
    Write-Output "System is patched. Build: $CurrentBuild"
} else {
    Write-Output "WARNING: System is potentially vulnerable. Build: $CurrentBuild (Required: $RequiredBuild)"
}
Remediation
To protect your organization against these vulnerabilities:
- Patch Management: Ensure all Windows 11 endpoints are updated to the latest version of the 25H2 release. Microsoft has patched these vulnerabilities in the final release builds and cumulative updates.
- Insider Builds: Audit your environment for machines running Windows 11 Insider Preview builds. These should be updated to the latest stable channel or strictly controlled in a lab environment.
- Least Privilege: Continue to enforce the principle of least privilege. Administrator Protection is a defense-in-depth measure, not a replacement for removing local admin rights where unnecessary.
- Audit Logs: Ensure that Security auditing is enabled for Process Creation and Privilege Use to detect future bypass attempts.