The new Belkasoft Triage T release is focused on obtaining administrative rights when you are logged in as a non-privileged user.
During an on-site investigation or while responding to a cyber incident, it may not be possible to run your tools as an administrator. This presents a number of limitations:
- You cannot make a proper memory (RAM) dump, since this typically requires loading a kernel-mode driver and thus administrative rights (note: you can still make a user-mode dump, which is better than nothing)
- You cannot analyze folders of users other than your current one
- You cannot obtain some information or copy files locked by the system
With the help of the new version of Belkasoft T, you can try to elevate your rights from those of a standard user to those of an administrator by exploiting methods available on the following versions of Microsoft Windows:
- Windows 10 1803: all builds up to 17134.1967 (included), before the update on Feb 9, 2021
- Windows 10 1809: all builds up to 17763.1728 (included), before the update on Feb 9, 2021
- Windows 10 1903: all builds
- Windows 10 1909: all builds up to 18363.1350 (included), before the update on Feb 9, 2021
- Windows 10 2004: all builds up to 19041.789 (included), before the update on Feb 9, 2021
- Windows 10 20H2: all builds up to 19042.789 (included), before the update on Feb 9, 2021
Our new version of Belkasoft T automatically detects when you are running under a non-privileged user account and, if the system being investigated matches one in the list above, will enable you to elevate your privileges.
You will have two options: to attempt to obtain elevated user rights or to continue with the current user rights. If you choose elevation, the tool will attempt to obtain administrator rights and re-run itself with them. Administrator rights will enable you to gather a significantly larger volume of information.
Apart from the privilege escalation, the new version of the tool has updates for multiple artifacts, which were also updated in Belkasoft X. The list of updated artifacts is available here.