Microsoft Windows allows for the automatic loading of a
profiling COM object during the launch of a CLR process based on
certain environment variables ostensibly to monitor execution. In
this case, the authors abuse the profiler by pointing to a payload
DLL that will be launched as the profiling thread. This thread will
run at the permission level of the calling process, so an
auto-elevating process will launch the DLL with elevated
permissions. In this case, they use gpedit.msc as the auto-elevated
CLR process, but others would work, too.
Read more https://packetstormsecurity.com/files/155404/bypassuac_dotnet_profiler.rb.txt
