16. Windows PrivEsc

• Security Identifier (SID)

• Access tokens

• Mandatory Integrity Control

• User Account Control

• each local user/group has SID

• each domain user/group has SID

• used to check authorization

“S-R-X-Y“

• R is revision, always 1

• X is identifier authority, usually 5 -> NT Authority issued SID

• Y is RID (ID of group/user)

  • RID < 1000: built-in users/groups

• a logged in user has a access token, which contiains SIDs and more

  • sometimes called security context

• each process/thread started by a user is assinged with this token -> primary token

• can be assigned to threads

• the thread might have another security context than its process

• windows maintains different levels of “integrity” -> it a access hierachy:

  • integrity levels are inherited (e.g. processes obtain the level of the user)

  • Objects with lower integrity can not write to objects with higher integrity

  • Integrity levels can prevent an process to access an object even though its SIDs would allow access

• Starting in Windows Vista, we have the following levels:

  • System (kernel,…)

  • High (Elevated users)

  • Meidum (Standard users)

  • Low (Sandboxed processes)

• protecting os because most processes are started with standard user privileges (even though admins launched it)

• admins have two access tokens

  • filtered admin token: standard privileges

  • admin token: used if user wants to perform privileged operation -> UAC prompt to enter password

• PowerShell Transcirption (“over the shoulder looking logs”

• PowerShell Script Block Logging

• this cmdlet only clears the history of the current user

• if PSReadlin is active, those logs are still accesible…

• long-running background executable

• managed by the service control manager

• each service has certian permissions (can be defined by the user starting the service)

• binary of service can be overwritten

• after restart/reboot the malicious binary is executed

• DLL of service is writeable

• after restart/update the malicious DLL is executed

• MS implements a specific order, where DLLs are searched

• Exe files sometimes load missing DLLs. This does not always break the execution but only limit its functionality

  • in such a case, the attacker can place a malicious DLL in any of the deinfed DLL search paths

Assume services starts exe at:

C:\Program Files\My Program\My Service\service.exe

If the path in the service definintion is not in quotes and contains whitespaces, the following logic is used to find the exe:

• C:\Program.exe

• C:\Program Files\My.exe

• C:\Program Files\My Program\My.exe

• C:\Program Files\My Program\My service\service.exe

• run if tiggers are hit

  • e.g. time, os event, …

• important for priv esc:

  • who runs the task?

  • what are the triggers?

  • what actions are executed?

• named pipes: method for local/remote inter process communication

  • server creates named pipe

  • client connects to named pipe

  • server process can impersonate the client if privilege is set

• Exploit:

  • trick privileged proccess into connecting as a client to an attacker-controlled named pipe

  • impersonate the client -> obtain token for privileged process