Windows mechanisms of Access Control
Security Identifier (SID)
Access tokens
Mandatory Integrity Control
User Account Control
SIDs
each local user/group has SID
each domain user/group has SID
used to check authorization
"S-R-X-Y"
R is the revision, always 1
X is the identifier authority, usually 5 -> SID issued by NT Authority
Y is the RID (relative identifier of the user/group)
RID < 1000: built-in users/groups
Access token (security context) of a user
a logged-in user has an access token, which contains SIDs and more
sometimes called security context
each process/thread started by a user is assigned this token -> primary token
Impersonation token
can be assigned to threads
the thread might have another security context than its process
Windows maintains different levels of "integrity" -> it is an access hierarchy:
integrity levels are inherited (e.g. processes obtain the level of the user)
Objects with lower integrity can not write to objects with higher integrity
Integrity levels can prevent a process from accessing an object even though its SIDs would allow access
Starting in Windows Vista, we have the following levels:
System (kernel,…)
High (Elevated users)
Medium (Standard users)
Low (Sandboxed processes)
User Account Control (UAC)
protects the OS: most processes are started with standard user privileges, even when an admin launched them
admins have two access tokens
filtered admin token: standard privileges
admin token: used if the user wants to perform a privileged operation -> UAC prompt to enter password
PowerShell logging
PowerShell Transcription ("over the shoulder" logs)
PowerShell Script Block Logging
Clear-History
this cmdlet only clears the history of the current user
if PSReadLine is active, its history logs are still accessible…
Windows service
long-running background executable
managed by the service control manager
each service has certain permissions (can be defined by the user starting the service)
Service Binary Hijacking
binary of service can be overwritten
after restart/reboot the malicious binary is executed
Service DLL Hijacking
DLL of service is writeable
after restart/update the malicious DLL is executed
DLL search order
MS implements a specific order, where DLLs are searched
Exe files sometimes try to load DLLs that are missing. This does not always break execution; it may only limit functionality
in such a case, the attacker can place a malicious DLL in any of the defined DLL search paths
Unquoted service paths
Assume a service starts an exe at:
C:\Program Files\My Program\My Service\service.exe
If the path in the service definition is not in quotes and contains whitespace, the following logic is used to find the exe:
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My Service\service.exe
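To audit this, the resolution logic above can be replayed offline against a list of service binary paths. The following is an added example (not part of the original notes); the service names and paths are constructed, and the candidate list follows the page's described logic (split at each space, append .exe where no extension is present).

```python
import ntpath

# Constructed sample service definitions (hypothetical, not from a real host).
SAMPLE_SERVICES = {
    "MyService": r"C:\Program Files\My Program\My Service\service.exe",
    "QuotedSvc": r'"C:\Program Files\My Program\My Service\service.exe"',
    "NoSpaces": r"C:\Windows\System32\svchost.exe",
}


def service_path_candidates(image_path: str) -> list[str]:
    """Return the executables tried, in order, for a service binary path."""
    path = image_path.strip()
    if path.startswith('"'):
        # Quoted path: taken verbatim, so there is exactly one candidate.
        return [path.split('"')[1]]
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        # A prefix without an extension gets .exe appended (C:\Program -> C:\Program.exe).
        if not ntpath.splitext(candidate)[1]:
            candidate += ".exe"
        candidates.append(candidate)
    return candidates


def is_unquoted_path_risk(image_path: str) -> bool:
    """True when more than one executable location would be tried."""
    return len(service_path_candidates(image_path)) > 1


def audit_services(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each risky service to the directories whose write ACLs must be reviewed.

    Every candidate except the real binary lives in one of these directories;
    if a non-admin can write there, the service is hijackable.
    """
    findings = {}
    for name, image_path in services.items():
        cands = service_path_candidates(image_path)
        if len(cands) > 1:
            findings[name] = sorted({ntpath.dirname(c) for c in cands[:-1]})
    return findings


if __name__ == "__main__":
    for svc, dirs in audit_services(SAMPLE_SERVICES).items():
        print(f"{svc}: check write permissions on {dirs}")
```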
Scheduled Tasks
run when triggers fire
e.g. time, os event, …
important for priv esc:
who runs the task?
what are the triggers?
what actions are executed?
SeImpersonatePrivilege
named pipes: method for local/remote inter-process communication
server creates named pipe
client connects to named pipe
server process can impersonate the client if privilege is set
Exploit:
trick a privileged process into connecting as a client to an attacker-controlled named pipe
impersonate the client -> obtain token for privileged process