Hunting for Privilege Escalation in Windows Environment

Teymur Kheirkhabarov
Head of SOC R&D at Kaspersky Lab
• Threat Hunter
• Big fan of ELK stack
• Zero Nights / PHDays speaker
• Ex-System Admin
• Ex-Infosec Admin
• Ex-Infosec dept. Head
• Twitter @HeirhabarovT
What are we going to talk about?

Privilege escalation is the result of actions that allow an adversary to obtain a higher level
of permissions on a system or network.

We will look at different methods of local privilege escalation in a Windows environment and
how to detect them via logs.
Theory
Theory. Access token

An access token is an object that describes the security context of a process or thread.
It is created during logon and never changes* after creation (* privileges already present in the
token can be enabled or disabled and the integrity level can be lowered, but nothing can be added).
Token contains:
• User SID
• Group SIDs / Restricted group SIDs
• Integrity level (Mandatory label)
• Logon Session SID
• Token type (primary or impersonation)
• Impersonation level
• User privileges list
• Other
Theory. Mandatory integrity control
Default mandatory policy for all objects: No-Write-Up
Default mandatory policy for processes: No-Write-Up + No-Read-Up
Default implicit integrity level for files – Medium

IL         Usage                                                                          IL SID
Untrusted  Anonymous                                                                      S-1-16-0
Low        Everyone. Used by Protected Mode of Internet Explorer                          S-1-16-4096
Medium     Used by normal applications being launched while UAC is enabled                S-1-16-8192
High       Privileged users (if UAC enabled) or all authenticated users (if UAC disabled)  S-1-16-12288
System     LocalSystem, NetworkService, LocalService                                      S-1-16-16384
Theory. Authorization and privilege escalation

The subject's access token (user SID, group SIDs, privileges, integrity level) is checked against the
object's security descriptor (owner SID, group SID, DACL, SACL – the object's integrity level is stored
in the SACL):

1. Mandatory Integrity Control – is access granted by the integrity policy? If NO: access denied.
2. Discretionary Access Control – is access granted by the DACL? If NO: access denied.

An "access denied" outcome can be bypassed using special privileges (Debug, Restore, Backup, Take Ownership).
Stored Credentials
Stored Credentials. Files

After an unattended OS installation, sysprep / unattend answer files may be left on the system.
These answer files can contain credentials of privileged local accounts (e.g. Administrator). In the
XML answer files (sysprep.xml, Unattend.xml) the password is protected only by Base64 "encryption":
• C:\sysprep\sysprep.xml
• C:\sysprep\sysprep.inf
• C:\sysprep.inf
• C:\unattend.xml
• C:\Windows\Panther\Unattend.xml
• C:\Windows\Panther\Unattend\Unattend.xml
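Added example (not part of the deck): what the Base64 "encryption" of an answer file amounts to. Per Microsoft's documented convention, when PlainText is false the Value is the password with the element name appended ("Password" for AutoLogon, "AdministratorPassword" for UserAccounts), UTF-16LE encoded and then Base64 encoded. The answer file below is constructed, and the two secrets in it are made up; the extractor walks any unattend-style XML and recovers the plaintext. This is exactly what makes a fake Unattend.xml an attractive honeyfile.

```python
import base64
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"


def encode_unattend_password(password: str, element: str) -> str:
    """Produce the <Value> Windows Setup expects when <PlainText> is false:
    password + element name ("Password" / "AdministratorPassword"), UTF-16LE,
    then Base64. Obfuscation, not encryption: no key is involved."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode("ascii")


def decode_unattend_password(value: str, element: str) -> str:
    """Reverse of encode_unattend_password(); raises if the suffix is missing."""
    plain = base64.b64decode(value).decode("utf-16-le")
    if not plain.endswith(element):
        raise ValueError("unexpected suffix, not a %s value" % element)
    return plain[: -len(element)]


def extract_unattend_passwords(xml_text: str) -> dict:
    """Return {"<Parent>/<Element>": password} for every *Password element that
    carries <Value>/<PlainText> children, decoding the Base64 form when needed."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = {}
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]            # strip the XML namespace
        if not tag.endswith("Password"):
            continue
        value = elem.find("{%s}Value" % NS)
        plain = elem.find("{%s}PlainText" % NS)
        if value is None or plain is None or value.text is None:
            continue
        parent_tag = parent_of[elem].tag.split("}")[-1]
        secret = value.text.strip()
        if (plain.text or "").strip().lower() == "false":
            secret = decode_unattend_password(secret, tag)
        found[parent_tag + "/" + tag] = secret
    return found


# Constructed answer file (not one of the deck's screenshots); the secrets are
# made up and encoded with the routine above so the example is self-consistent.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>%s</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>%s</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
""" % (encode_unattend_password("Sup3rSecret!", "Password"),
       encode_unattend_password("Adm1nP@ss", "AdministratorPassword"))


if __name__ == "__main__":
    for where, pwd in extract_unattend_passwords(SAMPLE_UNATTEND).items():
        print(where, "->", pwd)
```

Running the block prints both recovered passwords. Group Policy Preferences cpassword values are a different case (AES with a published key, shown in the next section) and are not handled here.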
Stored Credentials. Files. Group Policy Preferences
Group Policy Preferences allow domain admins to create and deploy local users and local administrator
accounts across the domain. When this feature is used, policy preference files are created. These files
are located in the SYSVOL share, and any authenticated user in the domain has read access to them,
because read access is needed to obtain group policy updates.
Policy preference files contain encrypted passwords… But the AES key is hardcoded and
published by Microsoft 

Policy preference files are located:
• C:\ProgramData\Microsoft\Group Policy\History\????\Machine\Preferences\Groups\Groups.xml
• \\????\SYSVOL\\Policies\????\Machine\Preferences\Groups\Groups.xml

Several other policy preference files can also contain credentials:
• Services\Services.xml
• ScheduledTasks\ScheduledTasks.xml
• Printers\Printers.xml
• Drives\Drives.xml
• DataSources\DataSources.xml
Stored Credentials. Files. Group Policy Preferences

(Screenshot: AES decryption routine applied to a cpassword value, recovering the password "test")
Stored Credentials. Files. Let's hunt it!
Deception-like approach – use fake files with fake credentials and monitor accesses to these files.

(Screenshots: fake Unattend.xml; fake policy preference file)
Stored Credentials. Files. Let's hunt it!

Search for accesses to the fake files with stored credentials (Security event 4663 with ReadData
access, %%4416; the events only appear if object access auditing is enabled and the fake files carry
a SACL that audits read access):

event_id:4663 AND event_data.AccessList:"*%%4416*" AND event_data.ObjectName:("\\{641ECF7F-6AC4-4A63-BF85-DFDE140E9F89}\\Machine\\Preferences\\Groups\\Groups.xml" "\\Panther\\Unattend.xml")

(Screenshot: 4663 events for the fake files with credentials)


Stored Credentials. Registry

Adversaries may query the Registry looking for credentials and passwords that have been
stored for use by other programs or services.
For example, these credentials can be used for automatic logon.

The idea behind Windows Auto Logon is that the user specified in DefaultUserName (under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, together with DefaultPassword)
can log on to a computer without having to type the password.
Stored Credentials. Files/registry. Let's hunt it!
Deception-like approach – use fake files with fake credentials.
Monitor unsuccessful authentication attempts with the fake credentials.

(Screenshots: fake Groups.xml with a fake admin account; unsuccessful authentication attempts with
the fake account)
Stored Credentials. Files/registry. Let's hunt it!
Search for unsuccessful authentication attempts with the fake account (the one specified in the
fake file with stored credentials):
(event_id:(4625 OR 4648) OR (event_id:4776 AND -event_data.Status:0x0)) AND
event_data.TargetUserName:FakeAccountUserName

(Screenshots: destination computer – inbound unsuccessful logon attempt with the fake account;
source computer – outbound logon attempt with the fake account)
Tricking some privileged processes into executing arbitrary code
Service registry permissions weakness
Windows stores local service configuration information in the Registry under
HKLM\SYSTEM\CurrentControlSet\Services.
If the permissions on a service's Registry key are not properly set and allow write access to
ordinary users or groups, adversaries can change the service ImagePath, FailureCommand or ServiceDll
to point to a different executable under their control.

1. Find writeable registry keys for services, using AccessChk
2. Change ImagePath
3. Restart the service
Service registry permissions weakness. Let's hunt it!
Events related to changing Services registry keys by non-privileged users.

(Screenshot: Medium IL shows that the process is not elevated. Note that an administrator running under
UAC also gets a Medium IL token, so Medium IL means "non-elevated", not necessarily "non-admin".)
Service registry permissions weakness. Let's hunt it!
Search for usage of reg or PowerShell by non-privileged users to modify service
configuration in the registry:

event_id:1 AND event_data.IntegrityLevel:Medium AND
((event_data.CommandLine:*reg* AND event_data.CommandLine:*add*) OR
 (event_data.CommandLine:*powershell* AND event_data.CommandLine:("*set-itemproperty*" "* sp *" "*new-itemproperty*"))) AND
event_data.CommandLine:(*ControlSet* AND *Services*) AND
event_data.CommandLine:(*ImagePath* *FailureCommand* *ServiceDll*)

(Screenshot: Medium IL shows that the process is not elevated)
Service registry permissions weakness. Let's hunt it!
Search for changing Services registry keys by non-privileged users (Sysmon event 13; IntegrityLevel
is not in event 13 itself, it is fetched from the process cache):
source_name:"Microsoft-Windows-Sysmon" AND event_id:13 AND event_data.IntegrityLevel:Medium AND
event_data.TargetObject:(*ControlSet* AND *services*) AND event_data.TargetObject:("\\ImagePath"
"\\FailureCommand" "\\ServiceDll")

(Screenshot: Logstash filter – get from memcached / save to memcached)
Cache information about started processes
Using the Logstash memcached filter we can cache some information about started processes
for further enrichment of other events:
• Integrity Level
• User
• Command line
• Parent Image

(Screenshots: building the information block for caching; saving the previously built information
block in the cache – the key is the concatenation of ProcessGuid and computer_name)
Enrich Sysmon events with additional information about the process
Add additional information from the cache that is available only in the Process Creation event (User, IL…).

(Screenshots: get information from the cache; enrich the event; result of enrichment with information
about the process)
Enrich Sysmon process creation events with information about the parent process
Get previously cached information about the parent process from the cache to enrich process creation events.

(Screenshots: get information from the cache; enrich the event; result of enrichment with information
about the parent process)
Service permissions weakness
A service is an operating system object. Like any object it has a DACL. Sometimes it is possible to
discover services that run with SYSTEM privileges and don't have appropriate permissions.
Adversaries can use this to elevate privileges by changing the service binary path (binPath) or failure
command to point to a different executable under their control. It can be done via the SCM API
(ChangeServiceConfig / ChangeServiceConfig2) or using the sc.exe utility.

1. Discover a service with weak permissions, using AccessChk
2. Change the service binPath
3. Restart the service
Service permissions weakness. Let's hunt it!
Events related to usage of the sc utility by non-privileged users to change service configuration.

(Screenshots: usage of sc to change the service binPath; usage of sc to restart the service; Medium IL
shows that the process is not elevated)
Service permissions weakness. Let's hunt it!
Search for usage of sc by a non-privileged user to change the service binPath or failure command:

source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.IntegrityLevel:Medium AND
event_data.Image:"\\sc.exe" AND ((event_data.CommandLine:*config* AND event_data.CommandLine:*binPath*)
OR (event_data.CommandLine:*failure* AND event_data.CommandLine:*command*))

(Screenshot: Medium IL shows that the process is not elevated)
Unquoted service path
When a service is started, the OS has to find its executable. If the executable path is enclosed in
quotes, there is no question about where to find it. But if the path contains spaces and isn't
surrounded by quotes, the OS tries each prefix of the path that ends at a space, in turn, until it
finds an executable: the part up to the space is treated as the file name (with .exe appended when
there is no extension), and the remaining part as command line arguments.

(Screenshots: finding the service executable; a path with spaces that isn't surrounded by quotes)
Unquoted service path. Exploitation

1. Find a vulnerable service
2. Check rights for the folders in the path
3. Drop an executable named after the part of the folder name before the space, and restart the service
Unquoted service path. Let's hunt it!
Execution after the attack
(Screenshot: the Image is the path to the dropped executable; the cut-off rest of the original path
shows up as command line arguments)
Unquoted service path. Let's hunt it!
Search for process creation events where the parent is "services.exe", the beginning of the command
line in quotes doesn't end with an extension and is the same as the image path without extension,
and the cut-off part of the file path is on the right side of the command line (after the part in quotes):

{"bool":{"must":[
  {"query_string":{"query":"event_id:1 AND event_data.ParentImage:\"*\\\\services.exe\" AND event_data.Image.keyword:*exe AND event_data.CommandLine.keyword:/.*\\\\[\\\\a-zA-Z]+\\\"( |).+/ AND -event_data.CommandLine:(*svchost* *msiexec* *schtasks* *rundll32*)"}},
  {"script":{"script":"if (!doc[\"event_data.CommandLine.keyword\"].empty && !doc[\"event_data.Image.keyword\"].empty) { String file_path_stripped = doc[\"event_data.Image.keyword\"].value.toLowerCase().replace(\".exe\",\"\"); String[] filecmdline_parts = /\"\\s/.split(doc[\"event_data.CommandLine.keyword\"].value.toLowerCase()); if (filecmdline_parts.length >= 2 && filecmdline_parts[1].contains(\"\\\\\")) { if (filecmdline_parts[0].substring(1) == file_path_stripped) { return true; } } return false; }"}}
]}}
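Added example (not part of the deck) covering both sides of the unquoted service path slides: the candidate list Windows walks for an unquoted ImagePath (the attacker's view, which is what the "check rights for the folders in the path" step is about) and the deck's Painless check rewritten in Python (the defender's view). All paths, the writable-directory list and the Sysmon samples are constructed; in practice the writable directories come from accesschk/icacls.

```python
import re

EXE_RE = re.compile(r"\.exe$", re.I)


def unquoted_search_candidates(image_path: str):
    """Return [(executable_tried, remaining_arguments), ...] in the order Windows
    tries them for an unquoted ImagePath: every prefix that ends at a space is
    treated as the program name (".exe" appended when there is no extension)
    and the rest of the line as its arguments. A quoted path is unambiguous."""
    if image_path.startswith('"'):
        end = image_path.index('"', 1)
        return [(image_path[1:end], image_path[end + 1:].strip())]
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        exe = prefix if EXE_RE.search(prefix) else prefix + ".exe"
        candidates.append((exe, " ".join(tokens[i:])))
        if EXE_RE.search(prefix):          # the real binary: the search stops here
            break
    return candidates


def hijack_points(image_path: str, writable_dirs):
    """Candidates an attacker could plant, given the directories they can write to.
    Only candidates tried before the real binary matter."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    cands = unquoted_search_candidates(image_path)[:-1]
    return [exe for exe, _ in cands if exe.rsplit("\\", 1)[0].lower() in writable]


def unquoted_path_hit(parent_image: str, image: str, command_line: str) -> bool:
    """The deck's detection logic: a child of services.exe whose quoted command-line
    head equals the image path minus ".exe", while the remainder (the cut-off tail
    of the real path) still contains a backslash."""
    if not parent_image.lower().endswith("\\services.exe"):
        return False
    stripped = image.lower().replace(".exe", "")
    parts = re.split(r'"\s', command_line.lower())
    return len(parts) >= 2 and "\\" in parts[1] and parts[0][1:] == stripped


# Constructed Sysmon process-creation samples (ParentImage, Image, CommandLine):
# the first is what execution after the attack looks like, the others are benign.
SAMPLES = [
    (r"C:\Windows\System32\services.exe", r"C:\Program Files\Vuln.exe",
     r'"C:\Program Files\Vuln" App\vulnsvc.exe -config c:\conf'),
    (r"C:\Windows\System32\services.exe", r"C:\Program Files\Vuln App\vulnsvc.exe",
     r'"C:\Program Files\Vuln App\vulnsvc.exe" -config c:\conf'),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
]


def hunt(samples=SAMPLES):
    """Images of the sample events that match the unquoted-path pattern."""
    return [img for parent, img, cmd in samples if unquoted_path_hit(parent, img, cmd)]


if __name__ == "__main__":
    path = r"C:\Program Files\Vuln App\vulnsvc.exe -config c:\conf"
    for exe, args in unquoted_search_candidates(path):
        print("try:", exe, "| args:", args)
    print("plantable:", hijack_points(path, [r"C:\Program Files"]))
    print("hits:", hunt())
```

The second sample shows why the check compares the image minus ".exe": a legitimately quoted path keeps its extension inside the quotes, so the head never equals the stripped image even when the arguments contain a backslash.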
Modifiable service binary
If the user has permission to write into the folder where the service binary is located (or to the
binary itself), it is possible to just replace the binary with a custom payload and then restart the
service in order to escalate privileges.

1. Find a service with a writable binary
2. Replace the binary and restart the service
Modifiable service binary. Let's hunt it!
A non-privileged process (1) drops an executable (2), which is then executed as a service with
SYSTEM rights (3).

(Screenshots: replacing the service binary using xcopy; the file modified by the non-privileged user
is launched as a service under SYSTEM; Medium IL shows that the process isn't privileged)
Modifiable service binary. Let's hunt it!
Search for dropping of files into the Windows / "Program Files" folders by non-privileged processes
(Sysmon event 11; IntegrityLevel is fetched from the process cache):

source_name:"Microsoft-Windows-Sysmon" AND event_id:11 AND event_data.IntegrityLevel:Medium
AND (event_data.TargetFilename:("\\Program Files\\" "\\Program Files (x86)\\") OR
event_data.TargetFilename.keyword:/.\:\\[W|w][I|i][N|n][D|d][O|o][W|w][S|s]\\.*/) AND
-event_data.TargetFilename:(*temp*)

(Screenshot: Logstash filter – get from memcached)
Modifiable service binary. Let's hunt it!
Search for execution as a service, with SYSTEM rights, of a file that was dropped by a non-privileged user:

source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.ParentImage:"\\services.exe" AND
event_data.User:"NT AUTHORITY\\SYSTEM" AND event_data.ImageModifierIntegrityLevel:Medium

(Screenshots: key for getting information about the dropped file from the cache; key for caching
information about the dropped file)
Caching information about modified/created executables
1. Calculating the file path fingerprint
2. Caching information about the file modifier
Enrich events with information about the last modifier
1. Calculating the file path fingerprint
2. Obtaining information from the cache
3. Enriching the event with information about the last modifier
Enrich events with information about the last modifier
Using the Logstash memcached filter it is possible to cache information about created files for
further enrichment of other events:

(Screenshot: example of enrichment with information about the last file modifier)
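Added example (not the deck's Logstash configuration) that serves both the "Cache information about started processes" / "Enrich Sysmon events" slides and the "Caching information about modified/created executables" / "last modifier" slides: the same two-cache enrichment, implemented over in-memory dicts standing in for memcached, run on a constructed stream of Sysmon events. The key for processes is the deck's ProcessGuid + computer_name; the "file path fingerprint" is an assumption (a hash of the normalised path per host). The three rules at the end are the deck's later queries (modifiable service binary, token stealing/swapping, generic user-differs-from-parent detector) expressed over the enriched fields.

```python
import hashlib

SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed Sysmon events, flattened from the event_data.* layout used by the
# deck's queries (GUIDs shortened). Order matters: the caches are filled as
# events arrive, exactly as in a streaming Logstash pipeline.
EVENTS = [
    {"event_id": 1, "computer_name": "WS01", "ProcessGuid": "{S}", "ParentProcessGuid": "{W}",
     "Image": r"C:\Windows\System32\services.exe", "User": SYSTEM, "IntegrityLevel": "System"},
    {"event_id": 1, "computer_name": "WS01", "ProcessGuid": "{A}", "ParentProcessGuid": "{X}",
     "Image": r"C:\Windows\System32\cmd.exe", "User": "CORP\\alice", "IntegrityLevel": "Medium"},
    # alice's unelevated cmd.exe overwrites a service binary (event 11 carries no User/IL)
    {"event_id": 11, "computer_name": "WS01", "ProcessGuid": "{A}",
     "TargetFilename": r"C:\Program Files\Vuln Svc\svc.exe"},
    # services.exe later starts that binary as SYSTEM
    {"event_id": 1, "computer_name": "WS01", "ProcessGuid": "{B}", "ParentProcessGuid": "{S}",
     "Image": r"C:\Program Files\Vuln Svc\svc.exe", "User": SYSTEM, "IntegrityLevel": "System"},
    # alice's cmd.exe spawns a SYSTEM child directly (token stealing / swapping)
    {"event_id": 1, "computer_name": "WS01", "ProcessGuid": "{C}", "ParentProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\whoami.exe", "User": SYSTEM, "IntegrityLevel": "System"},
]

PROC_FIELDS = ("User", "IntegrityLevel", "Image")


def process_key(computer, guid):
    # Same key as the deck: ProcessGuid concatenated with computer_name.
    return guid + "|" + computer


def file_key(computer, path):
    # "File path fingerprint": assumption, a hash of the normalised path per host.
    return computer + "|" + hashlib.sha1(path.lower().encode()).hexdigest()


def enrich(events):
    """Streaming enrichment with two caches standing in for memcached."""
    proc_cache, file_cache, out = {}, {}, []
    for raw in events:
        ev = dict(raw)
        host = ev["computer_name"]
        if ev["event_id"] == 1:
            parent = proc_cache.get(process_key(host, ev["ParentProcessGuid"]))
            if parent:                              # ParentUser, ParentIntegrityLevel, ParentImage
                ev.update({"Parent" + f: parent[f] for f in PROC_FIELDS})
            modifier = file_cache.get(file_key(host, ev["Image"]))
            if modifier:                            # who last wrote the binary being executed
                ev["ImageModifierUser"] = modifier["User"]
                ev["ImageModifierIntegrityLevel"] = modifier["IntegrityLevel"]
            proc_cache[process_key(host, ev["ProcessGuid"])] = {f: ev[f] for f in PROC_FIELDS}
        else:
            owner = proc_cache.get(process_key(host, ev["ProcessGuid"]))
            if owner:                               # User and IL exist only in event 1
                ev["User"], ev["IntegrityLevel"] = owner["User"], owner["IntegrityLevel"]
                if ev["event_id"] == 11:            # remember who wrote the file
                    file_cache[file_key(host, ev["TargetFilename"])] = owner
        out.append(ev)
    return out


def is_system(ev):
    return ev.get("User") == SYSTEM and ev.get("IntegrityLevel") == "System"


def system_child_of_unprivileged_parent(ev):
    # Token stealing / swapping: SYSTEM child, Medium or High IL parent
    return ev["event_id"] == 1 and is_system(ev) and ev.get("ParentIntegrityLevel") in ("Medium", "High")


def service_runs_binary_dropped_by_medium(ev):
    # Modifiable service binary: services.exe starts a file last written by a Medium IL process
    return (ev["event_id"] == 1 and is_system(ev)
            and ev.get("ParentImage", "").lower().endswith("\\services.exe")
            and ev.get("ImageModifierIntegrityLevel") == "Medium")


def user_differs_from_parent(ev):
    # Generic token swapping detector (the deck's runas exclusions are omitted here)
    return ev["event_id"] == 1 and "ParentUser" in ev and ev["User"] != ev["ParentUser"]


RULES = (system_child_of_unprivileged_parent, service_runs_binary_dropped_by_medium, user_differs_from_parent)


def hunt(events=EVENTS):
    """Return {rule_name: [ProcessGuid, ...]} over the enriched stream."""
    hits = {rule.__name__: [] for rule in RULES}
    for ev in enrich(events):
        for rule in RULES:
            if rule(ev):
                hits[rule.__name__].append(ev["ProcessGuid"])
    return hits


if __name__ == "__main__":
    for name, guids in hunt().items():
        print(name, guids)
```

Event 7 (image load) is enriched the same way as event 1, looking ImageLoaded up in the file cache, which yields the ImageLoadedModifierIntegrityLevel field used later for the DLL injection and DLL hijacking queries. A real deployment also needs a TTL on both caches and a cache per host, since ProcessGuid alone is not unique across machines.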
Privilege escalation via weak permissions. AccessChk tool usage. Let's hunt it!
Events related to usage of the AccessChk utility to check rights on different objects.

(Screenshots: finding services which we can control; finding writeable registry keys. The PE metadata
shows that it is a renamed AccessChk)
Privilege escalation via weak permissions. AccessChk tool usage. Let's hunt it!
source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.IntegrityLevel:Medium AND
(event_data.Product:*accesschk* OR event_data.Description:(*Reports effective permissions*))
Always Install Elevated
Windows provides a group policy setting which allows a regular user to install a Microsoft Windows
Installer package (MSI) with SYSTEM privileges. It can be found in environments where a standard user
needs to install an application that requires system privileges and the administrator wants to avoid
giving the user temporary local administrator access. The policy is only effective when the
AlwaysInstallElevated value is set to 1 under both HKLM and HKCU
(Software\Policies\Microsoft\Windows\Installer).
Always Install Elevated. Exploitation

1. Get the current status of the Always Install Elevated policy
2. Launch the MSI
3. Shell with SYSTEM privileges
Always Install Elevated. Let's hunt it!
Always Install Elevated policy is disabled – in this case, if a non-privileged user runs an MSI (1), the
Windows Installer service will try to install it with the privileges of the current user (2).
Always Install Elevated. Let's hunt it!
Always Install Elevated policy is enabled – in this case, if a non-privileged user runs an MSI (1), the
Windows Installer service will try to install it with SYSTEM privileges (2).
Always Install Elevated. Let's hunt it!

Search for the chain of events: request to start an MSI from a non-privileged user (1) –> the Windows
Installer service tries to install the MSI package with SYSTEM privileges (2):
source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND ( (event_data.Image:("\\Windows\\Installer\\"
AND *msi* AND *tmp) AND event_data.User:"NT AUTHORITY\\SYSTEM") OR (event_data.Image:"\\msiexec.exe"
AND -event_data.User:"NT AUTHORITY\\SYSTEM" AND -event_data.IntegrityLevel:System) )
Always Install Elevated. Let's hunt it!
Events related to the spawning of cmd/PowerShell from an MSI package. This is anomalous activity.
Always Install Elevated. Let's hunt it!
Search for spawning of cmd or PowerShell by an MSI package:
source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.Image:("\\cmd.exe"
"\\powershell.exe") AND event_data.ParentImage:("\\Windows\\Installer\\" AND *msi* AND *tmp)

Search for spawning of processes from cmd/PowerShell that was itself spawned from an MSI package:
source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.ParentImage:("\\cmd.exe"
"\\powershell.exe") AND event_data.ParentOfParent:("\\Windows\\Installer\\" AND *msi* AND *tmp)
Kernel and driver vulnerabilities
Windows Kernel and 3rd-party driver exploits
Windows Kernel and 3rd-party driver vulnerabilities can allow an attacker to execute arbitrary code
in kernel mode. The goal of kernel or driver exploitation is usually to gain higher privileges
(in most cases SYSTEM).

Possible kernel shellcodes that can be used for LPE:
• Token stealing (replacing the token of some process with a SYSTEM token);
• Nulling out ACLs (a NULL DACL means that everybody can access the object);
• Changing objects' ACLs (gives full access to an arbitrary object, e.g. to a process with SYSTEM
privileges; disabling auditing);
• Changing tokens (new groups, new "super" privileges, increasing the integrity level, changing the
user SID).
Windows Kernel and 3rd-party driver exploits. Token stealing
How it works:
• Enumerate EPROCESS structures in kernel memory;
• Find the EPROCESS address of the privileged (SYSTEM) process;
• Find the EPROCESS address of the current process;
• Read the ACCESS TOKEN pointer from the privileged process;
• Replace the ACCESS TOKEN of the current process with the ACCESS TOKEN of the privileged process.

(Diagram: winlogon.exe – System process; cmd.exe – User process; the token of cmd.exe is replaced
with the token of winlogon.exe)
Windows Kernel exploits

1. Discovery of missing patches
2. Vulnerability exploitation
3rd-party driver exploits
Capcom driver vulnerability exploitation example (this driver was distributed with
Capcom's Street Fighter V computer game)

1. Find the vulnerable driver
2. Vulnerability exploitation
Windows Kernel and 3rd-party driver exploits. Token stealing
(Screenshots: token before exploitation; token after exploitation)
Windows Kernel and 3rd-party driver exploits. Token stealing. Let's hunt it!
The process was started with a non-SYSTEM token and Medium IL but spawns a child process with SYSTEM rights!
Windows Kernel and 3rd-party driver exploits. Token stealing. Let's hunt it!
Search for spawning of child processes with SYSTEM privileges by parents with non-SYSTEM privileges
and Medium integrity level (ParentIntegrityLevel comes from the process cache enrichment):
source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.ParentIntegrityLevel:Medium AND
(event_data.IntegrityLevel:System AND event_data.User:"NT AUTHORITY\\SYSTEM")

(Screenshot: Logstash filter – get from memcached / save to memcached)
Token swapping, using Mimikatz driver

1. Installing the mimidrv.sys driver
2. Performing token swapping to SYSTEM via the installed driver
3. Spawning cmd under the SYSTEM account
4. Checking current rights

(Screenshots: token before swapping; token after swapping; token of the spawned cmd)
Token swapping, using Mimikatz driver. Let's hunt it!
Spawning a child process under SYSTEM by a process with High integrity level (loading a driver needs
an elevated process, so here the parent is High IL rather than Medium)

(Screenshots: parent process started under an account with High IL; child process started under the
SYSTEM account)
Token swapping, using Mimikatz driver. Let's hunt it!
Search for spawning a child process under SYSTEM by a process with High integrity level:
source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.ParentIntegrityLevel:High AND
(event_data.IntegrityLevel:System AND event_data.User:"NT AUTHORITY\\SYSTEM")

(Screenshot: Logstash filter – get from memcached / save to memcached)
Abusing Windows privileges
Abusing privileges

Privilege                      How it can be used for elevation
SeDebugPrivilege               A user with this privilege can open any process on the system without regard
                               to the security descriptor present on the process
SeImpersonatePrivilege         These privileges can be used to act on behalf of another user via the
SeAssignPrimaryTokenPrivilege  impersonation mechanism: to impersonate in a thread or to spawn a process
                               using an elevated token
SeTakeOwnershipPrivilege       Allows the holder to take ownership of any securable object (even a process)
SeRestorePrivilege             A user assigned this privilege can replace any file on the system with her
                               own or change any registry key
SeBackupPrivilege              A user assigned this privilege can read any file on the system or any
                               registry key
SeLoadDriverPrivilege          A malicious user could use this privilege to execute arbitrary code in the
                               kernel
SeCreateTokenPrivilege         Can be used to generate tokens that represent arbitrary user accounts with
                               arbitrary group membership and privilege assignment
SeTcbPrivilege                 A malicious user can use this privilege to create a new logon session that
                               includes the SIDs of more privileged groups or users in the resulting token
Abusing debug privilege

Debug privilege (SeDebugPrivilege) allows access to any process or thread, regardless of the
process's or thread's security descriptor (except for protected processes).
For a non-administrative account this privilege can be obtained via kernel exploitation or an
insecure configuration (SeDebugPrivilege directly granted to non-administrative accounts).
How it can be used in the context of privilege escalation:
• Reading memory of any process;
• Writing to the memory of any process;
• Spawning a process with an arbitrary parent.
Abusing debug privilege. Code injection
1. Discovering user privileges
2. Checking group membership
3. Injecting the meterpreter DLL into the winlogon.exe process
Abusing debug privilege. Code injection. Let's hunt it!
Anomalies that can be used for hunting:
• Injection into a process with higher privileges;
• The start address of the injected thread (Sysmon event 8 StartFunction) is LoadLibraryA/LoadLibraryW
in kernel32.dll, i.e. classic CreateRemoteThread DLL injection.
Abusing debug privilege. Code injection. Let's hunt it!
Search for injections into processes with SYSTEM privileges by processes with Medium or High
integrity levels (Source*/Target* fields are enriched from the cached process creation events):

source_name:"Microsoft-Windows-Sysmon" AND event_id:8 AND event_data.SourceIntegrityLevel:(Medium High)
AND event_data.TargetUser:"NT AUTHORITY\\SYSTEM" AND event_data.TargetIntegrityLevel:System

(Screenshot: Logstash filter – get from memcached / save to memcached, for both the source process
creation event and the target process creation event)
Abusing debug privilege. Code injection. Let's hunt it!
Loading, by a process with SYSTEM rights, of a DLL that was dropped by a process with Medium IL.
The same approach can be used for detection of EoP via DLL hijacking.
Abusing debug privilege. Code injection. Let's hunt it!

Search for loading, by a process with SYSTEM rights, of a DLL that was dropped by a process with
Medium IL (ImageLoadedMod ifierIntegrityLevel comes from the file modifier cache):
source_name:"Microsoft-Windows-Sysmon" AND event_id:7 AND event_data.IntegrityLevel:System AND
event_data.User:"NT AUTHORITY\\SYSTEM" AND event_data.ImageLoadedModifierIntegrityLevel:Medium

(Screenshot: Logstash filter – get from memcached / save to memcached)
Abusing debug privilege. Create process with arbitrary parent
The CreateProcess Win32 API allows assigning the parent of a newly spawned process via the
PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute. This facility is used by UAC: elevated processes
launched by the AppInfo service are made to look as if they had been launched from the non-elevated
process that would have been the parent, had there been no elevation.
Abusing debug privilege. Create process with arbitrary parent
How it works:
1. process.exe (User, with Debug privilege) calls OpenProcess on winlogon.exe (System);
2. it receives a process handle;
3. it calls CreateProcess with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS set to that handle;
4. child.exe inherits the winlogon.exe process token and runs as System.
Abusing debug privilege. Create process with arbitrary parent
(Screenshot: Mimikatz process::runp)
Abusing debug privilege. Create process with arbitrary parent. Let's hunt it!
Spawning of unusual child processes by system processes – unusual parent-child combinations:
lsass.exe spawns cmd.exe; winlogon.exe spawns powershell.exe
Abusing debug privilege. Create process with arbitrary parent. Let's hunt it!
Search for spawning of unusual child processes by system processes:
event_id:1 AND source_name:"Microsoft-Windows-Sysmon" AND event_data.ParentImage:("\\winlogon.exe"
"\\services.exe" "\\lsass.exe" "\\csrss.exe" "\\smss.exe" "\\wininit.exe" "\\spoolsv.exe" "\\searchindexer.exe")
AND event_data.Image:("\\cmd.exe" "\\powershell.exe") AND event_data.User:"NT AUTHORITY\\SYSTEM" AND
-event_data.CommandLine:(*route* *ADD*)
Abusing impersonation
Impersonation is the ability of a thread to execute in a security context that is different from
the context of the process that owns the thread. Using impersonation, a process can act on behalf
of another user: the server thread uses an access token representing the client's credentials to
obtain access to the objects to which the client has access.

(Diagram: ServerApp.exe runs with the primary token of User A; Thread 1 uses the primary token,
Thread 2 an impersonation token of User B, Thread 3 an impersonation token of User C)

Related privileges:
• SeImpersonatePrivilege
• SeAssignPrimaryTokenPrivilege
Abusing impersonation. Difference between CreateProcessAsUser and CreateProcessWithTokenW

CreateProcessAsUser – SeAssignPrimaryTokenPrivilege is required.
CreateProcessWithTokenW – SeImpersonatePrivilege is required.
Abusing impersonation. Tricking a privileged process into connecting to us

(Diagram: PrivProc.exe – System primary token; Parent.exe – User A primary token, impersonation
privilege; Child.exe – System primary token)
1. Influence the privileged process;
2. It connects to an endpoint controlled by Parent.exe;
3. The serving thread calls ImpersonateSecurityContext, ImpersonateNamedPipeClient,
DdeImpersonateClient or RpcImpersonateClient;
4. The thread now holds a System impersonation token;
5. CreateProcessWithToken or CreateProcessAsUser spawns Child.exe with a System primary token.

Most actions by the thread are done in the security context of the thread's impersonation token.
But if an impersonating thread calls the CreateProcess function, the new process inherits the
primary token of the process, which is why step 5 needs the token-aware APIs.
Abusing impersonation. Rotten Potato
Bad news for defenders (good for attackers ) – currently ANY user can obtain a SYSTEM impersonation
token by tricking the SYSTEM account into performing authentication to a TCP listener under the
user's control!
Good news for defenders (bad for attackers) – to use the obtained token, SeImpersonatePrivilege or
SeAssignPrimaryTokenPrivilege is required (to call the ImpersonateSecurityContext function)…

https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
Abusing impersonation. LOCAL/NETWORK SERVICE privileges
By default, service accounts have the impersonation privileges:
SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege
Abusing impersonation. LOCAL/NETWORK SERVICE tokens
Abusing impersonation. MSSQL/IIS accounts token
Abusing impersonation. Service account –> SYSTEM

EoP using the Rotten Potato technique (JuicyPotato tool):
1. Checking current privileges (NETWORK SERVICE)
2. Downloading the JuicyPotato tool
3. Downloading the binary to run with elevated privileges
4. Launching the JuicyPotato tool
5. Using the obtained SYSTEM token to start the downloaded binary via the CreateProcessWithTokenW API
6. Pwned! 
Abusing impersonation. Service account –> SYSTEM. Let's hunt it!
A process running as Network Service / Local Service starts a process with SYSTEM rights
Abusing impersonation. Service account –> SYSTEM. Let's hunt it!
Search for spawning of SYSTEM processes by processes started under the Network Service or Local
Service account (ParentUser is enriched from the process cache):

source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.User:"NT AUTHORITY\\SYSTEM"
AND event_data.ParentUser:("NT AUTHORITY\\NETWORK SERVICE" "NT AUTHORITY\\LOCAL SERVICE") AND
-event_data.CommandLine:(*rundll32* AND *DavSetCookie*)

(Screenshot: Logstash filter – get from memcached / save to memcached)
Webshell/xp_cmdshell. Let's hunt it!
Spawning of cmd/powershell (or another unusual child) by a server application
Webshell/xp_cmdshell. Let's hunt it!
Search for cmd/powershell (or another unusual child) spawned by a server application:

source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.Image:("\\cmd.exe" "\\powershell.exe"
"\\wscript.exe" "\\cscript.exe") AND event_data.ParentImage:("\\httpd.exe" "\\sqlservr.exe" "\\jbosssvc.exe"
"\\w3wp.exe" "\\nginx.exe" "\\php-cgi.exe" "\\tomcat8.exe" "\\tomcat7.exe" "\\tomcat6.exe"
"\\tomcat5.exe" "\\tomcat.exe") AND -event_data.CommandLine:(*sendmail*)
Abusing impersonation. Named pipe impersonation
Meterpreter/Cobalt Strike getsystem (technique 1 – fileless)

How it works:
1. Creates a named pipe;
2. Creates and starts a service that spawns a cmd.exe under SYSTEM, which then connects to the
created named pipe;
3. After cmd has connected to the pipe, impersonates the SYSTEM security context using the
ImpersonateNamedPipeClient function.

(Screenshots: Meterpreter getsystem; Cobalt Strike getsystem)
Abusing impersonation. Named pipe impersonation
Meterpreter getsystem (technique 2, with file dropping)
How it works:
1. Creates a named pipe;
2. Drops a special DLL with code to connect to the named pipe;
3. Creates and starts a service that spawns rundll32.exe under SYSTEM, which then executes code
from the DLL;
4. The code from the DLL connects to the created named pipe;
5. After rundll32 has connected to the pipe, impersonates the SYSTEM security context using the
ImpersonateNamedPipeClient function.
Abusing impersonation. Named pipe impersonation
Meterpreter/Cobalt Strike getsystem. Let's hunt it!
Search for service installation events (7045) or children of services.exe whose image path / command
line matches the Meterpreter getsystem service (cmd output redirected to a named pipe, or the specific
rundll32 command line):

(event_id:7045 OR (event_id:1 AND event_data.ParentImage:"\\services.exe")) AND
((event_data.CommandLine:(*cmd* *COMSPEC*) AND event_data.CommandLine:"*echo *" AND event_data.CommandLine:*pipe* AND
event_data.CommandLine.keyword:/.*\\\\.\\..*/) OR
(event_data.CommandLine:*rundll* AND event_data.CommandLine.keyword:/.*\.dll,a \/p:.*/))
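Added example (not part of the deck): the getsystem service detection above as plain Python over constructed 7045 and Sysmon event 1 records. The two regexes encode the deck's two patterns, cmd/%COMSPEC% echoing into \\.\pipe\<name> and rundll32 loading <dropped>.dll,a /p:<pipe>; the service names, pipe names and DLL path in the samples are made up, written in the shape the deck describes.

```python
import re

# Technique 1 (fileless): service binary path like
#   cmd.exe /c echo <token> > \\.\pipe\<token>      (or %COMSPEC% instead of cmd.exe)
NAMED_PIPE_ECHO = re.compile(
    r"(?:\bcmd(?:\.exe)?\b|%COMSPEC%).*\becho\b.*>\s*\\\\\.\\pipe\\\S+", re.I)
# Technique 2 (DLL dropped): rundll32 <path>.dll,a /p:<pipe name>
RUNDLL_PIPE = re.compile(r"rundll32(?:\.exe)?\s+\S+\.dll,a\s+/p:\S+", re.I)


def classify_service_command(cmd: str):
    """Which getsystem variant a service binary path / command line looks like,
    or None. Mirrors the deck's query: cmd + echo + pipe + \\.\ or rundll32 ...dll,a /p:."""
    if NAMED_PIPE_ECHO.search(cmd):
        return "getsystem-namedpipe-cmd"
    if RUNDLL_PIPE.search(cmd):
        return "getsystem-namedpipe-rundll32"
    return None


def command_of(ev):
    """7045 carries the path in ImagePath; a Sysmon event 1 child of services.exe
    carries it in CommandLine. Other events are ignored."""
    if ev["event_id"] == 7045:
        return ev["ImagePath"]
    if ev["event_id"] == 1 and ev.get("ParentImage", "").lower().endswith("\\services.exe"):
        return ev["CommandLine"]
    return None


# Constructed events (not captured from a real host): two getsystem services,
# one ordinary service install, one ordinary child of services.exe.
EVENTS = [
    {"event_id": 7045, "ServiceName": "pBkRtwmq",
     "ImagePath": r"%COMSPEC% /c echo pBkRtwmq > \\.\pipe\pBkRtwmq"},
    {"event_id": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\xyz.dll,a /p:abcd"},
    {"event_id": 7045, "ServiceName": "VulnSvc",
     "ImagePath": r'"C:\Program Files\Vuln Svc\svc.exe"'},
    {"event_id": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
]


def hunt(events=EVENTS):
    """[(event_id, verdict), ...] for every event that matches a getsystem pattern."""
    hits = []
    for ev in events:
        cmd = command_of(ev)
        verdict = classify_service_command(cmd) if cmd else None
        if verdict:
            hits.append((ev["event_id"], verdict))
    return hits


if __name__ == "__main__":
    for event_id, verdict in hunt():
        print(event_id, verdict)
```

Both variants also leave a 7045 with a random-looking service name and, on Sysmon with pipe events enabled, a pipe creation (event 17) immediately followed by a connection (event 18) from a SYSTEM process, which is a useful corroborating signal not covered by the regexes.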
Abusing impersonation. Named pipe impersonation
Meterpreter/Cobalt Strike getsystem. Let's hunt it!
Spawning of a process under the SYSTEM account by a parent with High integrity level
Abusing impersonation + debug privileges. Steal token of other process via DuplicateToken(Ex)
(Diagram: PrivProc.exe – System primary token; Parent.exe – User A primary token, Debug privilege;
Child.exe – System primary token)
1. DuplicateToken or DuplicateTokenEx on the token of PrivProc.exe;
2. A token handle (System impersonation token) is returned;
3.1. SetThreadToken or ImpersonateLoggedOnUser makes a thread of Parent.exe impersonate System;
3.2. CreateProcessWithToken or CreateProcessAsUser spawns Child.exe with a System primary token.

In this case too, if an impersonating thread calls the CreateProcess function, the new process
inherits the primary token of the process rather than the impersonation token of the calling thread.
Abusing impersonation + debug privileges. Incognito

Well-known Incognito tool https://github.com/fdiskyou/incognito2
1. Lists available tokens
2. Executes cmd with a SYSTEM token
3. Checks current rights – we are SYSTEM 
Abusing impersonation + debug privileges. Incognito. Let's hunt it!
Spawning of a process under the SYSTEM account by a parent with High integrity level
Abusing impersonation + debug privileges. Tokenvator. Let's hunt it!
Search for spawning of a process under the SYSTEM account by parents with Medium or High integrity level:
event_id:1 AND source_name:"Microsoft-Windows-Sysmon" AND event_data.IntegrityLevel:System AND
event_data.User:"NT AUTHORITY\\SYSTEM" AND event_data.ParentIntegrityLevel:(Medium High)
Generic detector of token swapping
Search for spawning of a child process under an account that is different from the parent process's
account (excluding parents for which such activity is legitimate – the runas tool, for example):

{"bool":{"must":[
  {"query_string":{"query":"event_id:1 AND event_data.ParentIntegrityLevel:(High Medium Low) AND -event_data.Image:\"\\runas.exe\" AND -(event_data.Image:\"rundll32.exe\" AND event_data.CommandLine:*RunAsNewUser_RunDLL*)"}},
  {"script":{"script":"doc[\"event_data.User.keyword\"] != doc[\"event_data.ParentUser.keyword\"]"}}
]}}

(Screenshot: enrichment using the Logstash memcached filter plugin)
Generic detector of privilege escalation to SYSTEM
Search for the whoami tool being spawned under the SYSTEM account (legitimate SYSTEM processes rarely need it):

source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.Image:"\\whoami.exe"
AND event_data.IntegrityLevel:System AND event_data.User:"NT AUTHORITY\\SYSTEM"
Summing Up
Questions?
