Hunting For Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
• Head of SOC R&D at Kaspersky Lab
• Threat Hunter
• Big fan of ELK stack
• Zero Nights / PHDays speaker
• Ex-System Admin
• Ex-Infosec Admin
• Ex-Infosec dept. Head
• Twitter @HeirhabarovT
What are we going to talk about?
Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network.
We will look at different methods of local privilege escalation in a Windows environment and how to detect them via logs.
Theory
Theory. Access token
[Diagram: influence of the access token on access checks against an object]
Subject (access token): User SID, Group SIDs, Privileges, Integrity Level
Object (security descriptor): Owner SID, Group SID, DACL, SACL (the object's integrity level is stored here)
Check 1, Mandatory Integrity Control: is access granted? NO: Access Denied. YES: continue to check 2.
Check 2, Discretionary Access Control: is access granted? NO: Access Denied.
Bypass: special privileges (Debug, Restore, Backup, Take Ownership) let the subject skip these checks.
Stored Credentials
Stored Credentials. Files
[Screenshot: stored credentials in sysprep.xml]
Stored Credentials. Files. Group Policy Preferences
Group Policy Preferences allow domain admins to create and deploy local users and local administrator accounts across the domain. When this function is used, policy preference files are created. These files are located in the SYSVOL shared directory, and any authenticated user in the domain has read access to them, since that is needed in order to obtain group policy updates.
Policy preference files contain encrypted passwords… But the encryption key is hardcoded and was published by Microsoft.
Stored Credentials. Files. Let’s hunt it!
Deception-like approach – use fake files containing fake credentials and monitor accesses to these files.
[Screenshots: fake Unattend.xml; fake policy preference file]
Stored Credentials. Files. Let’s hunt it!
[Screenshot: unsuccessful authentication attempt with the fake account]
Stored Credentials. Files/registry. Let’s hunt it!
Search for unsuccessful authentication attempts with the fake account (the one specified in the fake file with stored credentials):
(event_id:(4625 OR 4648) OR (event_id:4776 AND -event_data.Status:0x0)) AND event_data.TargetUserName:FakeAccountUserName
[Screenshot: search result showing the source host of the attempt]
[Diagram, service registry permissions weakness; steps visible: 2. Change ImagePath; 3. Restart Service]
Service registry permissions weakness. Let’s hunt it!
Events related to changes of service registry keys by non-privileged users.
Cache information about started processes (save to memcached)
Using the Logstash memcached filter we can cache some information about started processes for further enrichment of other events:
• Integrity Level
• User
• Command line
• Parent Image
[Logstash config screenshot: the previously built information block is saved to the cache; the key is the concatenation of ProcessGuid and computer_name]
Enrich Sysmon events with additional information about process
Add from the cache the information that is available only in the Process Creation event (User, IL…) to the other Sysmon events of the same process.
[Logstash config screenshot: enrich event; result of enrichment with information about the process]
Enrich Sysmon process creation events with information about parent process
Get the previously cached information about the parent process from the cache to enrich process creation events.
[Logstash config screenshot: enrich event; result of enrichment with information about the parent process]
Service permissions weakness
A service is an operating system object. Like any object it has a DACL. Sometimes it is possible to discover services that run with SYSTEM privileges and don't have appropriate permissions. Adversaries can use this to elevate privileges by changing the service ImagePath, FailureCommand or ServiceDll to point to a different executable under their control. This can be done via the SCM API or using the sc.exe utility.
[Diagram, service permissions weakness; step visible: 3. Restart service]
Service permissions weakness. Let’s hunt it!
Events related to usage of the sc utility by non-privileged users to change service configuration.
[Screenshot: usage of sc to change a service binPath]
[Diagram, modifiable service binary; step visible: 2. Replace binary and restart service]
Modifiable service binary. Let’s hunt it!
A non-privileged process (1) drops an executable (2) that is then executed as a service with SYSTEM rights (3).
[Logstash config screenshot: 1. Calculating the file path fingerprint; 2. Caching information about the file modifier]
Enrich events with information about last modifier
[Logstash config screenshot: 1. Calculating the file path fingerprint; 2. Obtaining information from the cache]
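The two enrichment stages above (caching ProcessCreate fields keyed on ProcessGuid plus computer_name, then attaching them to later events, and remembering the last modifier of a file by a path fingerprint) as an added in-memory Python example; it is not the talk's Logstash configuration, the events are constructed, and the field names are assumed to mirror Sysmon event_data:

```python
import hashlib
# Added example, not the talk's Logstash config: an in-memory stand-in for the
# memcached enrichment the slides describe. Field names mirror Sysmon event_data.
def proc_key(computer, guid):
    return guid + computer                       # key = ProcessGuid + computer_name
def file_key(computer, path):                    # "file path fingerprint"
    return hashlib.sha1((computer + "|" + path.lower()).encode()).hexdigest()

class Enricher:
    def __init__(self):
        self.procs, self.files = {}, {}          # stand-ins for two memcached keyspaces
    def enrich(self, ev):
        ev, host = dict(ev), ev["computer_name"]
        if ev["event_id"] == 1:                  # ProcessCreate: cache what only it carries
            self.procs[proc_key(host, ev["ProcessGuid"])] = {k: ev[k] for k in
                ("Image", "User", "IntegrityLevel", "CommandLine", "ParentImage")}
            parent = self.procs.get(proc_key(host, ev["ParentProcessGuid"]), {})
            ev["ParentIntegrityLevel"] = parent.get("IntegrityLevel")
            ev["ParentUser"] = parent.get("User")
            ev["ParentOfParent"] = parent.get("ParentImage")
            return ev
        proc = self.procs.get(proc_key(host, ev["ProcessGuid"]), {})
        for k in ("User", "IntegrityLevel", "CommandLine", "ParentImage"):
            ev[k] = proc.get(k)                  # copied from the cached ProcessCreate
        if ev["event_id"] == 11:                 # FileCreate: remember the last modifier
            self.files[file_key(host, ev["TargetFilename"])] = proc
        elif ev["event_id"] == 7:                # ImageLoad: look the modifier up
            mod = self.files.get(file_key(host, ev["ImageLoaded"]), {})
            ev["ImageLoadedModifierImage"] = mod.get("Image")
            ev["ImageLoadedModifierIntegrityLevel"] = mod.get("IntegrityLevel")
        return ev

SAMPLE = [  # constructed: Medium-IL explorer drops a DLL later loaded by a SYSTEM process
    {"computer_name": "ws01", "event_id": 1, "ProcessGuid": "A", "ParentProcessGuid": "0",
     "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\alice", "IntegrityLevel": "Medium",
     "CommandLine": "explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
    {"computer_name": "ws01", "event_id": 11, "ProcessGuid": "A", "TargetFilename": "C:\\Temp\\helper.dll"},
    {"computer_name": "ws01", "event_id": 1, "ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "IntegrityLevel": "System", "CommandLine": "svchost.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"computer_name": "ws01", "event_id": 7, "ProcessGuid": "B", "ImageLoaded": "C:\\temp\\HELPER.DLL"},
]

def run_pipeline(events=SAMPLE):
    e = Enricher()
    return [e.enrich(ev) for ev in events]
def dll_from_medium_loaded_by_system(ev):        # the talk's event 7 query, over enriched fields
    return (ev["event_id"] == 7 and ev.get("IntegrityLevel") == "System"
            and ev.get("User") == "NT AUTHORITY\\SYSTEM"
            and ev.get("ImageLoadedModifierIntegrityLevel") == "Medium")
```

The last function shows why the enrichment matters: the ImageLoad event alone carries neither the loader's integrity level nor who wrote the DLL.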
[Screenshots: finding services which we can control; finding writeable registry keys]
Always Install Elevated. Let’s hunt it!
When the Always Install Elevated policy is enabled and a non-privileged user runs an MSI (1), the Windows Installer service will try to install it with SYSTEM privileges (2).
[Diagram: 1. non-privileged user runs the MSI; 2. MSI launching by the Windows Installer service]
Always Install Elevated. Let’s hunt it!
Search for a chain of events: a request to start an MSI from a non-privileged user (1) followed by the Windows Installer service trying to install the MSI package with SYSTEM privileges (2):
source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND ( (event_data.Image:("\\Windows\\Installer\\" AND *msi* AND *tmp) AND event_data.User:"NT AUTHORITY\\SYSTEM") OR (event_data.Image:"\\msiexec.exe" AND -event_data.User:"NT AUTHORITY\\SYSTEM" AND -event_data.IntegrityLevel:System) )
Always Install Elevated. Let’s hunt it!
Events related to the spawning of cmd/PowerShell from an MSI package. This is anomalous activity.
Always Install Elevated. Let’s hunt it!
Search for spawning of cmd or PowerShell by an MSI package:
source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.Image:("\\cmd.exe" "\\powershell.exe") AND event_data.ParentImage:("\\Windows\\Installer\\" AND *msi* AND *tmp)
Search for processes spawned from a cmd/PowerShell that was itself spawned from an MSI package:
source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.ParentImage:("\\cmd.exe" "\\powershell.exe") AND event_data.ParentOfParent:("\\Windows\\Installer\\" AND *msi* AND *tmp)
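The Always Install Elevated query above returns both halves of the chain as separate hits; this added Python example (not the talk's code) correlates them per host within a time window and applies the cmd/PowerShell child rule. The events are constructed Sysmon event 1 records, and the 60-second window is an assumption:

```python
import fnmatch
from datetime import datetime, timedelta

# Added example, not from the talk: correlates the two halves of the slide's query
# into one chain per host, and checks the cmd/PowerShell child rule. Events are
# constructed Sysmon event 1 records; the 60-second window is an assumption.
SYSTEM = "NT AUTHORITY\\SYSTEM"
INSTALLER_TMP = "*\\windows\\installer\\*msi*tmp"   # \Windows\Installer\ AND *msi* AND *tmp

def user_msiexec(ev):                              # half (1): msiexec not run as SYSTEM
    img = ev["Image"].lower()
    return img.endswith("\\msiexec.exe") and ev["User"] != SYSTEM and ev["IntegrityLevel"] != "System"

def installer_tmp_as_system(ev):                   # half (2): MSI*.tmp executed as SYSTEM
    return fnmatch.fnmatchcase(ev["Image"].lower(), INSTALLER_TMP) and ev["User"] == SYSTEM

def shell_from_msi(ev):                            # cmd/PowerShell whose parent is the MSI*.tmp
    img, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    return img.endswith(("\\cmd.exe", "\\powershell.exe")) and fnmatch.fnmatchcase(parent, INSTALLER_TMP)

def find_chains(events, window=timedelta(seconds=60)):
    """Pairs (user msiexec start, SYSTEM installer run) on the same host within the window."""
    starts = [e for e in events if user_msiexec(e)]
    return [(s, i) for i in events if installer_tmp_as_system(i) for s in starts
            if s["computer_name"] == i["computer_name"]
            and timedelta(0) <= i["UtcTime"] - s["UtcTime"] <= window]

T0 = datetime(2018, 5, 1, 10, 0, 0)
SAMPLE = [  # constructed: alice runs an MSI on ws01; ws02 shows the legitimate SYSTEM msiexec service
    {"computer_name": "ws01", "UtcTime": T0, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "User": "CORP\\alice", "IntegrityLevel": "Medium", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"computer_name": "ws01", "UtcTime": T0 + timedelta(seconds=3), "Image": "C:\\Windows\\Installer\\MSI1A2B.tmp",
     "User": SYSTEM, "IntegrityLevel": "System", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    {"computer_name": "ws01", "UtcTime": T0 + timedelta(seconds=4), "Image": "C:\\Windows\\System32\\cmd.exe",
     "User": SYSTEM, "IntegrityLevel": "System", "ParentImage": "C:\\Windows\\Installer\\MSI1A2B.tmp"},
    {"computer_name": "ws02", "UtcTime": T0, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "User": SYSTEM, "IntegrityLevel": "System", "ParentImage": "C:\\Windows\\System32\\services.exe"},
]
```

The ws02 record is the normal SYSTEM-owned msiexec service and is not paired, which is the false positive a plain OR query would still surface.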
Kernel and driver vulnerabilities
Windows Kernel and 3rd-party drivers exploits
Windows kernel and 3rd-party driver vulnerabilities can allow an attacker to execute arbitrary code in kernel mode. The goal of kernel or driver exploitation is often to somehow gain higher privileges (in most cases SYSTEM).
[Diagram: System process (winlogon.exe) and User process (cmd.exe)]
Windows Kernel exploits
[Diagram; step visible: 2. Vulnerability exploitation]
3rd-party drivers exploits
Capcom driver vulnerability exploitation example (this driver was distributed with Capcom's Street Fighter V computer game)
[Diagram; step visible: 2. Vulnerability exploitation]
Windows Kernel and 3rd-party drivers exploits. Token stealing
Token before exploitation Token after exploitation
Windows Kernel and 3rd-party drivers exploits. Token stealing
Let’s hunt it!
A process that was started with a non-SYSTEM token and Medium IL spawns a child process with SYSTEM rights!
Windows Kernel and 3rd-party drivers exploits. Token stealing
Let’s hunt it!
Search for spawning of child processes with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level:
source_name:"Microsoft-Windows-Sysmon" AND event_id:1 AND event_data.ParentIntegrityLevel:Medium AND (event_data.IntegrityLevel:System AND event_data.User:"NT AUTHORITY\\SYSTEM")
[Screenshots, token swapping using the Mimikatz driver: token before swapping; 1. Installing the mimidrv.sys driver; 2. Performing token swapping to SYSTEM via the installed driver; token after swapping; 4. Checking current rights (token of the spawned cmd)]
Token swapping, using Mimikatz driver. Let’s hunt it!
Spawning of a child process under SYSTEM by a process with High integrity level.
Abusing Windows privileges
Abusing privileges
Privilege: how it can be used for elevation
SeDebugPrivilege: a user with this privilege can open any process on the system without regard to the security descriptor present on the process.
SeImpersonatePrivilege, SeAssignPrimaryPrivilege: these privileges can be used to act on behalf of another user via the impersonation mechanism; they can be used to impersonate a thread or to spawn a process using an elevated token.
SeTakeOwnershipPrivilege: this privilege allows the holder to take ownership of any securable object (even a process).
SeRestorePrivilege: a user assigned this privilege can replace any file on the system with her own or change any registry key.
SeBackupPrivilege: a user assigned this privilege can read any file on the system or any registry key.
SeLoadDriver: a malicious user could use this privilege to execute arbitrary code in the kernel.
SeCreateTokenPrivilege: this privilege can be used to generate tokens that represent arbitrary user accounts with arbitrary group membership and privilege assignment.
SeTcbPrivilege: a malicious user can use this privilege to create a new logon session that includes the SIDs of more privileged groups or users in the resulting token.
Abusing debug privilege
[Diagram; step visible: 2. Check group membership]
Abusing debug privilege. Code injection.
Let’s hunt it!
Anomalies that can be used for hunting:
• Injection into a process with higher privileges;
• The injected code is the address of LoadLibraryA(W) from kernel32.dll.
Abusing debug privilege. Code injection. Let’s hunt it!
Search for injections into processes with SYSTEM privileges by processes with Medium or High integrity levels:
Search for the loading, by a process with SYSTEM rights, of a DLL that was dropped by a process with Medium IL:
source_name:"Microsoft-Windows-Sysmon" AND event_id:7 AND event_data.IntegrityLevel:System AND event_data.User:"NT AUTHORITY\\SYSTEM" AND event_data.ImageLoadedModifierIntegrityLevel:Medium
Abusing debug privilege. Create process with arbitrary parent
The CreateProcess Win32 API allows assigning the parent of a newly spawned process via the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute. This facility is used by UAC: elevated processes launched by the AppInfo service look as if they had been launched from the non-elevated process that would have been the parent, had there been no elevation.
Abusing debug privilege. Create process with arbitrary parent
How it works
[Diagram; step visible: 4. Inherit the winlogon.exe process token. Annotations: SeAssignPrimaryPrivilege is required; SeImpersonatePrivilege is required]
Abusing impersonation. Tricking a privileged process into connecting to us
[Diagram: a System process connects (2. Connection) to an endpoint owned by our process; 3. ImpersonateSecurityContext, or ImpersonateNamedPipeClient, or DdeImpersonateClient, or RpcImpersonateClient gives our thread a System impersonation token]
Most actions by the thread are done in the security context of the thread's impersonation token. But if an impersonating thread calls the CreateProcess function, the new process inherits the primary token of the process.
Abusing impersonation. Rotten Potato
Bad news for defenders (good for offenders) – currently ANY user can obtain an impersonation SYSTEM token by tricking the SYSTEM account into performing authentication to some TCP listener under the user's control!
Good news for defenders (bad for offenders) – to use the obtained token, SeImpersonatePrivilege or SeAssignPrimaryPrivilege is required (to call the ImpersonateSecurityContext function)…
https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
Abusing impersonation. LOCAL/NETWORK SERVICE privileges
By default, service accounts have impersonation privileges.
[Screenshot: SeImpersonatePrivilege and SeAssignPrimaryPrivilege in the service account's token]
Abusing impersonation. LOCAL/NETWORK SERVICE tokens
Abusing impersonation. MSSQL/IIS accounts token
Abusing impersonation. Service account –> SYSTEM
[Screenshots; steps visible: 2. Downloading the JuicyPotato tool; 3. Downloading a binary to run with elevated privileges]
Meterpreter getsystem
How it works:
1. Creates a named pipe;
2. Creates and starts a service that spawns a cmd.exe under SYSTEM, which then connects to the created named pipe;
3. After cmd has connected to the pipe, impersonates the SYSTEM security context using the ImpersonateNamedPipeClient function.
[Screenshot: Cobalt Strike getsystem]
Abusing impersonation. Named pipe impersonation
Meterpreter getsystem (technique 2, with file dropping)
How it works:
1. Creates a named pipe;
2. Drops a special DLL with code to connect to the named pipe;
3. Creates and starts a service that spawns a rundll32.exe under SYSTEM, which then executes code from the DLL;
4. The code from the DLL connects to the created named pipe;
5. After the client has connected to the pipe, impersonates the SYSTEM security context using the ImpersonateNamedPipeClient function.
Abusing impersonation. Named pipe impersonation
Meterpreter/Cobalt Strike getsystem. Let’s hunt it!
Search for service installation events where the Image Path and command line point to the Meterpreter getsystem command execution (redirection of cmd output to the named pipe, the specific rundll32 command line):
[Diagram; step visible: 2. Executes cmd with SYSTEM token]
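A way to express that hunt over service installation (System log event 7045) records, as an added Python example that is not the talk's query. The two ImagePath shapes (a cmd echo redirected into a named pipe, and rundll32 loading a DLL with an `,a /p:` pipe argument) follow public descriptions of the Meterpreter getsystem techniques and are assumptions; the records are constructed:

```python
import re

# Added example, not the talk's query: classify Windows System log 7045 (service installed)
# records by the ImagePath shapes the named-pipe impersonation getsystem techniques leave.
# Both patterns are assumptions based on public descriptions of Meterpreter getsystem.
PIPE_ECHO = re.compile(r"\becho\s+\S+\s*>\s*\\\\\.\\pipe\\", re.I)        # cmd /c echo X > \\.\pipe\X
RUNDLL_PIPE = re.compile(r"rundll32(\.exe)?\s+\"?[^\",]+\.dll\"?,\s*a\s+/p:", re.I)  # technique 2

def classify_service_install(ev):
    """Label a 7045 record whose ImagePath looks like a getsystem service, else None."""
    if ev.get("event_id") != 7045:
        return None
    path = ev.get("ImagePath", "")
    if PIPE_ECHO.search(path):
        return "getsystem:named-pipe-via-cmd"
    if RUNDLL_PIPE.search(path):
        return "getsystem:named-pipe-via-rundll32"
    return None

SAMPLE = [  # constructed 7045 records; the third is a benign service install for contrast
    {"event_id": 7045, "computer_name": "ws01", "ServiceName": "NwLQdpdm", "AccountName": "LocalSystem",
     "ImagePath": "cmd.exe /c echo NwLQdpdm > \\\\.\\pipe\\NwLQdpdm"},
    {"event_id": 7045, "computer_name": "ws01", "ServiceName": "kJgHqfrs", "AccountName": "LocalSystem",
     "ImagePath": "rundll32.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\kJgHqfrs.dll\",a /p:kJgHqfrs"},
    {"event_id": 7045, "computer_name": "ws01", "ServiceName": "Sysmon64", "AccountName": "LocalSystem",
     "ImagePath": "C:\\Windows\\Sysmon64.exe"},
]

def hunt(events=SAMPLE):
    """Return (ServiceName, label) for every record that matches one of the patterns."""
    hits = []
    for ev in events:
        label = classify_service_install(ev)
        if label:
            hits.append((ev["ServiceName"], label))
    return hits
```

The random-looking service name is itself a useful secondary signal, but the ImagePath shape is what the rule keys on, so a renamed service still matches.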