Roadmapping Privilege Escalation in Windows Systems
Securing Your Assets against Privilege Escalation Attacks
And the award for the most confusing cybersecurity phrase out there goes to “privilege escalation”, a term which, as balking as it might sound, is oftentimes confused with obtaining higher privileges via a veto-like, sysadmin-controlled process. Since we like nothing more than to sink our teeth into something like this, today’s article won’t be an article, but long-winded disambiguation of privilege escalation. So, what is privilege escalation, how many types of privilege escalations are there, and, most importantly why is this bad? Stick around to find the answer to these questions and more. Enjoy!
What is Privilege Escalation?
Let’s talk about the elephant in the room – privilege escalation. So, in cyber-lingo, privilege escalation is a malicious attempt at gaining unauthorized access to sensitive information by taking over a user’s account that has the necessary privileges to view or commit modifications to the said information.
Let’s break this down a bit – let’s say that user A, who’s working for company XYZ, has been given access to a financial database. Because user A is a finance officer, he’s been cleared to perform a set of company-defined operations on the financial database (e.g., read, write, open, but not delete). Fellow B, who’s in no way affiliated to XYZ, wishes to tap into the company’s financial database for whatever nefarious purpose.
Using various TTPs, B successfully takes over user A’s account and gains access to the database. This a great example of a vertical privilege escalation. You’ve guessed – there’s also a horizontal privilege escalation. So, how do you set them apart? Well, in vertical privilege escalation, you’re dealing with the ‘accountphage’ type of behavior.
Basically, you chew the user out of his or her account. Horizontal privilege escalations are a bit more challenging compared to vertical ones since they require a deep understanding of how operating systems work.
Wait! Isn’t that prerequisite for both ops? Yes and no – of course, you’ll need some tech background to figure out how account takeover tools work and identify the backdoors and vulnerability that would enable you, as the hacker, to perform the said operation. In vertical P.E., you don’t need to elevate rights (i.e. obtain the credentials necessary to access another informational class) because the account you’re about to take over has all the credentials necessary to access that particularly sensitive area.
Anyway, in horizontal privilege escalation, you will need to take over and, at the same time, elevate those privileges. No doubt some ‘Mission Impossible’ right there, but very doable if you have the right tools. In most case HEP cases, the attacker would rely on phishing or spearphishing to infiltrate the victim’s machine and hacking tools such as Metasploit to gain SYSTEM-level (root) access. And that’s where the fun begins.
So far, we’ve covered the whats and whys. Let’s tackle the hows. One word – vulnerabilities. OS-embedded vulnerabilities, hidden backdoors, or even user permission misconfigurations can facilitate the threat actor’s entry.
Please keep in mind that there’s no such thing as an operating system with zero vulnerabilities – Linux has them, macOS has them, and the list goes on; won’t even bother talking about Windows. To make things even worse than they already are, some tools are fine-tuned to sniff out these vulnerabilities. And yes, most of them are legitimate.
To recap: we have two types of privilege escalation – vertical and horizontal. In VPE (vertical privilege escalation), the attacker aims at taking over an account that has higher privileges. On the other hand, in HPE (horizontal privilege escalation) the hacker will first take over an account and then try to gain system-level rights. Both types of operations are achieved by taking advantage of existing operating system vulnerabilities.
With that out of way, let’s now talk about some of the common and common privilege escalation attacks.
System admins waste 30% of their time manually managing user
rights or installations
Heimdal™ Privileged Access
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
Privilege Escalation Attacks and Ways of Countering Them
Finally, we’ve arrived at the fun part – chalking up the list of privilege escalation attacks. Any favorite? Hit the comments section and let me know. Also, if there’s an attack I’ve missed, leave the name in the comment and I’ll get back to you. Without further ado, here’s what you’re up against.
Windows Sticky-Key attack
I’ll kick it off with my all-time favorite privilege escalation attack – Sticky Keys for sticky fingers. For those of you who don’t know what sticky keys are, try pressing the “Shift” key five times. You get a short beep and a screen pops up asking you to configure ‘sticky’ behavior. Pretty useful for users who can’t work their way around key combos, but very frustrating if you’re into gaming. Hint: enable autorun the game’s menu.
Anyway, regarding this particular attack, its beauty lies in its simplicity – you really don’t need that computer-native to carry it out. Here’s the gig: using the ‘enable sticky keys feature’ you can bypass normal endpoint auth and gain system-level privileges. Sounds crazy, but it really works, and here’s how to do it. Please note that what I’m about to show you is for educational purposes only! You can try it out on your personal machine, but please refrain from doing this on your work machine or whatever.
Step 1. Get access to a machine. To pull off this trick, you will need to have PHYSICAL access to the machine. Also, make sure that the ‘practice’ machine can boot to or from a repair disk.
Step 2. Make a copy of the sethc.exe file. This particular file will pop up in the task manager every time you invoke the sticky keys function. Make a local backup of the file because you’ll need to fix the backdoor later. To do that, fire up your Command Prompt and type in the following command:
Copy c:\windows\system32\sethc.exe c:\
This will make a copy of the sethc.exe file on your C partition.
Step 3. Replace sethc.exe with cmd.exe. Once you’re done with the backup part (see step 2), type in the following command in the same CMD window:
Copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
Don’t need to confirm the operation. The </y> argument pre-approves it.
Step 4. Restart your machine. After your machine has booted up, mash the “SHIFT” key five times. If everything’s done right, a CMD window should appear on your screen. But it’s not just any CMD window – it’s THE (magic) CMD window that grants you system-level privileges.
Go ahead and knock yourself out; from here, you can create a (fake) admin account, install a secret backdoor, and much more.
Purloining stored credentials aka Credential Dumping
You know how it goes: trash for the machine, gold for the hacker. Credential dumping is a great way of recovering (hashed) credentials from key system locations. Compared to the sticky-key attack, credential dumping is a bit more challenging since it requires tools, time, and, of course, the nose of a bloodhound. So, how does this work? Well, all machines running Windows cache login credentials in various locations.
Basically, if you know where to look, you can easily pull out stuff like admin login passwords, master passwords for local passphrase vaults, and so on. In theory, everything sounds easy, but that’s not the case here – sure, you can get your hands on credential dumps.
You still need to figure a way to ‘unhash’ those passwords. Think of it this way – credential dumping is like searching every thrash can in your city, hoping that you come across a piece of paper that holds the key-code to the warehouse housing your dream PC or something.
Backtracking a bit, the question at hand would be – “where does one go if one wants to find credential dumps?” There are few places, but you need some heavy-duty tools to siphon the living daylights out of those dumps. Most threat actors home in on LSASS (Local Security Authority Subsystem Service).
Notorious for its many flaws, LSSAS is a treasure trove of credentials, the likes of which can be extracted in plaintext with tools such as Mimikatz. Normally, LSASS would cache login credentials used to access system resources. Without this service, the user would be required to supply the user+pass on each log-in. Anyway, to pull this off, you would need to create a dump from the machine’s LSASS process, store it in a secure location, and use Mimikatz or similar tools to dump these credentials.
Credential dumping becomes even more efficient when WDDigest’s up and running on your machine. WDDigest is a legacy protocol and used for user authentication in Windows. Bear with me: if WDDigest is up and running, a threat actor can tamper with its registry key and instruct LSASS to cache plain-text passphrases. Beautiful, isn’t it? At this point, all you’ll need to do is to extract those passwords and use them to bend the will of your victim.
Some other places worth looking into:
- DCC (Domain Cache Credentials), MSCACHE, and MSCASH hash. All of these locations are used by Windows-running systems to cache the late ten hashes of the credentials used for client-side authentication. Extracting and unhashing these registry keys helps you obtain plaintext passwords.
- NTDS.dit (Active Directory Database). Talk about juicy targets – NTDS.dit or the Active Directory’s database is the royal road to stealing every username and password used with the domain network. Steal this file and you can impersonate anyone, including admins. The trouble with NTDS.dit is that displacement or replication is next to impossible because the file is in use most of the time. What to do? Go for the shadow copy, of course.
- Clipboard. Remember the first time you had to set up a password manager? Do all those tedious minutes spend copy-pasting everything from one or more notepad documents? Well, everything stored in the Clipboard can be recovered with the right tool. Clipboard dumping is a no-sweat solution because the almighty Clipboard stores everything in plaintext. There are plenty of tools out there capable of extracting passwords and usernames stored in the clipboard. One of Securethelogs’ tech writers actually came up with a PowerShell tool that does just that. Check out this article to see how it works.
- Keylogger’s backlog. Keyloggers never fail to live up to their expectations. If you manage to plant one of these bad boys inside the machine, you can exfiltrate any type of credential. And yes, every keylogger has a password-logging component that makes it easier to organize and review and ogle over your ill-gotten booty.
Access token manipulation
Riddle me this, riddle me that: what the hack is an access manipulation token? An access token is an object that “encapsulates the security identity of process or a thread”. Basically, your Wonka-issued golden ticket to a system process. Of course, threat actors can use this authentication procedure to their advantage in order to impersonate a user, escape detection, and perform various actions on the victim’s machine. Red Team Notes’ article on access token manipulation, defines three types of privilege escalation attacks via token manipulation:
- Token Theft – this method involves creating a new access token for the purpose of impersonating a legitimate token.
- Generate Process via token creation – the threat actor creates a token and uses it to force-run a process on the victim’s machine. This process will operate under a legit security context, one associated with a legit user.
- Make & Bake – once the legit user logs off, the threat actor will invoke a new logon session (usually using the LogonUser command in a CMD window). The function will then pass the threat actor a copy of the session’s token. Finally, this newly-obtained token can be tied to a thread.
NTLM relay or Hot-Tater Attack
A highly sophisticated attack that involves exploiting vulnerabilities found in the NTML relay and the local NBNS Spoofer. Seriously thinking about putting together a piece about the hot potato attack, because there’s a lot of ground to cover. Let me give you a quick run-down: the scope is to obtain NT AUTHORITY\SYSTEM privileges on the victim’s machine.
‘Hot-tatting’ a target is a triphasic process: interrogating the NBNS spoofer, requesting a fake WPAD proxy server, and MITMing the NTLM protocol. The result: the threat actor persuades the victim’s machine to authenticate via the NTML protocol. The auth process’s details are sent to the attacker who, by this time, would have gained system-level privileges.
Always install elevated
This privilege escalation method is the stuff that dreams are made off – basically, you grant users pseudo-admin rights, by allowing them to install ‘work-related software, but without actually bestowing the administrator mantel upon them. So, what does this mean? It means that user X, who’s not an admin, can run stuff on his\her machine that would otherwise require admin-type rights.
To pull this off, you need a crash-course on Group Policies. More specifically, the one about AlwaysInstallElevated. If enabled, and it always is, it will allow the user to run custom and non-custom .msi packages with user-type privileges. And because malicious .msi packs are easy to craft, you can always execute a pack of your own that adds your name to the admin’s list. Check out this POC article on Microsoft’s website to see the exploitation in action.
Unquoted service paths
The last attack on this list is called unquoted service path and it basically means turning a service path into an argument line that can be filled with anything. This type of attack is leveraged in order to gain System-level privileges. Now, you need to know that process paths are encased in quotes. Whenever a service starts, it will look up the path of the executable.
If the path to that executable, the service will start normally, else the service will interpret that as a break and nothing happens. Now, to pull this off, you will need to target a service that runs with local admin privileges and, of course, has an unquoted path. The break can be replaced with a malicious script or something. So, when the system reboots and the service attempts to run access a certain executable following a pre-defined service path, it will also run the malicious script stored in the form of an argument.
Your perimeter network is vulnerable to sophisticated attacks.
Heimdal™ Threat Prevention
solution that will keep your systems safe.
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
Securing Your Assets against Privilege Escalation Attacks
Here are my recommendations on how to secure your corporate assets against privilege escalations.
- Symptomatic treatment.
- Windows Sticky Key attack. Mitigation: prevent the launch of sticky keys. Go to HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys\Flags in your Windows registry and change the value from “510” to “510”. This will add encryption protection to your Windows partition.
- Credential dumping. Mitigation(s): increase password complexity, enable PPL (Protect Process Light) for LSA, check Domain controller backups, restrictor disable NTLM, add a user to the Protected Users list in your Access Directory.
- Access Token Manipulation. Bar user groups or users from creating tokens. Enforce least-privilege principle and police admin accounts.
- Hot-Tater attack. Mitigation (not yet proven): Enable SMB Signing.
- AlwaysInstallElevated. Mitigation: change the registry value of HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\ AlwaysInstallElevated from “1” to “0”
- Unquoted service paths. Mitigation: audit of all program config files, script, and path environment variables.
2. Complete protection. To cover for all attack vectors, I recommend Heimdal™ Security Threat Prevention Network to filter out inbound and outbound DNS traffic junk, Heimdal™ Security Email Security to sort out phishing emails, and, of course, Heimdal™ Privilege Access Management + Application Control to root out fake admin rights, prevent access token creations, and de-elevate residual admin rights.
That’s all from me. Hope you’ve enjoyed this ‘little’ repartee on privilege escalation attacks. As always, for beer donation, questions or complaints hit the comments section or shoot an email. Stay safe!