UNCLASSIFIED

09-windows-priv-persist-cover.adoc 8.24 KiB

Windows Privilege Escalation & Persistence

Rationale

Privilege escalation and maintaining persistence are among the many post-exploitation skills and tasks that attackers must grasp. Attackers and defenders need to understand how privilege escalation can occur and how persistence can be maintained on a system. This understanding allows attackers to move freely through a network, and allows defenders to prevent privilege escalation, detect attacker movement, and detect/prevent attacker persistence mechanisms.


Objectives

  • Identify and perform privilege escalation and integrity-level elevation

  • Familiarization with OS auditing and logging

  • Perform log cleaning and blending in

  • Identify artifacts

Modes & Levels

Kernel Mode vs. User Mode

Privileged vs. Unprivileged


Windows Access Control Model

  • Access Tokens:

    • Security Identifier (SID) associations and Token associations

  • Security Descriptors:

    • DACL

    • SACL

    • ACEs


Dll Search Order

Executables check the following locations:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

  • The directory the application was run from

  • The directory returned by the Win32 function GetSystemDirectory()

  • The directory returned by the Win32 function GetWindowsDirectory()

  • The current directory


Windows Integrity Mechanism

Integrity Levels

  • Untrusted - Anonymous SID access tokens

  • Low - Everyone SID access token (World)

  • Medium - Authenticated Users

  • High - Administrators

  • System - System services (LocalSystem, LocalService, NetworkService)


User Account Control (UAC)

  • Always Notify

  • Notify me only when programs try to make changes to my computer

  • Notify me only when programs try to make changes to my computer (do not dim my desktop)

  • Never notify


DEMO: Checking UAC Settings

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
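Interpreting the values that query returns, as an added PowerShell example that is not part of the original deck: the value names are the documented UAC policy values, and the pairings to the four notification levels listed above are the standard Control Panel mappings.

```powershell
# Added example (not part of the original slides): read the UAC policy values that the
# reg query above lists and map them to the four notification levels named earlier.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $key

$enableLua = [int]$p.EnableLUA                    # 0 = UAC off entirely
$admin     = [int]$p.ConsentPromptBehaviorAdmin   # prompt behaviour for administrators
$secure    = [int]$p.PromptOnSecureDesktop        # 1 = dim the desktop (secure desktop)

# The Control Panel slider is stored as the pair (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop)
$level = switch ("$admin,$secure") {
    '2,1'   { 'Always notify' }
    '5,1'   { 'Notify me only when programs try to make changes to my computer' }
    '5,0'   { 'Notify me only when programs try to make changes to my computer (do not dim my desktop)' }
    '0,0'   { 'Never notify' }
    default { "Non-standard combination (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$secure)" }
}
if ($enableLua -ne 1) { $level = 'UAC disabled (EnableLUA=0): administrators always run with a full token' }

# Anything below "Always notify" lets auto-elevating Windows binaries elevate without a prompt,
# so the hardening baseline is ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1, EnableLUA=1.
[pscustomobject]@{
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $admin
    PromptOnSecureDesktop      = $secure
    NotificationLevel          = $level
    MeetsBaseline              = ($enableLua -eq 1 -and $admin -eq 2 -and $secure -eq 1)
}
```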

AutoElevate Executables

Requested Execution Levels:

  • asInvoker

  • highestAvailable


Privilege Escalation

Actions that allow an adversary to obtain a higher level of permissions on a system or network.


Scheduled Tasks & Services

Items to evaluate include:

  • Write Permissions

  • Non-Standard Locations

  • Unquoted Executable Paths

  • Vulnerabilities in Executables

  • Permissions to Run As SYSTEM


DEMO: Finding vulnerable Scheduled Tasks

schtasks /query /fo LIST /v

DEMO: DLL hijacking

  • Identify Vulnerability

  • Take advantage of the default search order for DLLs

  • Look for NAME NOT FOUND results in the executable's file-system calls

  • Validate permissions

  • Create and transfer Malicious DLL


DEMO: Finding vulnerable Services

wmic service list full
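A defender-side hardening audit over the same service data, added here and not part of the original deck: it applies the checks from the "Scheduled Tasks & Services" slide in PowerShell (the non-admin SID list and the executable-path parsing are this example's own heuristics, not a Microsoft API).

```powershell
# Added example (not part of the original slides): audit the Win32_Service data that
# "wmic service list full" prints for unquoted paths with spaces, binaries outside the
# standard locations, binary directories writable by non-admins, and SYSTEM context.
$nonAdminSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, Users
$writeMask    = [System.Security.AccessControl.FileSystemRights]::Write

function Test-WritableByNonAdmin {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        # Approximation: explicit Write bits only; generic rights are not expanded here
        if ($nonAdminSids -contains $sid -and ($ace.FileSystemRights -band $writeMask)) { return $true }
    }
    return $false
}

function Get-ServiceExePath {
    param([string]$PathName)
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($expanded.StartsWith('"')) { return $expanded.Split('"')[1] }      # quoted: the quoted part
    $m = [regex]::Match($expanded, '^(.*?\.exe)', 'IgnoreCase')             # unquoted: cut after first .exe
    if ($m.Success) { return $m.Groups[1].Value } else { return $expanded }
}

$standardRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    if (-not $svc.PathName) { return }
    $exe      = Get-ServiceExePath $svc.PathName
    $unquoted = (-not $svc.PathName.StartsWith('"')) -and $exe.Contains(' ')
    $standard = [bool]($standardRoots | Where-Object { $exe -like "$_\*" })
    $writable = Test-WritableByNonAdmin (Split-Path -Path $exe -Parent)
    if ($unquoted -or -not $standard -or $writable) {
        [pscustomobject]@{
            Service        = $svc.Name
            Executable     = $exe
            UnquotedPath   = $unquoted
            NonStandardDir = -not $standard
            DirWritable    = $writable
            RunsAsSystem   = ($svc.StartName -eq 'LocalSystem')
            StartMode      = $svc.StartMode
        }
    }
} | Format-Table -AutoSize
```

Every row is a finding to fix (quote the path, move or re-ACL the binary) before an attacker evaluates the same list.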

DEMO: Vulnerable services

  • Identify Vulnerability

  • Validate permissions

  • Validate Executable Paths

  • Replace with Malicious File


Other Vulnerabilities

  • Unpatched Kernel Vulnerabilities

  • Unpatched Systems

  • Unpatched Applications


DEMO: SYSTEM Access and Defeating Protections

The objective is to obtain unrestricted access to a system and to identify methods of executing malicious activity from a basic command-line prompt.

  • Sysinternals

  • Schedule Task

  • UAC Bypass


Persistence

System changes or binary uploads that provide an adversary with continued access to a system.

Survives: reboots, credential changes, DHCP IP reassignment, etc.

  • Considerations include:

    • File naming

    • File location

    • Timestomping

    • Port selection


Registry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

  • Run

  • RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

  • Run

  • RunOnce

What is the difference?

Do you need to blend in?


Scheduled Tasks

Permission Levels Considerations

What is your objective?

Do you need to blend in?


Services

At Startup

Perform Multiple Functions

Typically require Administrative Access


Covering Tracks

When does planning start?

  • Prior, after, before == know the system

    • What will happen if I do X == logs

    • Checks == where are things

    • Hide == file locations, names, times


Considerations

  • Artifacts

    • Determine which events will create a log

    • Event logging: Application, Security, Setup, System

  • Blending In

  • Timestomping


System usage

Where should you run commands from?

  • Locally

  • Remotely

Are system resources important, and how can we check them?

wmic, net, netstat

DEMO: Audit Logging

  • Shows all audit category settings

auditpol /get /category:*
  • What does the command below show?

auditpol /get /category:* | findstr /i "success failure"

Microsoft Event IDs (Some Important Ones)

  • 4624/4625 successful/failed login

  • 4720 account created

  • 4672 administrator equivalent user logs on

  • 7045 Service creation


DEMO: Event Logging

Storage: c:\windows\system32\config\   File type: .evtx/.evt

wevtutil el
wmic ntevent where "logfile='<LOGNAME>'" list full
Get-EventLog -List

PowerShell Logging

  • Windows CLI CMD history is per instance (doskey /history)

  • Powershell can be set to log sessions

    • 2.0 little evidence == nothing about what was executed

    • 3.0 Module logging (EventID 4103)

    • 4.0 Module logging

    • 5.0 Can set module, script block (EventID 4104) and transcription


DEMO: Additional Logging

  • Determine PS version (several ways)

reg query hklm\software\microsoft\powershell\3\powershellengine

powershell -command "$psversiontable"
  • Determine if logging is set (PowerShell and WMIC)

reg query [hklm or hkcu]\software\policies\microsoft\windows\powershell /s

reg query hklm\software\microsoft\wbem\cimom | findstr /i logging
    # 0 = no logging | 1 = errors only | 2 = verbose

WMIC Log Storage:

%systemroot%\system32\wbem\Logs\
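A check-and-enable script for the logging features described on the "PowerShell Logging" slide, added here and not part of the original deck; save it as a .ps1 and run it from an elevated prompt, passing -Enable (the script's own switch, not a Windows option) to turn the features on.

```powershell
# Added example (not part of the original slides): report the three PowerShell 5.0 logging
# features under the policy key queried above and optionally enable them. The value names
# are Microsoft's documented policy values; 4103/4104 are the event IDs from the slide.
param([switch]$Enable)

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$features = @(
    @{ Name = 'ModuleLogging';      Key = "$base\ModuleLogging";      Value = 'EnableModuleLogging';      EventId = 4103 }
    @{ Name = 'ScriptBlockLogging'; Key = "$base\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging'; EventId = 4104 }
    @{ Name = 'Transcription';      Key = "$base\Transcription";      Value = 'EnableTranscripting';      EventId = $null }
)

$engine = [string]$PSVersionTable.PSVersion   # same answer as: powershell -command "$psversiontable"

foreach ($f in $features) {
    $current = (Get-ItemProperty -Path $f.Key -Name $f.Value -ErrorAction SilentlyContinue).($f.Value)
    if ($Enable -and $current -ne 1) {
        New-Item -Path $f.Key -Force | Out-Null
        Set-ItemProperty -Path $f.Key -Name $f.Value -Value 1 -Type DWord
        if ($f.Name -eq 'ModuleLogging') {
            # Module logging also needs a ModuleNames list; '*' = log every module
            New-Item -Path "$($f.Key)\ModuleNames" -Force | Out-Null
            Set-ItemProperty -Path "$($f.Key)\ModuleNames" -Name '*' -Value '*'
        }
        $current = 1
    }
    [pscustomobject]@{
        Feature       = $f.Name
        Enabled       = ($current -eq 1)
        EventId       = $f.EventId   # written to Microsoft-Windows-PowerShell/Operational
        EngineVersion = $engine      # features below 5.0 have no script block logging to enable
    }
}
```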

DEMO: Manipulating Logs and Files

  • Find files and alter file attributes:

forfiles /P c:\windows\system32 /S /D +05/14/2019

wmic datafile where name='c:\\windows\\system32\\notepad.exe' get CreationDate, LastAccessed, LastModified

copy /b filename.ext +,,

(Get-Item file.ext).LastAccessTime = (Get-Date)

(Get-Item test.txt).LastAccessTime = (Get-Date "07/07/2004")
  • Clear Event Logs:

wevtutil clear-log Application

Clear-EventLog -Log Application, System
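A detection counterpart to the log-clearing commands above, added here and not from the original deck: it hunts for the event IDs listed on the "Microsoft Event IDs" slide and for the log-cleared records (Security 1102, System 104) that Windows writes into the freshly cleared log, so a clear-log leaves a trace of its own.

```powershell
# Added example (not part of the original slides): hunt the last 24 hours of the Security
# and System logs for the deck's event IDs plus the log-cleared events 1102 and 104.
# Run from an elevated prompt: reading the Security log requires administrative rights.
$since = (Get-Date).AddHours(-24)
$watch = @(
    @{ Log = 'Security'; Ids = @(4624, 4625, 4672, 4720, 1102) }
    @{ Log = 'System';   Ids = @(7045, 104) }
)
$labels = @{
    4624 = 'Successful logon';        4625 = 'Failed logon'
    4672 = 'Admin-equivalent logon';  4720 = 'Account created'
    7045 = 'Service installed';       1102 = 'Security log cleared'
    104  = 'System log cleared'
}
$highSignal = 1102, 104, 7045, 4720

$hits = foreach ($w in $watch) {
    # -MaxEvents caps the 4624 volume; newest records are returned first
    Get-WinEvent -FilterHashtable @{ LogName = $w.Log; Id = $w.Ids; StartTime = $since } -MaxEvents 5000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Log    = $w.Log
                Id     = $_.Id
                What   = $labels[$_.Id]
                # first two event properties: subject SID + account for 47xx, service name + image path for 7045
                Detail = (@($_.Properties)[0..1] | ForEach-Object Value) -join ' | '
                Text   = ($_.Message -split "`n")[0]
            }
        }
}

# High-signal events first (log cleared, new service, new account), then the rest by time
$hits | Sort-Object -Property @{ Expression = { $_.Id -in $highSignal }; Descending = $true }, Time |
    Format-Table Time, Log, Id, What, Detail -AutoSize
```

A 1102 or 104 with no matching change-control record, or a 7045 whose image path fails the service audit checks earlier in the deck, is the entry point for an investigation.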

DEMO: Windows Covering Tracks with Persistence

  • Let's add a backdoor hidden in plain sight
