Windows Privilege Escalation (Part 1 of 2)

By Ashwin Venugopal -

 









Introduction

The term "privileges" refers to the ability of a particular account to carry out actions that are relevant to the system. The Windows operating system make use of access tokens making these privileges functional. The token itself comprises of all the information including the user privileges, to effectively define the security environment of a particular user. The Security Identification (SID), is a special number allocated to each object including tokens like a user or group account. These SIDs are updated and created by the Windows Local Security.

In addition to privileges, Windows also uses an integrity mechanism. It is an essential part of the Windows security architecture and offers application processes and secure objects different integrity levels. Hence, the level of confidence of operating system in running apps or secure objects can be described by this. Also, APIs might be restricted to a certain integrity level. 

Windows Privileges

An access control mechanism called User Account Control (UAC) has been launched by Microsoft along with Windows Vista and Windows Server 2008. However, Microsoft does not see it as a security border. UAC compels programs and tasks to function in the context of a non-administrative account, until an administrator grants elevated access. It will prevent installers, illegitimate programs, and system setting changes from being made without the authorization of an administrative account. UAC can prevent any program from silently doing an activity that might have a system-wide impact.

UAC has two distinct modes- credential prompt and consent prompt. If UAC is active and an ordinary user tries to carry out an administrative operation, like installing a new program, the user will encounter the credential prompt. So, to accomplish the work, an administrator user credentials are required. However, in case of an administrator user who tries to accomplish the same thing, a simple permission question is sent. In this case, the user only has to acknowledge that the job should be finished, user credentials are not required again. 

Registry

In order to limit access to Windows components including services, files, and registry entries, Microsoft Windows offers a wide range of fine-grained rights and privileges. The privileges can also be elevated via weak registry permissions. Registry is a system-defined component where applications and system defined components can save and retrieve configuration data. It is a hierarchical database housing necessary information for Windows and the programs and services it runs to function.

A penetration tester can perform the following operations via Registry Editor:

  1. Find a value, key, subkey, or subtree.
  2. Add a value or a subkey.
  3. Change a value.
  4. Remove or rename a value or a subkey.

Registry hive is a logical collection of registry keys, subkeys, and values loaded into the memory when an operating system is launched or a user signs in. Registry entries used to execute malicious payloads might prove helpful to the penetration testers. They may switch the service's starting executable from the one that was initially specified to the one that can be controlled by exploiting vulnerabilities in registry permissions. This will allow them to run unauthorized malware. 

Registry's enumeration can be done by various tools and ways. One of them is Accesschk.exe. It is a command line tool used for inspecting actual permissions on files, registry, services, and other objects. Another way to enumerate is via PowerShell. It can be used to locate user rights and complete authority over the service registry entry in the Access Control List (ACL).

In the end, pen tester can look for permissions of users and groups regarding malicious payload creation. An authorized user has complete access to the service and may alter the image path for service, create an executable shell and install it on the victim's computer. Then, edit the service registry key to an executable. 

Conclusion

This part offers a detailed introduction of the Windows Privilege Escalation and Registry.





























































Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more