Windows Privilege Escalation (Part 1 of 2)

 









Introduction

The term "privileges" refers to the ability of a particular account to carry out actions that are relevant to the system. The Windows operating system make use of access tokens making these privileges functional. The token itself comprises of all the information including the user privileges, to effectively define the security environment of a particular user. The Security Identification (SID), is a special number allocated to each object including tokens like a user or group account. These SIDs are updated and created by the Windows Local Security.

In addition to privileges, Windows also uses an integrity mechanism. It is an essential part of the Windows security architecture and offers application processes and secure objects different integrity levels. Hence, the level of confidence of operating system in running apps or secure objects can be described by this. Also, APIs might be restricted to a certain integrity level. 

Windows Privileges

An access control mechanism called User Account Control (UAC) has been launched by Microsoft along with Windows Vista and Windows Server 2008. However, Microsoft does not see it as a security border. UAC compels programs and tasks to function in the context of a non-administrative account, until an administrator grants elevated access. It will prevent installers, illegitimate programs, and system setting changes from being made without the authorization of an administrative account. UAC can prevent any program from silently doing an activity that might have a system-wide impact.

UAC has two distinct modes- credential prompt and consent prompt. If UAC is active and an ordinary user tries to carry out an administrative operation, like installing a new program, the user will encounter the credential prompt. So, to accomplish the work, an administrator user credentials are required. However, in case of an administrator user who tries to accomplish the same thing, a simple permission question is sent. In this case, the user only has to acknowledge that the job should be finished, user credentials are not required again. 

Registry

In order to limit access to Windows components including services, files, and registry entries, Microsoft Windows offers a wide range of fine-grained rights and privileges. The privileges can also be elevated via weak registry permissions. Registry is a system-defined component where applications and system defined components can save and retrieve configuration data. It is a hierarchical database housing necessary information for Windows and the programs and services it runs to function.

A penetration tester can perform the following operations via Registry Editor:

  1. Find a value, key, subkey, or subtree.
  2. Add a value or a subkey.
  3. Change a value.
  4. Remove or rename a value or a subkey.

Registry hive is a logical collection of registry keys, subkeys, and values loaded into the memory when an operating system is launched or a user signs in. Registry entries used to execute malicious payloads might prove helpful to the penetration testers. They may switch the service's starting executable from the one that was initially specified to the one that can be controlled by exploiting vulnerabilities in registry permissions. This will allow them to run unauthorized malware. 

Registry's enumeration can be done by various tools and ways. One of them is Accesschk.exe. It is a command line tool used for inspecting actual permissions on files, registry, services, and other objects. Another way to enumerate is via PowerShell. It can be used to locate user rights and complete authority over the service registry entry in the Access Control List (ACL).

In the end, pen tester can look for permissions of users and groups regarding malicious payload creation. An authorized user has complete access to the service and may alter the image path for service, create an executable shell and install it on the victim's computer. Then, edit the service registry key to an executable. 

Conclusion

This part offers a detailed introduction of the Windows Privilege Escalation and Registry.





























































Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)