Windows Privilege Escalation (Part 1 of 2)

By Ashwin Venugopal -

 









Introduction

The term "privileges" refers to the ability of a particular account to carry out actions that are relevant to the system. The Windows operating system make use of access tokens making these privileges functional. The token itself comprises of all the information including the user privileges, to effectively define the security environment of a particular user. The Security Identification (SID), is a special number allocated to each object including tokens like a user or group account. These SIDs are updated and created by the Windows Local Security.

In addition to privileges, Windows also uses an integrity mechanism. It is an essential part of the Windows security architecture and offers application processes and secure objects different integrity levels. Hence, the level of confidence of operating system in running apps or secure objects can be described by this. Also, APIs might be restricted to a certain integrity level. 

Windows Privileges

An access control mechanism called User Account Control (UAC) has been launched by Microsoft along with Windows Vista and Windows Server 2008. However, Microsoft does not see it as a security border. UAC compels programs and tasks to function in the context of a non-administrative account, until an administrator grants elevated access. It will prevent installers, illegitimate programs, and system setting changes from being made without the authorization of an administrative account. UAC can prevent any program from silently doing an activity that might have a system-wide impact.

UAC has two distinct modes- credential prompt and consent prompt. If UAC is active and an ordinary user tries to carry out an administrative operation, like installing a new program, the user will encounter the credential prompt. So, to accomplish the work, an administrator user credentials are required. However, in case of an administrator user who tries to accomplish the same thing, a simple permission question is sent. In this case, the user only has to acknowledge that the job should be finished, user credentials are not required again. 

Registry

In order to limit access to Windows components including services, files, and registry entries, Microsoft Windows offers a wide range of fine-grained rights and privileges. The privileges can also be elevated via weak registry permissions. Registry is a system-defined component where applications and system defined components can save and retrieve configuration data. It is a hierarchical database housing necessary information for Windows and the programs and services it runs to function.

A penetration tester can perform the following operations via Registry Editor:

  1. Find a value, key, subkey, or subtree.
  2. Add a value or a subkey.
  3. Change a value.
  4. Remove or rename a value or a subkey.

Registry hive is a logical collection of registry keys, subkeys, and values loaded into the memory when an operating system is launched or a user signs in. Registry entries used to execute malicious payloads might prove helpful to the penetration testers. They may switch the service's starting executable from the one that was initially specified to the one that can be controlled by exploiting vulnerabilities in registry permissions. This will allow them to run unauthorized malware. 

Registry's enumeration can be done by various tools and ways. One of them is Accesschk.exe. It is a command line tool used for inspecting actual permissions on files, registry, services, and other objects. Another way to enumerate is via PowerShell. It can be used to locate user rights and complete authority over the service registry entry in the Access Control List (ACL).

In the end, pen tester can look for permissions of users and groups regarding malicious payload creation. An authorized user has complete access to the service and may alter the image path for service, create an executable shell and install it on the victim's computer. Then, edit the service registry key to an executable. 

Conclusion

This part offers a detailed introduction of the Windows Privilege Escalation and Registry.





























































Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more