We all know what privilege escalation (PE) is and its types. But do you know how it happens?
Let’s explore three of the most common PE techniques.
1. Manipulating access tokens
This PE technique exploits the way Windows manages admin privileges. Normally, Windows makes use of access tokens to determine the owners of all running processes, e.g. when a thread interacts with a securable object or tries to perform a system task that requires certain privileges.
Adversaries can leverage access tokens through three methods:
a. Impersonate or steal a token
b. Create process with a token
c. Make and impersonate token
2. Bypassing User Account Control
UAC limits application software to standard user permissions until an administrator authorizes an increase of privileges. However, this mechanism has security gaps. If the UAC protection level of a computer is set to anything but the highest level, some Windows programs are allowed to elevate privileges or execute elevated Component Object Model (COM) objects without prompting the user first. An example of this is the use of rundll32.exe to load a specially crafted Dynamic Link Library (DLL), which loads a COM object that already has elevated privileges. This allows file operations even in protected directories and exposes the UAC mechanism to compromise by attackers.
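A defender's check for the condition described above, as an added example that is not part of the original post: it classifies the UAC policy values and reports whether a host is at the highest ("Always notify") level. The helper names and sample hosts are hypothetical, and the fallback defaults for absent registry values are an assumption noted in the comments.

```powershell
# Added example: report whether UAC is at the highest ("Always notify") level.
# Get-PolicyValue and Get-UacLevel are hypothetical helper names.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue($Props, [string]$Name, [int]$Default) {
    # Assumption: an absent value means Windows falls back to its default.
    $value = $Props.$Name
    if ($null -eq $value) { return $Default }
    return [int]$value
}

function Get-UacLevel([int]$EnableLUA, [int]$ConsentAdmin, [int]$SecureDesktop) {
    if ($EnableLUA -eq 0) { return 'Disabled' }
    switch ($ConsentAdmin) {
        0 { return 'NeverNotify' }   # administrators elevate without any prompt
        2 {
            if ($SecureDesktop -eq 1) { return 'AlwaysNotify' }
            return 'AlwaysNotifyNoSecureDesktop'
        }
        5 {
            # Default slider position: some Windows programs elevate without a prompt.
            if ($SecureDesktop -eq 1) { return 'Default' }
            return 'DefaultNoSecureDesktop'
        }
        default { return "Custom($ConsentAdmin)" }
    }
}

# Constructed sample values, so the classification can be read without a live host.
$samples = @(
    @{ Name = 'sample-default';  LUA = 1; Admin = 5; Desktop = 1 },
    @{ Name = 'sample-hardened'; LUA = 1; Admin = 2; Desktop = 1 },
    @{ Name = 'sample-silent';   LUA = 1; Admin = 0; Desktop = 0 }
)
foreach ($s in $samples) {
    $level = Get-UacLevel $s.LUA $s.Admin $s.Desktop
    '{0}: {1} (highest level: {2})' -f $s.Name, $level, ($level -eq 'AlwaysNotify')
}

# Live check on the local machine (Windows only).
if (Test-Path $key) {
    $p     = Get-ItemProperty -Path $key
    $lua   = Get-PolicyValue $p 'EnableLUA' 1
    $admin = Get-PolicyValue $p 'ConsentPromptBehaviorAdmin' 5
    $desk  = Get-PolicyValue $p 'PromptOnSecureDesktop' 1
    $level = Get-UacLevel $lua $admin $desk
    if ($level -ne 'AlwaysNotify') {
        Write-Warning "UAC level is '$level', below the highest setting."
    } else { "UAC level is 'AlwaysNotify'." }
}
```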
3. Using valid accounts
Adversaries can use Credential Access techniques (e.g. Credential Dumping, Account Manipulation and others) to obtain the credentials of specific user accounts, or steal them through social engineering.
Please refer to the link below for more information:
https://blog.netwrix.com/2018/09/05/what-is-privilege-escalation/
Happy Learning !!