Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework discussion.
00:06
Today. We're going to be looking at exploitation for privilege escalation.
00:11
So let's go ahead and jump over to our objectives.
00:15
So today we're going to describe for you what exploitation for privilege escalation is within the minor attack framework. We're also going to look at. How has exploitation for privilege escalation been used as farce Teoh si ves or something of that nature?
00:33
We're going to look at some mitigation techniques, and then we're going to look at some detection techniques as well. So with that, let's go ahead and jump right into our definition.
00:45
So exploitation for privilege escalation when a threat actor takes advantage of a software vulnerability through things such as programming errors, service, air
00:56
operating system, air and Colonel Air. Now there are probably other examples not mentioned here, but these are some primary ones that were brought up. And so the reason for these types of exploits is to allow the threat actor to conduct a technique of course known as privilege escalation.
01:12
And in this case, we are escalating privilege and circumventing controls or restrictions put on us through operations such as
01:21
least privilege. So in practice, this is when a threat actor can essentially take a nun privileged or user level account and work to gain system or root level permissions. And so
01:34
we, as standard users don't look to try to elevate our permissions outside of the scope of what we should, because
01:42
in most cases that would be against company policy would be abuse of our position, trust and those systems. But a threat actor isn't bound to those same things. And so when a threat actor gets onto a system,
01:55
they're looking to gain access to a much information as possible in as little time as possible. So they will take advantage of any method they can in order to get what they want are achieved their own goals.
02:08
And so some examples of privilege escalation vulnerabilities.
02:14
In this case, we've got C ve 2015 17 01 And so this particular see ve eyes an elevation of privilege vulnerability that exists in the wind 32 kernel mode, and it and this is when this particular area does not properly handle objects in memory.
02:32
And so it is a local privilege escalation, vulnerability, so threat actors would need to access the system
02:40
prior to being able to exploit the vulnerability. And so this is just an example of some systems that are impacted by this particular vulnerability. Now it's been around since 2015 which is what this part of the sea ve tells us, and then, in most cases, these numbers are arbitrary.
02:57
But we at least know that this has been around since 2015 and so we should have patched or updated our systems so that we're no longer impacted by this local privilege. Escalation vulnerability. Now the other side to this again is that word local. So a threat actor would have to circumvent
03:16
layers of controls, hopefully
03:20
in order to get to the system. Now we have talked about time and time again that users are the weakest link we have a tendency to trust. We have a tendency to want to click on things. We could be curious.
03:35
And so if the user population in this case is not properly trained and they execute a link or executed payload with their current user level privilege that allows a threat actor access to the system,
03:47
then they would circumvent all other controls. Now, hopefully we have Anna Mars and things of that nature in place. It could catch known bad variants, but if they're using a link or some type of command line type script or something of that nature that runs or executes when the user interacts with the payload,
04:05
that may circumvent those controls as well. But what are some mitigating techniques that we can use in this case that are specific to privilege? Escalation, exploitation? So we can implement application isolation in San Boxing and essentially, virtualization and applications segmentation may further mitigate this as well.
04:25
So when a user goes to execute something
04:28
or do something with a particular application, maybe that is vulnerable or is not it can be isolated. And in a position where, even if a threat actor were able to take advantage of it or do something to that nature, it would mitigate the risk and reduce the impact of that particular vulnerability. On that system,
04:47
we could also update software apply patches, which is kind of an age old remedy
04:53
regularly, especially to those that are known to be vulnerable. So this vulnerability has been out since 2015 or been you know, the community has been aware of it since 2015.
05:02
So
05:03
it makes sense that at this point we should be patched in that with Windows seven becoming dust in the wind. And you know Microsoft won't be applying security patches and things that nature to it any longer.
05:15
It makes sense that when we get rid of those systems that we're now running current operating systems and he should be taken care of. But
05:26
they, you know, with newer operating systems, comes new vulnerabilities and things we don't know yet. So doing some of this isolation reducing privileges for end users training in users, updating systems as vendor notices and releases become available
05:43
makes sense and helping to mitigate some of the risk associated with privilege Escalation.
05:48
Now, what are some potential detection takings? Well, we can evaluate systems that are performing in a manner that indicates potential tampering with components. So if your system crashes regularly, if there are other stability issues,
06:02
maybe we need to take a deeper dive and look for modifications or changes. It could be related to privilege, escalation or the exploitation of the system.
06:12
In addition, we can implement monitoring that looks for a normal user behavior or behavior in general and and normal process behavior
06:20
by alerting on those things individually
06:25
may not be an indicator of compromise. But if we can tie that behavior together and kind of weave a bigger picture,
06:32
we may be able to detect, you know, malicious threat actor or something of that nature that we can then
06:38
get off that system.
06:40
Now let's do a quick check on learning true or forced false Wow exploitation for privilege. Escalation is when a threat actor takes advantage of a vulnerability in a system that can be exploited to potentially provide system mobile access.
06:57
All right, well, if you need some additional time, please pause this video. So exploitation for privilege escalation is, in fact, when a threat actor takes advantage of a vulnerability in the system
07:09
that can be exploited to potentially provide system level access. And so this is a true statement within the context of this discussion.
07:18
So, in some rate, today we described exploitation for privilege escalation, and essentially, this is when vulnerable software services air, taking it manage of
07:29
and from out of user with escalated privilege.
07:31
We look at the particular see ve associated with on issue in how calls are handled and the Win 32
07:41
Peace. And we noted that an update has been provided to the systems impacted and should have been applying. At this point in time,
07:50
we looked at mitigation techniques, and we discussed detection techniques as well. Again,
07:57
it's all about defense in depth at this point, so privilege escalation in most cases require some form of local access. There may be some remote manipulation that can be done prior to ah, user actually being on the system
08:11
that would escalate their privilege by
08:13
in a few of the vulnerabilities that I've looked at associated with privilege escalation,
08:18
the majority of them include a need to have local access
08:22
and do some form of further manipulation. And so you would probably be looking at us pretty sophisticated individual, or at least someone who's targeting specific systems that are known for these types of vulnerabilities. To take that in mind
08:39
as you continue through researching your systems and looking for ways to mitigate risk. Definitely keeping them up to date is probably one of the easier ways to help mitigate some of the privilege escalation vulnerabilities that are out there.
08:50
So with that in mind, I want to thank you for your time today,
08:56
and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor