Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at file system permission weakness. So let's go ahead and jump right in.
00:13
So the objectives of today's discussion are as follows: we're going to describe file system permission weakness and look at that area. We're going to look at how file system permission weakness has been used. We're going to look at some mitigation techniques, and then we're going to discuss some detection techniques.
00:33
So with that, let's go ahead and jump right in. So, file system permission weakness. As a part of their processes, binaries may automatically execute other binaries as needed to perform their functions or other actions. Okay,
00:51
so it is possible for these binaries to be targeted and the binary overwritten with another binary (we're using "binary" a lot here, but that's how this is laid out) and executed by the original process. So, essentially, what happens here is this binary gets overwritten by another binary.
01:10
It executes what it thinks is the original process, thereby executing the malicious binary. And so if the original process is running with a higher permission set, then the replaced binary will execute
01:26
under the higher permission set. So that means that if the original binary was of lower permission and we replace it with another,
01:33
it may execute with that higher permission set. So
01:37
some areas that could be manipulated in this manner are things like services, and so Windows service binaries are manipulated. And this is one technique which can be used with respect to file system permission weakness. In some cases, threat actors can replace a legitimate service executable
01:56
with their own and use it to gain persistence or
01:59
privilege escalation on an account.
02:01
Another way that this can be done is executable installers, and so this takes advantage of a weakness that is common in executable self-extracting installers. So the unpacking of these files can result in the execution of untrusted code placed in subdirectories and files, which can
02:20
then overwrite binaries used in the installation process. And so
02:24
both of these are ways in which permissions can be manipulated, or weak permissions can be manipulated, with respect to file systems.
02:37
Now, what are some potential mitigation techniques with respect to this vector? So tools like PowerSploit can be used to audit systems and identify potential permission weaknesses. And so we'll look at this in our case study.
02:52
But PowerSploit is used both by bad actors as well as for good. So there are some tools within its scripts that we can run on our systems
03:01
to detect where a threat actor may take advantage of privilege escalation, or where there may be weaknesses. And so this is a great way for you to kind of get ahead of the curve and identify the low-hanging fruit that a threat actor could take advantage of. Now you can turn off
03:20
UAC privilege escalation for standard users to automatically deny elevation requests,
03:25
and limit privileged users to those that are necessary, to restrict the ability to make service changes. And so
03:34
if you don't allow your users to elevate or escalate privilege for services or do things of that nature, then that can help to mitigate some risk here and, you know, make the threat actor's job essentially a little bit harder on their end. Now, what are some detection techniques for this particular vector? Well,
03:52
we can review systems
03:53
looking for changes to binaries and service executables, as well as doing hashing of known good binaries and service executables. So doing regular comparisons against a known good database. So
04:08
as long as you maintain trust
04:10
with this known good database,
04:13
any of these binaries or service executables that comes back with a bad hash would essentially
04:19
mean that it's either been modified outside of the regular process, or that we've got a threat actor that is potentially trying to take advantage of that service and using it to their advantage. So those are ways that you could definitely detect potential modification or attempts to mess with file system permissions.
04:39
So let's do a quick check on learning. True or false: executable installers take advantage of the execution of trusted code placed in subdirectories and files.
04:50
So if you need to pause to take a little more time, please do so. There's one word here that makes this a false statement, and that is the word trusted. So executable installers take advantage of the execution of untrusted code
05:05
placed in subdirectories and files. And so, in this case, this is a false
05:11
statement.
05:13
So let's go ahead and look at our discussion summary for today.
05:16
We described file system permission weaknesses, looking at services and
05:24
self-installing executables and things of that nature. We described how these permission weaknesses can be used, and we looked at that. We talked about some mitigation techniques as well as some detection techniques, again coming back to least privilege as well as using some common tools like PowerSploit
05:43
to evaluate systems, especially critical systems, to determine
05:46
where they may be taken advantage of, and where file permissions or other directories could be used by a threat actor to then do some other form of, like, privilege escalation. So it's always worth taking the time to use some of those tools to evaluate your systems and see where there are areas that you could potentially prevent
06:04
a threat actor from doing harm and make their job a little bit tougher.
06:09
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor