Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework discussion today. We're looking at our case study on privilege escalation. So today's title is two for the price of one. So the reason I'm using that two for the price of one is back in the
00:19
month of July. In 2019
00:21
there were two privilege escalation vulnerabilities zero day, mind you vulnerabilities that were fixed. And so this is great news for those of us who are in the consulting and blue team spectrum.
00:38
Bad news for those of us that are Red Team are doing things that are illicit or illegal with respect to
00:44
compromising systems. So in these cases
00:48
si ve 2019 11. 32 see ve 2019 080 win 32 k Elevation of privilege. Vulnerability. So this vulnerability took advantage of a component the Win 32 component
01:04
that fails to properly handle objects in memory.
01:08
And so if this was exploited, it would allow you to run arbitrary code, install programs you and change delete data, create new accounts with full user rights. And so there was a lot to look forward to if you were able to take advantage of this now, it did require that you had to run some specifically crafted applications.
01:27
Okay, that could exploit this.
01:30
And you had to make sure that you would, uh, you know, Hannah long in into the system. And so in this case, you had to be local right
01:41
now for Microsoft SPL, while 64 elevation of privilege, vulnerability, local elevation of privilege. Okay, accidentally route do that. But it was local, all right. And this was working with the SPL while 64 xy, which handles certain calls.
01:57
And so an attacker who was able to exploit this could elevate privilege on the affected machine from a low integrity to mid integrity range.
02:06
So by itself, it did not allow arbitrary code execution. However, it could allow code to be run if the attacker used it in combination with another vulnerability.
02:16
So this
02:17
again required something very specific.
02:22
Okay, you had to be local, so that brings it up to for two here.
02:28
Okay. What did they have in common?
02:30
You have to be on the system locally, toe execute these privilege escalation type attacks, at least in these two cases, right?
02:38
So what can we do
02:43
from our perspective and with the tools that are available to us to try and mitigate and Attackers capability with respect to taking advantage of these privileges or these vulnerabilities.
02:54
So privilege escalation is all about finding processes or services or whatever the case may be that we can take advantage of
03:05
because they maybe were configured for again functionality and not so much security and use them to our advantage. And so there's a tool that I ended up running on my local system. And so I spun up my Cali Lennox instance, and I got a Web server started. And at that point I was running
03:24
this power split directory or are serving it up.
03:28
And so there's an area in here called priv sec.
03:32
Okay, so improve sec.
03:35
There's this particular set of scripts.
03:39
Now, as you see here, we were in the directory. So what I did now, I took some liberties here, right, because in this case, I'm not trying to maybe play the part of the threat actor. I'm trying to use the tools than a threat actor might use to take advantage of my system. So power shell right out the gate.
04:00
There were some things that I had to do. Okay, so I had to go in
04:04
and I had to change my execution policy
04:10
to an unrestricted state. Now, in order to do that, I had to run an elevated prompt because my user account without doing so didn't allow me to change those permissions.
04:21
Now I could run as administrator, do things like that with my account. But in order to change my execution policy, I had to run it in an administrative mode.
04:31
So that's one way that we could potentially prevent an attacker because we talked about power show. We talked about not allowing unrestricted things to be run.
04:41
In this case, I'm aware of where this is coming from and what it's doing. And as soon as I finished, I reverted these changes.
04:47
Now I took this particular directory and I imported the particular scripts into Power shell. And so, after doing that,
05:01
I ran the following commands, invoke all checks with the dash. Their HTML report was the output. So it went through and ran everything
05:14
in that. So there were two things that I did. I ran at with the full administrative privilege
05:19
And then I ran it with local or with just the local account. And so you might be asking yourself, That's cool. So what kind of outputs did we get? What were the results of that? So when I ran it as administrator,
05:33
it got pretty much
05:35
anything you could think of.
05:39
And so it's starting from the top here. Unquoted service path. So it identified a service where we could potentially abuse or hijack a path here and essentially that would be just replacing it with maybe the payload. In that instance,
05:51
we've got service execute herbal permissions here, so it again provides the service name, the path, the modifiable
05:59
file. Okay, the start name and then the abuse function.
06:05
We've got service permissions
06:09
and looking through that and what could be taken advantage of in these areas. And so this list is huge
06:15
as far as what we could take advantage of and do, because again, we've got administrative privilege here, paths where we could potentially take advantage of dll hijacks registry auto runs that we could take advantage of vulnerable, scheduled tasks that we could potentially take advantage of. And so this was a pretty big
06:34
list
06:35
But chances are if I've already got an administrative prompt,
06:40
I probably would use some of this for persistence, but not so much for proved privilege escalation. If I've already got that high level of privilege now is my standard user,
06:49
right? I can. I'm in the local administrative group,
06:54
so technically I could right click run as administrator, good to go by the being. But if I couldn't and I was just a local user, there might be some capability in a few of these areas a lot more limited. There's no school and required here,
07:06
and I could take advantage of maybe this unquoted service path or hijacking Miss DLL or this particular registry on a run.
07:16
So
07:17
for me, my goal as a member of the blue team and the red team on some occasions would be to run something of this nature on my systems, especially my critical systems at a minimum,
07:32
and determine
07:34
what a threat actor might be able to take advantage of
07:39
what I could do to limit their capabilities or better protect that system
07:44
and where there would be things that need to continue to run,
07:48
identify them, mark them is as being
07:53
manipulate herbal or something that could be taken advantage of. And if something happens to that system, have mechanisms in place that could identify those particular areas is being touched. And at that point that might, you know, speed up our ability to identify a threat actor and recover from that attack. So I encourage you
08:11
to look at some tools that are out there for identifying these types of potential risks with respect to privilege escalation,
08:18
get approval and maybe run a few of them on your systems, or look at your golden images after getting everything installed. That would be business appropriate
08:28
and see if there's anything there that could be taken advantage of and what you could potentially do to reduce your risks. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor