Windows Privilege Escalation
1 Global Definition
Windows Privilege Escalation is the process of exploiting weaknesses in the Windows operating system, services, or misconfigurations to gain higher privileges than initially granted. Typically, attackers escalate from a normal user to SYSTEM or Administrator level. This is a critical step after initial compromise in order to gain full control of a Windows environment.
1.1 Common Attack Vectors
- Unpatched Vulnerabilities: Exploiting flaws such as EternalBlue.
- Service Misconfigurations: Services running with weak permissions can be hijacked.
- Credential Dumping: Extracting passwords and hashes from LSASS.
- Token Impersonation: Abusing access tokens of privileged accounts to impersonate them.
- DLL Hijacking: Injecting a malicious DLL into a privileged process.
- Unquoted Service Paths: Exploiting poorly defined service paths to run malicious executables.
1.2 Real-World Impact
- Full System Control: Escalation to SYSTEM allows attackers to disable defenses, install malware, or maintain persistence.
- Lateral Movement: Privileged access enables attackers to move across the network using stolen credentials.
- Credential Harvesting: Once admin, attackers can dump domain credentials with Mimikatz.
- Persistence: Attackers may add backdoors, new admin accounts, or scheduled tasks.
1.3 Exploitation Techniques
-
Kernel Exploits: Leveraging vulnerabilities in the Windows kernel for privilege escalation.
Example:
MS16-032. - Bypassing UAC: Exploiting flaws in User Account Control.
- Scheduled Tasks: Hijacking scheduled tasks that run with elevated privileges.
- Service Binary Replacement: Replacing or modifying executables of vulnerable services.
- Access Token Manipulation: Stealing or forging tokens to impersonate privileged users.
1.4 Defense Strategies
- Keep Windows systems updated with the latest security patches.
- Apply the principle of least privilege (no unnecessary admin rights).
- Enable Credential Guard to protect authentication data.
- Monitor services for suspicious modifications.
- Harden permissions on critical directories and registry keys.
- Use endpoint detection tools to identify privilege escalation attempts.
1.5 Why It Matters
Privilege escalation is a crucial step in almost every cyber attack. Without escalating privileges, attackers are limited in their actions. With SYSTEM or Administrator access, they can fully compromise endpoints, spread laterally, and control entire networks. Understanding these techniques is vital for penetration testers and defenders alike.