Learn Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Enterprise Tactics. Part 4

    Privilege Escalation

    Links to all parts:
    Part 1. Getting Initial Access
    Part 2. Execution
    Part 3. Persistence
    Part 4. Privilege Escalation
    Part 5. Defense Evasion
    Part 6. Credential Access
    Part 7. Discovery
    Part 8. Lateral Movement

    Privilege escalation is the result of actions that allow an attacker or malicious program to obtain a higher level of permissions on the attacked system or network. Privilege escalation techniques describe the methods by which an adversary who has gained unprivileged access to a system uses various "weaknesses" of that system to obtain local administrator, System or root rights. The use by attackers of user accounts that have access rights to specific systems, or permissions to perform certain operations, can also be considered privilege escalation.

    The author is not responsible for the possible consequences of applying the information set forth in the article, and also apologizes for possible inaccuracies made in some formulations and terms. The published information is a free retelling of the contents of MITRE ATT&CK.

    It is important to note that some of the techniques described in the ATT&CK matrix appear in several stages of the attack chain at once. For example, DLL search order hijacking can be used both to maintain access by unauthorized execution of a malicious DLL and to escalate privileges by loading the DLL into a process running in the context of a more privileged user.

    Access Token Manipulation

    System: Windows
    Rights: User, Administrator
    Description: Attackers can use access tokens to perform actions in various user or system security contexts, thus avoiding detection of malicious activity. An adversary can use Windows API functions to copy access tokens from existing processes (token stealing); to do this he must already be in the context of a privileged user (for example, an administrator). Theft of access tokens is commonly used to elevate privileges from the administrator level to the System level. An adversary can also use an account's access token to authenticate to a remote system, if that account has the necessary permissions there.
    Consider several ways to abuse access tokens:
    • Token theft and impersonation. Token impersonation is the ability of the OS to run threads in a security context other than that of the process to which the thread belongs. In other words, token impersonation allows actions to be performed on behalf of another user. An adversary can duplicate an access token using the DuplicateTokenEx function and use ImpersonateLoggedOnUser to run a thread in the context of a logged-on user, or use SetThreadToken to assign an access token to a thread.
    • Creating a process with an access token. An attacker can duplicate an access token using DuplicateTokenEx and then use it with CreateProcessWithTokenW to create a new process that runs in the context of the impersonated user.
    • Obtaining and impersonating access tokens. An adversary who has a username and password can create a logon session using the LogonUser API function, which returns a copy of the new session's access token, and then use SetThreadToken to assign that token to a thread. Metasploit Meterpreter and Cobalt Strike have tools for manipulating access tokens to elevate privileges.

    Protection recommendations: To make full use of the above tactics an attacker must already hold system administrator rights, so do not forget to limit the privileges of ordinary users. Any user can impersonate access tokens if they have legitimate credentials. Limit which users and groups can create access tokens:
    GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object
    Also determine who can replace the process tokens of local or network services:
    GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token
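    The two user rights named above are the ones to audit on a protected host. The following is an added example, not part of the article or of MITRE ATT&CK: it parses the [Privilege Rights] section of the file written by secedit /export /cfg <file> and reports holders of SeCreateTokenPrivilege ("Create a token object") and SeAssignPrimaryTokenPrivilege ("Replace a process level token") that are not on a baseline allowlist. The export text and the extra SID in it are constructed for the demo; the baseline (LOCAL SERVICE and NETWORK SERVICE only) is an assumption to adjust to your own environment.

```python
"""Audit holders of the user rights that enable access-token abuse.

Added example, not from the article. Parses a `secedit /export` file.
"""
from typing import Dict, List

# Constructed sample of a secedit export (only the relevant section matters).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed baseline: S-1-5-19 = LOCAL SERVICE, S-1-5-20 = NETWORK SERVICE.
# "Create a token object" is assigned to nobody on a default install.
BASELINE: Dict[str, set] = {
    "SeCreateTokenPrivilege": set(),
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}


def parse_privilege_rights(text: str) -> Dict[str, List[str]]:
    """Return {privilege: [SID, ...]} from the [Privilege Rights] section."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes each SID with a leading '*'; strip it for comparison
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def unexpected_holders(text: str) -> Dict[str, List[str]]:
    """Holders of each audited right that the baseline does not allow."""
    rights = parse_privilege_rights(text)
    findings: Dict[str, List[str]] = {}
    for privilege, allowed in BASELINE.items():
        extra = [sid for sid in rights.get(privilege, []) if sid not in allowed]
        if extra:
            findings[privilege] = extra
    return findings


if __name__ == "__main__":
    for priv, sids in unexpected_holders(SAMPLE_EXPORT).items():
        print(f"{priv}: unexpected holders {sids}")
```

    On a real host, feed the output of secedit /export /cfg into unexpected_holders and resolve the reported SIDs to account names before deciding whether each assignment is intended.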

    Modification of Windows Accessibility Feature Executables (Accessibility Features)

    System: Windows
    Rights: Administrator
    Description: Accessibility applications (screen magnifier, on-screen keyboard, etc.) can be launched with key combinations before a user logs on to the system. An attacker can replace the executables of these programs or change the way they are launched in order to open a command console or obtain a backdoor without logging in:
    • C:\Windows\System32\sethc.exe - launched by pressing the Shift key five times;
    • C:\Windows\System32\utilman.exe - launched by pressing Win+U.

    In Windows XP and later versions, sethc.exe and utilman.exe can be replaced with, for example, cmd.exe; then, when the key combination is pressed, cmd.exe starts before logon with System privileges.
    In Windows Vista and later versions, the registry key that registers a debugger for a program must be changed instead, setting cmd.exe or another program as the debugger for, for example, utilman.exe. After editing the registry and pressing the key combination on the logon screen, or when connecting to the host via RDP, cmd.exe runs with System rights.
    Other Windows programs that can be used to implement this technique:
    • C:\Windows\System32\osk.exe;
    • C:\Windows\System32\Magnify.exe;
    • C:\Windows\System32\Narrator.exe;
    • C:\Windows\System32\DisplaySwitch.exe;
    • C:\Windows\System32\AtBroker.exe.

    Security recommendations: Require Network Level Authentication for remote users before an RDP session is created and the logon screen is displayed (enabled by default in Windows Vista and later). Use a Remote Desktop Gateway to manage connections and configure RDP security.

    Modifying the AppCert DLLs Key

    System: Windows
    Rights: Administrator, System
    Description: DLLs specified in the AppCertDLLs value are loaded into every process that calls the commonly used API functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW and WinExec. The AppCertDLLs value can be abused by causing a malicious DLL to load whenever such processes are started. AppCertDLLs is stored in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager.

    Protection recommendations: Use all available means of blocking potentially dangerous software and the loading of unknown DLLs, such as AppLocker and Device Guard.

    Modification of the AppInit DLLs Key

    System: Windows
    Rights: Administrator, System
    Description: DLLs specified in the AppInit_DLLs value are loaded into every process that loads user32.dll. In practice, that is almost every program.
    AppInit_DLLs is stored in the following registry keys:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows;
    • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows.

    The AppInit_DLLs value can be abused to escalate privileges by loading malicious DLLs into processes that start with higher rights. AppInit_DLLs functionality is disabled in Windows 8 and later when Secure Boot is enabled.

    Protection recommendations: Consider using an OS version no earlier than Windows 8 and enabling Secure Boot. Use all available means of blocking potentially dangerous software and the loading of unknown DLLs, such as AppLocker and Device Guard.

    Abuse of Application Compatibility Subsystem (Application Shimming)

    System: Windows
    Rights: Administrator
    Description: The Microsoft Windows Application Compatibility Infrastructure/Framework was created to keep programs compatible with Windows updates and OS code changes. The compatibility system uses so-called shims - libraries that act as a buffer between a program and the OS. Using the shim cache, the system determines whether shims (stored in .sdb databases) are needed for a program. The various .sdb files store procedures for intercepting application code, processing it, and then redirecting it to the OS. The list of all shims installed by the installer (sdbinst.exe) is stored by default in:
    • %WINDIR%\AppPatch\sysmain.sdb;
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB.

    Custom shim databases are stored in:
    • %WINDIR%\AppPatch[64]\Custom;
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom.

    To keep the system safe, shims run in user mode and cannot modify the OS kernel, and administrator rights are required to install them. However, some shims can be used to bypass User Account Control (UAC), inject DLLs, disable Data Execution Prevention and Structured Exception Handling, and intercept memory addresses. Using shims, an attacker can escalate privileges, install backdoors, and disable OS protections such as Windows Defender.

    Protection recommendations: There are not many ways to prevent application shimming. Disabling application compatibility is not recommended, to avoid OS stability problems. Microsoft released KB3045645, which removes the "auto-elevate" flag from sdbinst.exe to prevent the shim system from being used to bypass UAC.

    Bypass User Account Control

    System: Windows
    Rights: User, Administrator
    Description: There are many ways to bypass UAC, the most common of which are implemented in the UACMe project. New ways to bypass UAC are regularly discovered, such as abusing the system application eventvwr.exe, which can execute a binary or script with elevated rights. Malicious programs can also inject themselves into trusted processes to which UAC grants elevation without prompting the user.
    To bypass UAC using eventvwr.exe, the following Windows registry key is modified:
    [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command.
    To bypass UAC using sdclt.exe, the following Windows registry keys are modified:
    [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe;
    [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand.

    Protection recommendations: Remove users from the local Administrators group on protected systems. If possible, enable the highest protection level in the UAC settings.

    DLL Search Interception (DLL Search Order Hijacking)

    System: Windows
    Rights: User, Administrator, System
    Description: The technique exploits weaknesses in the algorithm applications use to search for the DLL files they need (Microsoft Security Advisory 2269637). Often the DLL search starts in the program's working directory, so attackers can replace the original DLL with a malicious one of the same file name.
    Remote attacks on DLL searches can be carried out when the program sets its current directory to a remote location, for example a network share. Attackers can also directly change how DLLs are searched for and loaded by replacing the .manifest or .local files that describe DLL search parameters. If the attacked program runs with a high privilege level, the malicious DLL it loads will also run with high rights. In that case the technique can be used to escalate privileges from user to administrator or System.

    Protection recommendations: Prevent remote DLL loading (enabled by default in Windows Server 2012 and later, and available through updates for Windows XP and Server 2003 and later). Enable Safe DLL search mode, which restricts the search to directories such as %SYSTEMROOT% before the DLL is looked for in the current application directory.
    Enabling Safe DLL search mode:
    Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode.
    The corresponding registry value is
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode.

    Consider auditing protected systems for DLL weaknesses using tools such as PowerUp from PowerSploit. Do not forget about blocking malicious and potentially dangerous software, and follow Microsoft's recommendations.

    Dylib Search Interception (Dylib Hijacking)

    System: macOS
    Rights: User
    Description: The technique is based on weaknesses in the dynamic library (dylib) search algorithms of macOS and OS X. The idea is to determine which dylibs the targeted application loads and then place a malicious dylib with the same name in the application's working directory. This causes the application to load the dylib located in its working directory, and the malicious dylib runs with the access rights of the targeted application.

    Protection recommendations: Prevent users from writing files to dylib search directories. Audit for vulnerabilities with the Dylib Hijacking Scanner from Objective-See.

    Exploitation for Privilege Escalation

    System: Windows, Linux, macOS
    Rights: User
    Description: Adversaries can escalate privileges on the attacked system by exploiting vulnerabilities in software.

    Protection recommendations: Regularly update software on all protected workstations, servers, network equipment and other devices connected to the protected network. Analyze the types of threats, vulnerabilities and exploits that could be used against the protected organization. Exploit protection systems such as Windows Defender Exploit Guard (WDEG) for Windows 10, or the Enhanced Mitigation Experience Toolkit (EMET) for earlier versions of Windows, are also recommended.

    EWM Injection (Extra Window Memory Injection)

    System: Windows
    Rights: Administrator, System
    Description: The technique abuses the extra memory of a Windows window, the so-called Extra Window Memory (EWM). The EWM is 40 bytes in size, enough to store a 32-bit pointer, and is often used to hold a reference to a procedure. During the attack chain, malware can place a pointer to malicious code in the EWM, which is subsequently executed by the infected application's process.

    Protection recommendations: Since EWM injection techniques abuse OS development features, defensive effort should go toward preventing the launch of malicious programs and attacker tools. Good practice is to identify and block potentially dangerous software with AppLocker, application whitelisting, or Software Restriction Policies.

    File System Permissions Weakness

    System: Windows
    Rights: User, Administrator
    Description: The essence of the technique is replacing executable files that are launched automatically by various processes (for example, at OS boot or at a scheduled time) when the permissions on those executables are configured incorrectly. After the replacement, the malicious file runs with the rights of the launching process, so if that process has a higher access level the attacker can escalate privileges. With this technique attackers may attempt to manipulate the binaries of Windows services.
    Another variant of the attack is associated with flaws in the logic of self-extracting installers. During installation, installers often unpack various files, including .dll and .exe, into the %TEMP% directory, but may not set appropriate permissions to restrict access to the unpacked files. This allows attackers to replace the files and, as a result, escalate privileges or bypass User Account Control, since some installers run with elevated privileges.

    Protection recommendations: Restrict account rights so that only administrators can manage services and interact with the binaries used by services. Disable UAC privilege elevation options for standard users. UAC settings are stored in the following registry key:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System].

    To automatically deny elevation requests, add the value:
    • "ConsentPromptBehaviorUser"=dword:00000000.

    To control the behaviour of installers, add the value:
    • "EnableInstallerDetection"=dword:00000001, which requires a password to install programs.

    Intercepting Windows API Function Calls (Hooking)

    System: Windows
    Rights: Administrator, System
    Description: Windows API functions are usually stored in DLLs. Hooking redirects calls to API functions by means of:
    • Hook procedures - procedures built into the OS that execute code when various events occur, for example keystrokes or mouse movement;
    • Modifications to the import address table (IAT), which stores pointers to API functions. This allows the attacked application to be "tricked" into calling a malicious function;
    • Direct modification of a function (splicing), in which the first 5 bytes of the function are overwritten with a jump to a malicious or other attacker-chosen function.

    Like injections, attackers can use hooking to execute malicious code, mask its execution, access the memory of the attacked process and increase privileges. Attackers can capture API calls that include parameters that contain authentication data. Hooking is usually used by rootkits to hide malicious activity in the system.

    Protection recommendations: Interception of events in the OS is part of its normal operation, so any restriction of this functionality may adversely affect the stability of legitimate applications such as anti-virus software. Efforts to prevent the use of hooking techniques should focus on earlier stages of the attack chain. Malicious hooking activity can be detected by monitoring calls to the SetWindowsHookEx and SetWinEventHook functions, using rootkit detectors, and analyzing anomalous process behaviour.

    IFEO Injection (Image File Execution Options Injection)

    System: Windows
    Rights: Administrator, System
    Description: The Image File Execution Options (IFEO) mechanism allows a debugger, specified in advance by the developer in the registry, to be run instead of a program:
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[executable]
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[executable], where [executable] is the name of the program to which the debugger is attached.

    Like injections, the [executable] value can be abused to run arbitrary code in order to escalate privileges or gain persistence in the system. Malware can use IFEO to evade defenses by registering debuggers that redirect and reject various system and security applications.

    Protection recommendations: The technique abuses standard OS development features, so any restrictions may destabilize legitimate software such as security applications. Efforts to prevent IFEO injection should focus on earlier stages of the attack chain. Such an attack can be detected by monitoring processes created with the DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS flags.

    Launch Daemon

    System: macOS
    Rights: Administrator
    Description: The technique consists in the attacker changing the parameters of system-level launch services (Launch Daemons) specified in plist files. When the system boots, the launchd process loads the parameters of services (daemons) from plist files located in the following directories:
    • /System/Library/LaunchDaemons;
    • /Library/LaunchDaemons.

    A Launch Daemon can be created with administrator privileges but runs under the root account, so an attacker can escalate privileges. The plist files must be owned by root:wheel; however, the script or program specified in them may have less strict permissions. An attacker can therefore modify the executables specified in the plist and thus modify existing system services to gain persistence or escalate privileges.

    Protection recommendations: Limit user privileges so that only authorized administrators can create Launch Daemons. Consider monitoring how plist files are created on the system using applications such as KnockKnock.
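    The weakness described above is a root-owned plist pointing at a program that is not root-owned or is group/world writable. The following is an added example, not part of the article or of MITRE ATT&CK, of the check a defender would run over /Library/LaunchDaemons: it reads each plist with the standard plistlib module, takes the Program (or the first ProgramArguments entry) that launchd will run, and compares the ownership and mode of both files. The plist contents, labels, paths and ownership data are all constructed so the example runs anywhere; info_from_disk shows the real os.lstat variant for use on a Mac.

```python
"""Find LaunchDaemon plists whose launched program is modifiable by non-root.

Added example, not from the article. Sample plists and ownership are constructed.
"""
import os
import plistlib
import stat
from typing import Dict, List, NamedTuple


class FileInfo(NamedTuple):
    uid: int
    gid: int
    mode: int   # permission bits only (stat.S_IMODE)


# Constructed ownership/mode data standing in for os.lstat() results.
FILES: Dict[str, FileInfo] = {
    "/Library/LaunchDaemons/com.example.agent.plist": FileInfo(0, 0, 0o644),
    "/usr/local/bin/agent": FileInfo(501, 20, 0o755),   # owned by a regular user (uid 501)
    "/Library/LaunchDaemons/com.example.ok.plist": FileInfo(0, 0, 0o644),
    "/usr/local/sbin/okd": FileInfo(0, 0, 0o755),
}

# Constructed plist contents (hypothetical labels and paths).
PLISTS: Dict[str, bytes] = {
    "/Library/LaunchDaemons/com.example.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.agent</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/agent</string><string>--daemon</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.example.ok.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.ok</string>
<key>Program</key><string>/usr/local/sbin/okd</string>
</dict></plist>""",
}


def launched_program(plist_bytes: bytes) -> str:
    """Return the executable launchd will run: Program, else ProgramArguments[0]."""
    d = plistlib.loads(plist_bytes)
    return d["Program"] if "Program" in d else d["ProgramArguments"][0]


def modifiable_by_non_root(info: FileInfo) -> bool:
    """True if someone other than root could change the file's contents."""
    return info.uid != 0 or bool(info.mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(plists: Dict[str, bytes], files: Dict[str, FileInfo]) -> List[str]:
    """One finding per plist whose own file or launched program is weakly protected."""
    findings: List[str] = []
    for plist_path, data in plists.items():
        program = launched_program(data)
        plist_info = files.get(plist_path)
        if plist_info is not None and modifiable_by_non_root(plist_info):
            findings.append(f"{plist_path}: plist itself is modifiable by non-root")
        prog_info = files.get(program)
        if prog_info is None:
            findings.append(f"{plist_path}: program {program} does not exist (missing target)")
        elif modifiable_by_non_root(prog_info):
            findings.append(f"{plist_path}: program {program} modifiable "
                            f"(uid {prog_info.uid}, mode {oct(prog_info.mode)})")
    return findings


def info_from_disk(path: str) -> FileInfo:
    """Real-system replacement for the FILES table."""
    st = os.lstat(path)
    return FileInfo(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    for line in audit(PLISTS, FILES):
        print(line)
```

    On a live system, build the two dictionaries by reading each plist file as bytes and calling info_from_disk on the plist and on the program it names; a missing target is also worth reporting, since whoever can write to that directory can supply the program.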

    New Services

    System: Windows
    Rights: Administrator, System
    Description: Having access to the system, attackers can create new services and configure them to start automatically. The service name can be disguised with names typical of the operating system. Services can be created with administrator privileges but run on behalf of System. Services can be created from the command line, using remote access tools that interact with the Windows API, or using standard Windows and PowerShell management tools.

    Security recommendations: Limit user rights to create new services so that only authorized administrators can do this. Apply AppLocker and Software Restriction Policies.

    Path Interception

    System: Windows
    Rights: User, Administrator, System
    Description: Path interception consists in placing an executable in a directory from which the application will launch it instead of the intended file. An attacker can use the following methods:
    • Unquoted paths. Paths to service executables are stored in registry keys and may contain one or more spaces, for example C:\Program Files\service.exe. If the attacker creates the file C:\Program.exe on the system, Windows will start it instead of the intended service binary.
    • Misconfigured environment variables. If in the PATH variable the path C:\example precedes C:\Windows\System32 and the file C:\example\net.exe exists, then when the net command is invoked, C:\example\net.exe is executed rather than C:\Windows\System32\net.exe.
    • Search order hijacking. When the full path to an executable is not specified, Windows, as a rule, searches for a file with the given name in the current directory first and then in the system directories. For example, suppose the file example.exe, when run, starts cmd.exe with arguments that execute the net use command. An attacker can place a net.exe file in the directory of example.exe and it will be launched instead of the C:\Windows\System32\net.exe utility. In addition, if the attacker places a net.com file in the directory containing net.exe, Windows will execute net.com, in accordance with the execution order defined in the PATHEXT system variable.

    File search order interception is also used to load DLLs, in the DLL Search Order Hijacking technique.

    Security recommendations: Enclose paths in quotation marks in configuration files, scripts, the PATH variable, service settings and shortcuts. Keep the executable search order in mind and use only full paths. Clean up old registry keys left over from removed software so that no keys pointing to non-existent files remain. Prohibit users from writing to the root directory C:\ and to Windows system directories, and limit write permissions on directories containing executables.
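    The three path problems above can all be checked from configuration data alone, which is what audit tools such as PowerUp do. The following is an added example, not part of the article or of MITRE ATT&CK: it lists the file names Windows tries for an unquoted service ImagePath (each space is a possible end of the executable name, and .exe is appended when the prefix has no extension), derives the directories a defender must keep non-writable, checks which PATH entries are consulted before System32, and shows the PATHEXT order that makes net.com win over net.exe. All inputs are constructed; the ImagePath and PATH values are examples, and the handling of prefixes that already contain a period is an approximation of the CreateProcess rules.

```python
"""Path-interception checks over service and environment configuration.

Added example, not from the article. Pure string logic; touches no live system.
"""
import ntpath
from typing import List


def unquoted_path_candidates(image_path: str) -> List[str]:
    """File names CreateProcess tries, in order, for a service ImagePath.

    A quoted path is unambiguous and yields only itself. For an unquoted path
    with spaces, each space may end the executable name; if that prefix has no
    extension, Windows appends .exe before looking for it.
    """
    p = image_path.strip()
    if p.startswith('"'):
        return [p[1:p.index('"', 1)]]
    tokens = p.split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        candidates.append(prefix)
        if tokens[i - 1].lower().endswith(".exe"):
            break   # reached the intended binary; anything after it is arguments
    return candidates


def hijack_directories(image_path: str) -> List[str]:
    """Directories where a planted file would be found before the real binary."""
    cands = unquoted_path_candidates(image_path)
    return [ntpath.dirname(c) for c in cands[:-1]]


def expand_sysroot(entry: str, system_root: str) -> str:
    return entry.replace("%SystemRoot%", system_root).replace("%SYSTEMROOT%", system_root)


def path_entries_before_system32(path_value: str, system_root: str = r"C:\Windows") -> List[str]:
    """PATH entries searched before System32; a writable one shadows system tools."""
    sys32 = ntpath.join(system_root, "System32").lower()
    before: List[str] = []
    for raw in path_value.split(";"):
        entry = expand_sysroot(raw.strip(), system_root).rstrip("\\")
        if not entry:
            continue
        if entry.lower() == sys32:
            break
        before.append(entry)
    return before


def pathext_lookup_order(command: str, pathext: str = ".COM;.EXE;.BAT;.CMD") -> List[str]:
    """Names tried for a bare command, in PATHEXT order (net.com before net.exe)."""
    if "." in command:
        return [command]
    return [command + ext.lower() for ext in pathext.split(";") if ext]


if __name__ == "__main__":
    # Constructed example values.
    svc = r"C:\Program Files\My App\svc.exe -k net"
    print("tried in order:", unquoted_path_candidates(svc))
    print("protect these directories:", hijack_directories(svc))
    print("searched before System32:",
          path_entries_before_system32(r"C:\example;%SystemRoot%\system32;C:\Windows"))
    print("lookup order for 'net':", pathext_lookup_order("net"))
```

    On a real host, feed every ImagePath value found under the Services key through hijack_directories and verify that no reported directory is writable by ordinary users; any PATH entry returned by path_entries_before_system32 deserves the same check.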

    Modification of Plist files (Plist Modification)

    System: macOS
    Rights: User, Administrator
    Description: Attackers can modify plist files, specifying in them their own code so that it runs in the context of another user. Plist property files located in /Library/Preferences run with elevated privileges, while plist files from ~/Library/Preferences run with user privileges.

    Security recommendations: Prevent plist files from being modified by making them read-only.

    Modification of Port Monitors in the Print Manager (Port Monitors)

    System: Windows
    Rights: Administrator, System
    Description: An attacker can arrange for an arbitrary DLL to run on behalf of System every time Windows boots by abusing the settings of the Print Manager (spoolsv.exe). To interact with print devices, spoolsv.exe uses so-called port monitors - DLLs that send low-level commands to print devices over LAN, USB, LPT or COM interfaces. These DLLs are stored in C:\Windows\System32 and registered in the registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors.
    A port monitor can be installed using the AddMonitor API or directly by editing the above registry key.

    Protection recommendations: Organize blocking of potentially dangerous software and use application launch control tools.
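    The load points described in the AppCert DLLs, AppInit DLLs, Accessibility Features, IFEO Injection and Port Monitors sections above all live in the registry, so one audit can cover them. The following is an added example, not part of the article or of MITRE ATT&CK: it parses text in the format written by reg export (the sample export, its DLL paths and the "Evil Monitor" name are constructed), then reports a populated AppInit_DLLs value while loading is enabled, every AppCertDlls entry, every IFEO Debugger value (calling out the accessibility binaries listed earlier), and any port monitor whose Driver is given as a path rather than a bare DLL name resolved from System32. The value names and key paths are the documented ones; what counts as "suspicious" is the assumption to tune.

```python
"""Audit a registry export for the load points used by the techniques above.

Added example, not from the article. The .reg text below is constructed.
"""
import sys
from typing import Dict, List

ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                 "narrator.exe", "displayswitch.exe", "atbroker.exe"}
APPINIT_KEYS = (r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows",
                r"hkey_local_machine\software\wow6432node\microsoft\windows nt\currentversion\windows")
APPCERT_KEY = r"hkey_local_machine\system\currentcontrolset\control\session manager\appcertdlls"
IFEO_KEYS = (r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options",
             r"hkey_local_machine\software\wow6432node\microsoft\windows nt\currentversion\image file execution options")
MONITORS_KEY = r"hkey_local_machine\system\currentcontrolset\control\print\monitors"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\Users\\Public\\helper.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"cert"="C:\\Windows\\Temp\\cert.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Evil Monitor]
"Driver"="C:\\Users\\Public\\mon.dll"
'''


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key path (lowercased): {value name: data}}.
    Handles "string" and dword: data, which is all this audit needs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # key paths are case-insensitive
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"'):               # string data: unescape \\ and \"
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data             # dword:... is kept as written
    return keys


def audit(keys: Dict[str, Dict[str, str]]) -> List[str]:
    findings: List[str] = []
    for key in APPINIT_KEYS:                        # loaded into every user32.dll process
        vals = keys.get(key, {})
        if vals.get("AppInit_DLLs") and vals.get("LoadAppInit_DLLs", "dword:00000000") != "dword:00000000":
            findings.append(f"AppInit_DLLs active: {vals['AppInit_DLLs']}")
    for name, dll in keys.get(APPCERT_KEY, {}).items():   # each value is a DLL path
        findings.append(f"AppCertDlls entry {name}: {dll}")
    for key, vals in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        for prefix in IFEO_KEYS:                    # Debugger value replaces the program
            if key.startswith(prefix + "\\") and "Debugger" in vals:
                kind = "accessibility binary" if leaf in ACCESSIBILITY else "program"
                findings.append(f"IFEO debugger on {kind} {leaf}: {vals['Debugger']}")
        if key.startswith(MONITORS_KEY + "\\") and "\\" in vals.get("Driver", ""):
            findings.append(f"Port monitor '{leaf}' loads {vals['Driver']}")
    return findings


if __name__ == "__main__":
    # reg export writes UTF-16 with a BOM; the "utf-16" codec consumes it.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for line in audit(parse_reg(text)):
        print(line)
```

    Export the HKLM\SOFTWARE and HKLM\SYSTEM hives (or just the keys above) with reg export and pass the file as the first argument; each finding is a load point to verify against known software, not a verdict by itself.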

    Code Injection into a Process (Process Injection), Ten Process Injection Techniques

    System: Windows, Linux, macOS
    Rights: User, administrator, system, root
    Description: Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process gives access to that process's memory, to system and network resources, and possibly to elevated privileges. Process injection can also be used to evade detection of malicious activity by security tools. Techniques for injecting into processes abuse the various mechanisms that provide multithreaded program execution in the OS. Some approaches to injecting code into a process are listed below.

    • DLL injection. It is performed by writing the path to the malicious DLL inside the process and then executing it by creating a remote thread (a thread that runs in the virtual address space of another process). In other words, the malware writes the DLL to disk and then uses a function such as CreateRemoteThread, which calls the LoadLibrary function in the injected process.
    • PE injection (Portable Executable injection) is based on abusing the in-memory execution features of PE files such as DLLs or EXEs. Malicious code is written into the process without writing any files to disk, and execution is then triggered using additional code or by creating a remote thread.
    • Thread execution hijacking involves injecting malicious code or a DLL path directly into a process thread. As in the Process Hollowing technique, the thread must first be suspended.
    • Asynchronous Procedure Call (APC) injection involves placing malicious code in the APC queue of a process thread. One APC injection method, called "Early Bird injection", involves creating a suspended process into which malicious code can be written and launched at the process entry point via APC. AtomBombing is another injection variant that uses APC to invoke malicious code previously written to the global atom table.
    • Thread Local Storage (TLS) injection involves manipulating memory pointers inside an executable PE file to redirect the process to malicious code.

    Mac and Linux
    • The environment variables LD_PRELOAD and LD_LIBRARY_PATH (Linux) or DYLD_INSERT_LIBRARIES (macOS), or the dlfcn application programming interface (API), can be used to dynamically load a library (shared object) into a process, which in turn can be used to intercept API calls from running processes.
    • The ptrace system call can be used to attach to a running process and modify it during execution.
    • /proc/[pid]/mem provides access to process memory and can be used to read and write arbitrary data, but this method is rarely used because of the complexity of its implementation.
    • VDSO (virtual dynamic shared object) hijacking allows code to be injected while ELF binaries execute, by manipulating the code stubs from linux-vdso.so.
    Malware typically uses process injection to access system resources, which allows the attacker to gain a foothold in the system and make further changes to the attacked environment. More sophisticated samples perform multiple process injections to make detection harder.

    Protection recommendations: Process injection methods abuse regular OS functions, so restricting them directly can destabilize legitimate software and security products. Efforts to prevent the use of injection techniques should focus on earlier stages of the attack chain. Use tools that block potentially dangerous software, such as AppLocker. Use Yama as a preventive measure against ptrace-based code injection, limiting the use of ptrace to privileged users only. Additional security measures may include deploying kernel security modules that provide advanced access control and process restriction, such as SELinux, grsecurity and AppArmor.
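    The DLL injection variant above leaves a characteristic trace: a thread created in another process that starts at LoadLibrary, and in the file-less variants a thread whose start address is not backed by any loaded module. The following is an added example, not part of the article or of MITRE ATT&CK, of detection logic over records shaped like Sysmon Event ID 8 (CreateRemoteThread) with its SourceImage, TargetImage, StartModule and StartFunction fields; the events, process names and timestamps are constructed, and the list of sources that legitimately create remote threads is an assumption to replace with your own baseline.

```python
"""Flag cross-process thread creation that looks like process injection.

Added example, not from the article. Consumes Sysmon-style Event ID 8 records.
"""
from typing import Dict, List, Optional, Tuple

LOADLIBRARY = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# Assumption: processes that create remote threads as part of normal operation.
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# Path fragments of directories an ordinary user can write to.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\")

# Constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread).
EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2024-03-01 09:12:44", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": ""},
    {"UtcTime": "2024-03-01 09:13:02", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
    {"UtcTime": "2024-03-01 09:13:05", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": "", "StartFunction": ""},
    {"UtcTime": "2024-03-01 09:20:00", "SourceImage": r"C:\Program Files\Vendor\agent.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string for suspicious events, None for the rest."""
    src = event.get("SourceImage", "").lower()
    if src in BENIGN_SOURCES:
        return None
    if event.get("StartFunction") in LOADLIBRARY:
        return "dll-injection"              # remote thread starting at LoadLibrary*
    if not event.get("StartModule"):
        return "unbacked-start-address"     # thread begins outside any loaded module
    return None


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """(time, source, target, reason) for every event worth an alert."""
    alerts: List[Tuple[str, str, str, str]] = []
    for e in events:
        reason = classify(e)
        if reason is None:
            continue
        if any(marker in e["SourceImage"].lower() for marker in USER_WRITABLE):
            reason += "+source-in-user-writable-dir"   # extra weight, not a rule on its own
        alerts.append((e["UtcTime"], e["SourceImage"], e["TargetImage"], reason))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert, sep=" | ")
```

    The first rule catches the CreateRemoteThread-to-LoadLibrary pattern the text describes; the second covers PE and shellcode injection, where the thread's start address has no backing module. Both produce noise from some legitimate software, which is why the baseline set exists.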

    SID History Injection

    System: Windows
    Rights: Administrator, system
    Description: Whenever an object is moved from one domain to another, a new SID is created, which becomes the main objectSID. Previous SIDs continue to be stored in the sIDHistory property, thus ensuring that the rights that the object had before the cross-domain migration are preserved. Attackers with administrator rights can insert previously collected SIDs into SID-History to perform an action on behalf of more privileged access groups or accounts, such as domain administrators.

    Protection recommendations: On Windows Server 2003 and later, SID Filtering is enabled by default; it removes or filters all SIDs except those of the trusted domain, but the option can be deliberately disabled to allow cross-domain access.
    The main methods for filtering SIDs:
    • Disabling SIDHistory on trusts between domain forests using the command: netdom trust /domain: /EnableSIDHistory:no;
    • Applying SID Filter Quarantining. This ensures that an object containing a SID other than that of the trusted domain cannot authenticate to the trusting domain. SID Filter Quarantining is applied to external trusts by executing the command: netdom trust /domain: /quarantine:yes.
    Using SID Filtering between domains in the same forest is not recommended. If a domain in the forest is untrusted, it should not be a member of the forest; in that situation, first separate the trusted and untrusted domains into separate forests, then apply SID Filtering to the trusts between forests.
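    The filtering rule described above is simple to state: the trusting side keeps only the SIDs whose domain part matches the trusted domain. The following is an added example, not part of the article or of MITRE ATT&CK, that models that rule over an account's sIDHistory values and separately lists entries resolving to well-known privileged groups (Domain Admins, Enterprise Admins, Schema Admins, Domain Controllers, BUILTIN\Administrators), which deserve review whether or not a trust would filter them. The trusted domain SID and the sIDHistory list are constructed.

```python
"""Model SID filtering over sIDHistory and flag privileged entries.

Added example, not from the article. SID values below are constructed.
"""
from typing import Dict, List, Tuple

# Well-known RIDs of privileged domain groups (documented by Microsoft).
PRIVILEGED_DOMAIN_RIDS: Dict[int, str] = {
    512: "Domain Admins", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a SID string into (issuing domain/authority part, relative identifier)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def dropped_by_sid_filtering(sid_history: List[str], trusted_domain_sid: str) -> List[str]:
    """Entries quarantine-style SID filtering discards: every SID whose domain
    part is not the trusted domain."""
    return [s for s in sid_history if split_sid(s)[0] != trusted_domain_sid]


def privileged_entries(sid_history: List[str]) -> List[Tuple[str, str]]:
    """sIDHistory entries that resolve to a privileged group."""
    out: List[Tuple[str, str]] = []
    for s in sid_history:
        domain, rid = split_sid(s)
        if s == BUILTIN_ADMINISTRATORS:
            out.append((s, "BUILTIN\\Administrators"))
        elif domain.startswith("S-1-5-21-") and rid in PRIVILEGED_DOMAIN_RIDS:
            out.append((s, PRIVILEGED_DOMAIN_RIDS[rid]))
    return out


def report(sid_history: List[str], trusted_domain_sid: str) -> Dict[str, list]:
    return {"dropped": dropped_by_sid_filtering(sid_history, trusted_domain_sid),
            "privileged": privileged_entries(sid_history)}


# Constructed values: a trusted domain SID and the sIDHistory of one migrated account.
TRUSTED_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SID_HISTORY = [
    "S-1-5-21-1111111111-2222222222-3333333333-1105",   # legitimate, from the trusted domain
    "S-1-5-21-4444444444-5555555555-6666666666-512",    # Domain Admins of another domain
    "S-1-5-32-544",                                      # BUILTIN\Administrators
]

if __name__ == "__main__":
    for kind, entries in report(SID_HISTORY, TRUSTED_DOMAIN).items():
        print(kind, entries)
```

    With filtering disabled, the two "dropped" entries would be honoured by the trusting domain; the "privileged" list is what an audit of sIDHistory across migrated accounts should surface even where filtering is on.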

    Scheduled Task

    System: Windows
    Rights: User, Administrator, System
    Description: Utilities such as at, schtasks and the Windows Task Scheduler can be used to schedule programs and scripts to run at a specific date and time. A task can be scheduled on a remote system, provided that RPC is used for authentication and printer and file sharing is enabled. Scheduling tasks on a remote system requires administrator privileges. An attacker can use task scheduling to run code with System privileges or to start a process under a specific account.

    Protection recommendations: Limit user privileges. Use tools such as the PowerUp module from PowerSploit to find weaknesses in the permissions of scheduled tasks. Disable the ability to run tasks on behalf of System, disable the option "Allow server operators to schedule tasks" in the security policy, and review the user right "Increase scheduling priority".

    Service Registry Permissions Weakness

    System: Windows
    Rights: Administrator, System
    Description: If user and group permissions allow modifying the values of the Windows registry keys that store service parameters, attackers can directly modify the keys that hold the paths to the service executables, or use service management tools such as sc.exe, PowerShell or Reg to do so. Attackers can also change the parameters related to service failure, for example FailureCommand, which specifies the command to run if the service fails or is deliberately damaged. Service parameters are stored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services.

    Protection recommendations: Make sure that users of the protected system cannot change the registry keys that store the parameters of system components. Use all available means of blocking potentially dangerous software, for example Windows AppLocker.

    Setuid and Setgid

    System: Linux, macOS
    Rights: User
    Description: Setuid and Setgid are permission flags on Unix systems that allow a user to run an executable with the rights of the file's owner or group. If an application must run as root, then instead of creating an entry in the sudoers file the user can set the Setuid or Setgid flag on it. Adversaries can abuse Setuid and Setgid executables to perform a shell escape (when a console application opens a file in another application) or exploit a vulnerability in the flagged application and execute code in the context of another user. In the output of ls -l, these flags appear as the letter "s" in place of "x". The chmod utility sets the Setuid and Setgid flags with commands such as chmod 4777 [file] or chmod u+s [file].

    Protection recommendations: Keep the number of programs with the Setuid and Setgid flags set to a minimum.
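    The following is an added example and not code from the original article. It implements the inventory the recommendation calls for: symbolic_mode() renders a mode the way the permission column of ls -l does (including the "s", "S" and "t" markers), and find_setuid_files() walks a directory tree with lstat, ignoring symlinks and non-regular files, and lists every file carrying Setuid or Setgid. demo() builds a constructed fixture in a temporary directory so the scan can be tried without reading the real system; point find_setuid_files() at "/" to audit a host.

```python
"""List setuid/setgid executables and render their mode like ls -l.

Added example, not from the original article. The fixture built by demo() is
constructed; file names and modes are illustrative.
"""
import os
import stat
import tempfile


def symbolic_mode(mode):
    """Return the 9-character rwx string for a mode, with s/S/t/T special markers."""
    chars = []
    for r, w, x, special, marker in (
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
    ):
        chars.append("r" if mode & r else "-")
        chars.append("w" if mode & w else "-")
        if mode & special:
            # Lower-case marker when the execute bit is also set, upper-case when it is not
            # (an upper-case "S" means the special bit is set on a non-executable file).
            chars.append(marker if mode & x else marker.upper())
        else:
            chars.append("x" if mode & x else "-")
    return "".join(chars)


def find_setuid_files(root):
    """Return sorted (relative path, symbolic mode, owner uid) for every setuid/setgid regular file under root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((os.path.relpath(path, root), symbolic_mode(st.st_mode), st.st_uid))
    return sorted(hits)


def demo():
    """Build a constructed fixture in a temporary directory and return (path, mode) of the hits."""
    specs = {
        "bin/plain": 0o755,        # ordinary executable, must not be reported
        "bin/root_helper": 0o4755,  # setuid
        "bin/group_tool": 0o2755,   # setgid
        "bin/odd": 0o4644,          # setuid without execute bit, shows as "S"
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, mode in specs.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return [(rel, sym) for rel, sym, _uid in find_setuid_files(tmp)]


if __name__ == "__main__":
    for rel, sym in demo():
        print(f"{sym} {rel}")
```

    Run the scan periodically and diff the result against the previous inventory: a new setuid file in a user-writable location is the change worth investigating.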

    Startup Items

    System: macOS
    Rights: Administrator
    Description: An adversary can use the obsolete but still functioning (as of macOS Sierra) StartupItems mechanism for autostarting applications to configure his code to launch with root privileges at boot time. A StartupItem is a directory under /Library/StartupItems containing a command script and a StartupParameters.plist properties file. The script and the properties file must be at the top level of the item's directory: /Library/StartupItems/[MyStartupItem].

    Protection recommendations: Since the StartupItems mechanism is obsolete, prohibiting writes to the /Library/StartupItems/ directory prevents the creation of startup items.

    Sudo

    System: Linux, macOS
    Rights: User
    Description: Adversaries may take advantage of sudo configuration flaws to execute commands on behalf of other users or spawn processes with higher privileges. Sudo settings are stored in the /etc/sudoers file, and elevated privileges are required to edit it. The sudoers file describes which commands users can run on behalf of other users or groups; this lets users work with minimal privileges most of the time and raise them only when necessary. However, the sudoers file can also specify users who will not be asked for a password: username ALL=(ALL) NOPASSWD: ALL .

    Protection recommendations: The sudoers file should be edited so that users always enter a password when executing sudo. Auditd on Linux can generate an alert whenever the real and effective user IDs do not match (which happens when a user runs sudo).

    Sudo caching

    System: Linux, macOS
    Rights: User
    Description: Various malware, such as OSX/Proton, may abuse sudo settings to execute code as root without entering a password. Because the sudo toolkit was created for system administration, it has convenience features such as timestamp_timeout, the parameter that stores the number of minutes between sudo invocations during which the command will not prompt for the root password; sudo therefore caches credentials for a period of time. The timestamp of the last sudo invocation is stored in /var/db/sudo and is used to evaluate that timeout. There is also the tty_tickets variable, which treats each new terminal session in isolation, so the timeout in one console instance does not affect the timeout in another.

    Protection recommendations: Set timestamp_timeout=0 so that the system requires a root password every time sudo is run. Enable the tty_tickets parameter so that the attack cannot be carried out through other command-line sessions.
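    The following is an added example and not code from the original article. It serves both the Sudo section above (NOPASSWD rules) and this Sudo caching section (timestamp_timeout and tty_tickets): audit_sudoers() parses the text of a sudoers file, joining backslash continuation lines and skipping comments, and reports every user specification that carries NOPASSWD, the effective timestamp_timeout, whether tty_tickets is on, and whether !authenticate has disabled password prompts altogether; findings() turns that into the checks the two recommendations ask for. The sample sudoers content is constructed. The assumed defaults (timestamp_timeout 5 minutes, tty_tickets on, authenticate on) are sudo's upstream defaults; a distribution may build with other values, so confirm them with sudo -V on the host.

```python
"""Audit a sudoers file for NOPASSWD rules and credential-caching defaults.

Added example, not from the original article. Feed it the text of /etc/sudoers;
files pulled in by #include/#includedir are not read here but are listed in
the report so the caller knows to scan them too. Sample content is constructed.
"""
import re

# Upstream sudo defaults (assumption: a distribution may compile others in).
DEFAULTS = {"timestamp_timeout": 5.0, "tty_tickets": True, "authenticate": True}


def _logical_lines(text):
    """Join backslash-continued lines and strip surrounding whitespace."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        buf += line.strip()
        lines.append(buf.strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def audit_sudoers(text):
    """Return a report dict: nopasswd rules, caching settings, and include directives."""
    report = dict(DEFAULTS)
    report["nopasswd"] = []  # list of (user_or_group, [commands])
    report["includes"] = []
    for line in _logical_lines(text):
        if not line:
            continue
        if line.startswith(("#include", "@include")):
            report["includes"].append(line)
            continue
        if line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            parts = line.split(None, 1)
            opts = parts[1] if len(parts) > 1 else ""
            for opt in re.split(r",\s*", opts):
                opt = opt.strip()
                m = re.match(r"timestamp_timeout\s*=\s*(-?[\d.]+)$", opt)
                if m:
                    report["timestamp_timeout"] = float(m.group(1))
                elif opt == "tty_tickets":
                    report["tty_tickets"] = True
                elif opt == "!tty_tickets":
                    report["tty_tickets"] = False
                elif opt == "!authenticate":
                    report["authenticate"] = False
            continue
        if "NOPASSWD:" in line:
            who = line.split()[0]
            cmds = [c.strip() for c in line.split("NOPASSWD:", 1)[1].split(",") if c.strip()]
            report["nopasswd"].append((who, cmds))
    return report


def findings(report):
    """Human-readable findings matching the recommendations in the text."""
    out = []
    for who, cmds in report["nopasswd"]:
        if "ALL" in cmds:
            out.append(f"{who} may run ANY command without a password")
        else:
            out.append(f"{who} runs {len(cmds)} command(s) without a password; check none allows a shell escape")
    if not report["authenticate"]:
        out.append("!authenticate disables password prompts for everyone")
    if report["timestamp_timeout"] != 0:
        out.append(f"timestamp_timeout={report['timestamp_timeout']:g}: credentials are cached; set 0 to always prompt")
    if not report["tty_tickets"]:
        out.append("tty_tickets is off: one session's cached credentials are valid in every session")
    return out


# Constructed sample, not a real host's file.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults    env_reset
Defaults    timestamp_timeout=30, !tty_tickets
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, \\
        /usr/bin/journalctl -u app
backup  ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    for line in findings(audit_sudoers(SAMPLE_SUDOERS)):
        print(line)
```

    The report deliberately treats a NOPASSWD rule for a specific command as a finding too: a command that can itself spawn a shell or edit files (editors, pagers, interpreters) gives the same result as NOPASSWD: ALL.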

    Valid accounts

    Description: Attackers can steal the credentials of a specific user or service account using credential access techniques, or capture them during reconnaissance using social engineering. Compromised credentials can be used to bypass access control systems and gain access to remote systems and external services such as VPN, OWA or Remote Desktop, or to obtain elevated privileges on specific systems and areas of the network. If this succeeds, attackers can do without malware, which makes them harder to detect. Attackers can also create accounts with predefined names and passwords to keep backup access in case other means of access fail.

    Protection recommendations: Apply a password policy and follow the recommendations for designing and administering a corporate network to limit the use of privileged accounts at all administrative levels. Regularly review domain and local accounts and their rights to identify those that could give an attacker broad access. Monitor account activity with SIEM systems.

    Web shell

    System: Windows, Linux, macOS
    Description: A web shell can be used by an attacker as a gateway into your network or as redundant access to the attacked system: a backup mechanism for keeping a foothold in case the main access channels to the attacked environment are detected and blocked.

    Protection Recommendations: Make sure that your external web servers are regularly updated and have no known vulnerabilities that would allow attackers to upload a file or script to the server and then execute it. Verify that the accounts and groups with server management rights are not the same accounts on the internal network that could be used to log in to the web server, launch the web shell, or persist on the web server. Web shells are hard to detect because they do not initiate connections and their server-side component can be small and innocuous; for example, the PHP version of the China Chopper web shell is a single line:
    <?php eval($_POST['password']); ?>
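    The following is an added example and not code from the original article. It is a small static scanner for the pattern the China Chopper line illustrates: a PHP execution sink (eval, assert, system, exec, shell_exec, passthru, popen, proc_open, create_function) fed directly from request input, the same thing routed through a variable assigned from request input, a sink fed through a decoding helper (base64_decode, gzinflate and similar), and preg_replace with the old /e modifier. The rule names, regular expressions and the four PHP samples are constructed for this example; the China Chopper sample is the line from the text.

```python
"""Scan PHP source for one-line web shell patterns such as China Chopper.

Added example, not from the original article. scan_php() returns
(line number, rule, line) tuples. Samples below are constructed.
"""
import re

SINKS = r"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)"
INPUTS = r"\$_(?:POST|GET|REQUEST|COOKIE|SERVER|FILES)"

# Sink called directly on request input:  eval($_POST['x'])
DIRECT = re.compile(rf"@?\b{SINKS}\s*\(\s*{INPUTS}\s*\[", re.IGNORECASE)
# Variable assigned from request input:   $c = $_REQUEST['c']
TAINT = re.compile(rf"(\$\w+)\s*=\s*{INPUTS}")
# Decoding helpers used to hide the payload on the same line as a sink.
OBFUSCATION = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(", re.IGNORECASE)
ANY_SINK = re.compile(rf"\b{SINKS}\s*\(", re.IGNORECASE)
# preg_replace with the /e modifier evaluates the replacement as PHP code.
PREG_E = re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]", re.IGNORECASE)


def scan_php(source):
    """Return a list of (line_no, rule, stripped_line) findings for one PHP file."""
    findings = []
    tainted = set()  # variables that hold raw request input, tracked in file order
    for no, line in enumerate(source.splitlines(), 1):
        for m in TAINT.finditer(line):
            tainted.add(m.group(1))
        if DIRECT.search(line):
            findings.append((no, "direct-input-to-sink", line.strip()))
        for var in tainted:
            if re.search(rf"\b{SINKS}\s*\(\s*{re.escape(var)}\b", line, re.IGNORECASE):
                findings.append((no, "tainted-variable-to-sink", line.strip()))
                break
        if OBFUSCATION.search(line) and ANY_SINK.search(line):
            findings.append((no, "obfuscated-payload-to-sink", line.strip()))
        if PREG_E.search(line):
            findings.append((no, "preg_replace-e-modifier", line.strip()))
    return findings


# The China Chopper server side quoted in the text.
CHOPPER = "<?php eval($_POST['password']); ?>"

# Constructed: the same thing routed through a variable.
INDIRECT = """<?php
$cmd = $_REQUEST['c'];
@system($cmd);
"""

# Constructed: payload hidden behind base64 (the decoded text here is just an echo).
OBFUSCATED = "<?php eval(base64_decode('ZWNobyAiaGkiOw==')); ?>"

# Constructed: ordinary input handling that must not be flagged.
BENIGN = """<?php
$name = htmlspecialchars($_GET['name']);
echo "Hello, $name";
"""

if __name__ == "__main__":
    for label, sample in (("chopper", CHOPPER), ("indirect", INDIRECT),
                          ("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(label, scan_php(sample))
```

    A source scan like this complements, rather than replaces, integrity monitoring of the web root: a shell dropped as a new file or appended to an existing one shows up as an unexpected file change even when its code is obfuscated enough to slip past the patterns.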
