This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.

1. Protecting Your Gold
Will Schroeder, Specter Ops
Standard Image Analysis With PowerShell

2. Agenda
• PowerUp
• Common Privesc Primitives
• Service (Binary) Permissions
• %PATH% hijacking
• Processes, Threads, and User Rights
• Autoruns
• Provisioning Leftovers/Grab Bag
• “Rotten Potato“
• Custom Software Analysis

3. • Discovery
• Delivery
• Exploitation
• C2 Installation
• Privilege Escalation
• Lateral Movement
• Data Collection
• Data Exfiltration
Cyber Kill Chain
Discovery Delivery Exploitation C2
Installation
Privilege
Escalation
Lateral
Movement
Data
Exfiltration
Data
Collection

4. Privilege Escalation
• Most attackers (and us) try to find a way
to escalate privileges to local
administrator/SYSTEM after initial access
is gained
• Everyone isn’t a local admin any more!
• The two main approaches tend to be
0day/exploits and the abuse of
misconfigurations
• You should examine your gold base system
images every time there’s a major change!

5. • A self-
contained
PowerShell
tool that
automates the
audit and
exploitation
of a number of
common
privilege
escalation
PowerUp

6. • Now part of PowerSploit
(.PrivescPowerUp.ps1)
• Strict Version 2 compatibility
• (Now) doesn’t start any additional
processes, nor does it depend on any
external binaries
• I.E. uses ChangeServiceConfig() instead of
“set Svc binPath= malicious command”
• Uses PSReflect for Win32 API access
PowerUp’s Approach

7. • Services are a defined Windows securable
object
• So we can use QueryServiceObjectSecurity()
• Services themselves sometimes have
misconfigured permissions (rare, but it
happens)
• More common are misconfigured permissions
on the binary associated with the service
• If an unprivileged user can replace the
binary for a service, they can gain code
execution when the service/machine restarts
• PowerUp:
Vulnerable Services

8. • When a Windows application tries to load
a particular .DLL, it searches specific
locations in a predefined order
1. The directory from which the application is
loaded
2. The 32-bit system directory
(C:WindowsSystem32)
3. The 16-bit system directory
(C:WindowsSystem)
4. The Windows directory (C:Windows)
5. The current working directory
6. Any directories that are listed in the PATH
environment variable
Sidenote: DLL Load Order

9. • When a process tries to load a DLL, there
is a predefined search order for the DLL
location
• The last search location is any folder in
%PATH%
• One service on Windows 7 (IKEEXT) tries
to load a DLL that doesn’t exist
(wlbsctrl.dll)
• Translation: if we can write to any
folder in %PATH% on a Windows 7 machine
(like C:Python27) we can escalate
%PATH% Hijacking

10. • Processes and threads are securable
objects as well
• Something we’re going to look more heavily
heavily into this year
• User Rights include specific privileges
Processes, Threads, and User
Rights

11. • Anything that’s set to automatically run
in a (potentially) elevated context is a
candidate for hijacking
• For the registry:
• Enumerate all autoruns in HKLM
• Check if the current user can modify any
binary or arguments for any discovered
autoruns
• PowerUp: Get-ModifiableRegistryAutoRun
• For scheduled tasks:
• Enumerate scheduled tasks where the current
user can modify any file in the associated
Hijacking Autoruns and Scheduled
Tasks

12. • We occasionally find left over
Unattended.xml answer files that have
passwords set for local account
provisioning
• PowerUp: Get-UnattendedInstallFile
• Some Group Policy Preference files
contain a decryptable cpassword attribute
(Get-GPPPassword…)
• These GPOs are sometimes cached on the host
• PowerUp: Get-CachedGPPPassword
Provisioning Leftovers

13. • If
[HKLM|HKCU|SOFTWAREPoliciesMicrosoftW
indowsInstallerAlwaysInstallElevated is
set, all .MSI files run elevated…
• PowerUp: Get-RegistryAlwaysInstallElevated
Misc. Grab-bag

14. • In late 2016, researchers from FoxGlove
Security released an attack called
“Rotten Potato”
• This allows you to escalate from a
service account (or any account with
SeImpersonatePrivilege) to SYSTEM
• It does this by abusing a bug class disclosed
by James Forshaw
• DCOM/RPC is tricked into authenticating with
NTLM to the same endpoint, and the resulting
token is impersonated from an account with
impersonation privileges
Rotten Potato

15. • Custom internal development is the most
common root cause of escalation vectors
we find
• Why? Security is hard! Same with a SDL!
• Part of our standard process is to search
for any custom/internally developed
software on any machines we gain initial
access to
• Bonus points if it’s C#!
• This is actually very similar to dynamic
malware analysis!
Custom Software Analysis

16. Analysis Demo

17. Summary
• Privilege escalation is sometime that most
actors attempt during their attack chain
• You should examine your gold image whenever
there’s a major modification!
• Misconfigurations are often unintentionally
introduced due to custom development or third-
party applications
• PowerUp automates the checks for most of
these misconfigurations
• You can analyze any custom-developed
software pretty easily using existing
malware dynamic analysis techniques!

18. • Now: 15 min break
• Grab a coffee
• Stay here to enjoy next presentation
• Change track and switch to another room
• Ask me questions or meet me in a breakout
session room afterwards
Next Steps...

19. Questions?

20. • Will Schroeder (@harmj0y)
• http://blog.harmj0y.net | will [at]
harmj0y.net
• Red teamer and offensive engineer for
Specter Ops
• Co-founder:
• Veil-Framework | Empire/EmPyre | BloodHound
• Developer of:
• PowerView | PowerUp | current PowerSploit
developer
• Microsoft CDM/PowerShell MVP
• Veteran trainer
About_Author