- SID (Security Identifier) = identifier for a principal (user, group, computer or logon session) that performs actions
- Example:
  S-1-5-21-1180699209-877415012-3182924384-1004
  - S = indicates that this is a SID
  - 1 = SID specification (revision) number
  - 5 = identifier authority (5 = NT Authority)
  - 21-1180699209-877415012-3182924384 = domain or local computer identifier
  - 1004 = relative ID (RID)
- Any group or user that was manually created (i.e., not included in Windows by default) has a relative ID of 1000 or greater
- Well-known SIDs
- Windows defines some built-in SIDs; test for them with the IsWellKnownSid function and the WELL_KNOWN_SID_TYPE enumeration
  - S-1-1-0 = Everyone (all users)
  - S-1-2-0 = Local (users who log on locally)
  - S-1-5-18 = Local System (local system account)
  - S-1-5-19 = Local Service (local service account)
  - S-1-5-20 = Network Service (network service account)
  - S-1-5-32-544 = Administrators (Administrators group)
- To see which users have a profile loaded on the system (roughly, who is logged on), open the registry (regedit) and look at HKEY_USERS: each loaded profile hive is keyed by the user's SID
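The decomposition above, as an added worked example (not code from the original notes): a small portable C parser that splits a SID string into revision, identifier authority, domain identifier and RID, and applies the two rules stated above (a RID of 1000 or more means a manually created account; the well-known SID table). The struct and function names (sid_t, sid_parse, sid_rid, ...) are our own, and the well-known table is limited to the entries listed above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added example (not part of the original notes): split a textual SID into the
 * parts described above. Struct and function names are our own. */

#define MAX_SUBAUTH 15          /* SID_MAX_SUB_AUTHORITIES on Windows */

typedef struct {
    int revision;                /* the "1" in S-1-... */
    uint64_t authority;          /* identifier authority, 48 bits (5 = NT Authority) */
    int sub_count;               /* number of sub-authorities that follow */
    uint32_t sub[MAX_SUBAUTH];   /* sub-authorities; the last one is the RID */
} sid_t;

/* Parse "S-1-5-21-...-1004". Returns 1 on success, 0 if the text is not a SID. */
int sid_parse(const char *text, sid_t *out) {
    char buf[256];
    if (strlen(text) >= sizeof buf) return 0;
    strcpy(buf, text);
    memset(out, 0, sizeof *out);
    char *tok = strtok(buf, "-");
    if (!tok || strcmp(tok, "S") != 0) return 0;          /* must start with "S" */
    if (!(tok = strtok(NULL, "-"))) return 0;
    out->revision = atoi(tok);
    if (!(tok = strtok(NULL, "-"))) return 0;
    out->authority = strtoull(tok, NULL, 0);              /* decimal, or 0x... for large authorities */
    while ((tok = strtok(NULL, "-")) != NULL) {
        if (out->sub_count == MAX_SUBAUTH) return 0;
        out->sub[out->sub_count++] = (uint32_t)strtoul(tok, NULL, 10);
    }
    return out->revision == 1 && out->sub_count >= 1;     /* only revision 1 exists */
}

/* The relative ID is the last sub-authority. */
uint32_t sid_rid(const sid_t *s) { return s->sub[s->sub_count - 1]; }

/* Everything before the RID identifies the issuing domain or local computer:
 * writes e.g. "S-1-5-21-1180699209-877415012-3182924384" into out. */
void sid_domain_id(const sid_t *s, char *out, size_t cap) {
    int n = snprintf(out, cap, "S-%d-%llu", s->revision, (unsigned long long)s->authority);
    for (int i = 0; i < s->sub_count - 1 && n < (int)cap; i++)
        n += snprintf(out + n, cap - n, "-%u", s->sub[i]);
}

/* Domain and local-computer SIDs have the form S-1-5-21-X-Y-Z-RID; RIDs from
 * 1000 upward belong to accounts and groups created after installation. */
int sid_is_user_created(const sid_t *s) {
    return s->authority == 5 && s->sub_count == 5 && s->sub[0] == 21 && sid_rid(s) >= 1000;
}

/* Name for the well-known SIDs listed above, NULL for anything else
 * (on Windows, IsWellKnownSid/WELL_KNOWN_SID_TYPE cover the full set). */
const char *sid_well_known_name(const char *text) {
    static const struct { const char *sid, *name; } table[] = {
        {"S-1-1-0", "Everyone"},          {"S-1-2-0", "Local"},
        {"S-1-5-18", "Local System"},     {"S-1-5-19", "Local Service"},
        {"S-1-5-20", "Network Service"},  {"S-1-5-32-544", "Administrators"},
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].sid, text) == 0) return table[i].name;
    return NULL;
}

int main(int argc, char **argv) {
    /* the example SID from the notes, or one given on the command line */
    const char *text = argc > 1 ? argv[1] : "S-1-5-21-1180699209-877415012-3182924384-1004";
    sid_t s; char domain[128];
    if (!sid_parse(text, &s)) { printf("%s is not a valid SID\n", text); return 1; }
    sid_domain_id(&s, domain, sizeof domain);
    printf("revision %d, authority %llu, %d sub-authorities\n", s.revision,
           (unsigned long long)s.authority, s.sub_count);
    printf("domain/computer id: %s\nRID: %u (%s)\n", domain, sid_rid(&s),
           sid_is_user_created(&s) ? "created after install" : "built-in");
    const char *wk = sid_well_known_name(text);
    if (wk) printf("well-known SID: %s\n", wk);
    return 0;
}
```

Run it with any SID string as the first argument (for example the output of `whoami /user`) to see which part is the machine or domain identifier and whether the RID marks a built-in or a manually created account.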
- Access token = kernel object identifying the security context of a process or thread
- A process token is called a primary token
- A thread token is called an impersonation token
- Describes the user account, groups, privileges (and integrity level) associated with the process/thread
- Lsass creates the initial token representing the logged-on user and hands it to Winlogon, which starts the user's session with it
- A token for another user can be created with the LogonUser function, or, in one stroke, by calling CreateProcessWithLogonW (which logs the user on and starts a process with the resulting token)
- With a process handle opened with at least PROCESS_QUERY_INFORMATION access, call OpenProcessToken to obtain the process token
- With a thread handle opened with at least THREAD_QUERY_INFORMATION access, call OpenThreadToken to obtain the thread's impersonation token (fails with ERROR_NO_TOKEN if the thread is not impersonating)
- The GetTokenInformation API: many token information classes are available (TokenUser, TokenGroups, TokenPrivileges, TokenIntegrityLevel, ...)
  - The token handle must be opened with TOKEN_QUERY access
- The SetTokenInformation API; other, more specific APIs: AdjustTokenPrivileges (requires TOKEN_ADJUST_PRIVILEGES access)
- Privilege = the right of an account to perform some system-level operation (see Microsoft's documentation and the "User Rights Assignment" list)
- Stored in the access token
- The command whoami /priv lists the privileges of the current user/process
- Administrators can use Active Directory (Group Policy) or the Local Security Policy editor to grant or remove privileges (Local Policies --> User Rights Assignment)
- Most privileges are disabled by default and must be enabled (AdjustTokenPrivileges) before use. This is a precaution so privileges are not used by mistake
- Certain APIs check whether a privilege exists and is enabled before allowing an operation to proceed
- Commonly abused privileges:
  - SeBackupPrivilege: causes the system to grant all read access to any file, regardless of the access control list (ACL) on the file. Attacker tradecraft: Collection
  - SeCreateTokenPrivilege: required to create a primary token. Attacker tradecraft: Privilege Escalation
  - SeDebugPrivilege: required to debug and adjust the memory of a process owned by another account. Attacker tradecraft: Privilege Escalation; Defense Evasion; Credential Access
  - SeLoadDriverPrivilege: required to load or unload a device driver. Attacker tradecraft: Persistence; Defense Evasion
  - SeRestorePrivilege: required to perform restore operations; causes the system to grant all write access to any file, regardless of the ACL on the file. Attacker tradecraft: Persistence; Defense Evasion
  - SeTakeOwnershipPrivilege: required to take ownership of an object without being granted discretionary access. Attacker tradecraft: Persistence; Defense Evasion; Collection
  - SeTcbPrivilege: identifies its holder as part of the trusted computing base; some trusted protected subsystems are granted this privilege. Attacker tradecraft: Privilege Escalation
- Security descriptor = data structure attached to an object when it is created; it determines who can do what with that object
- Formats: absolute and self-relative
- When a caller requests access to an object, the object manager checks with the security system (security reference monitor) whether the caller may obtain a handle to the object with the requested access
- Consists of:
  - Owner SID
  - Group SID (kept mostly for POSIX compatibility; rarely used by Windows itself)
  - Discretionary Access Control List (DACL): specifies who has what access to the object
  - System Access Control List (SACL): specifies which operations by which users should be logged in the security audit log
- An access control list contains:
  - A header
  - Zero or more Access Control Entry (ACE) structures
  - Each ACE contains a type (allow/deny/audit), flags, an access mask and a SID
- Determining access (simplified)
  - If the object has no DACL (NULL DACL), it has no protection: any access is allowed. Note that an empty DACL (present, but with zero ACEs) is the opposite: it denies everyone
  - If the caller holds the take-ownership privilege (SeTakeOwnershipPrivilege), WRITE_OWNER access is granted
  - If the caller is the owner of the object, READ_CONTROL and WRITE_DAC access are granted
  - Each ACE in the DACL is examined from first to last, so order matters (canonical order puts deny ACEs before allow ACEs)
  - An access-allowed ACE whose SID matches one of the caller's user or group SIDs grants the bits in its access mask
  - An access-denied ACE whose SID matches and covers a requested bit that has not yet been granted denies access to the object
  - If the end of the DACL is reached before every requested bit has been granted, access is denied
- Retrieving security descriptors by handle: GetKernelObjectSecurity, GetUserObjectSecurity (desktops and window stations), GetSecurityInfo
- Retrieving security descriptors by name: GetFileSecurity, GetNamedSecurityInfo
- The SECURITY_DESCRIPTOR structure should be treated as opaque; this is enforced by the fact that PSECURITY_DESCRIPTOR is typed as PVOID
- APIs for reading its parts: GetSecurityDescriptorLength, GetSecurityDescriptorControl, GetSecurityDescriptorOwner, GetSecurityDescriptorDacl, GetSecurityDescriptorSacl
- Security Descriptor Definition Language (SDDL)
- Conversion: ConvertSecurityDescriptorToStringSecurityDescriptor, ConvertStringSecurityDescriptorToSecurityDescriptor
- Is formatted like:
  O:owner_sidG:group_sidD:dacl_flags(string_ace1)(string_ace2)…(string_acen)S:sacl_flags(string_ace1)(string_ace2)…(string_acen)
- Each string ACE has the form (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
- Example:
  O:S-1-5-21-3800247982-3998391507-3990260446-1001G:S-1-5-21-3800247982-3998391507-3990260446-513D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-3800247982-3998391507-3990260446-1001)
  - Here A = access allowed, ID = inherited ACE, FA = file all access, SY = Local System, BA = built-in Administrators
- See the SDDL documentation for the full list of ACE types, ACE flags, rights strings and SID aliases
- Setting a security descriptor: SetKernelObjectSecurity (most generic), SetSecurityInfo (accepts SD components), SetFileSecurity (specific to files, but considered obsolete), SetNamedSecurityInfo (for named objects, including files)
- Building / modifying a security descriptor: InitializeSecurityDescriptor, then SetSecurityDescriptorOwner, SetSecurityDescriptorDacl
- Part of the SD can be changed without building it from scratch (e.g. SetSecurityInfo with only DACL_SECURITY_INFORMATION selected)
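The "Determining access" list and the SDDL example above, as one added worked example that is not code from the original notes: a portable C program that parses an SDDL string into owner, group and DACL ACEs, then runs the simplified access check over it for a given caller. It is deliberately limited to what the notes cover: only the rights codes and SID aliases that appear in the example are known, generic rights are not mapped to object-specific ones, and the SACL is parsed but ignored. All type and function names (sd_t, sddl_parse, access_check, check_sddl) are ours, and the second descriptor used in the test below is constructed to show a deny ACE ahead of an allow ACE.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Added example, not part of the original notes: parse an SDDL string into owner,
 * group and DACL, then apply the simplified access check from "Determining access".
 * Assumptions: only the rights codes and SID aliases from the example are known,
 * generic rights are not mapped to specific ones, and the SACL is skipped. */
#define MAX_ACES 16
typedef struct { char type; char flags[8]; uint32_t mask; char sid[64]; } ace_t;
typedef struct { char owner[64], group[64]; int dacl_present, ace_count; ace_t aces[MAX_ACES]; } sd_t;
enum { READ_CONTROL = 0x20000, WRITE_DAC = 0x40000, WRITE_OWNER = 0x80000,
       FILE_GENERIC_READ = 0x120089, FILE_GENERIC_WRITE = 0x120116, FILE_ALL_ACCESS = 0x1F01FF };

/* Two-letter SDDL rights codes run together ("FRFW"), or a raw 0x... mask */
uint32_t rights_from_sddl(const char *s) {
    static const struct { const char *code; uint32_t mask; } tab[] = {
        {"FA", FILE_ALL_ACCESS}, {"FR", FILE_GENERIC_READ}, {"FW", FILE_GENERIC_WRITE},
        {"FX", 0x1200A0}, {"RC", READ_CONTROL}, {"WD", WRITE_DAC}, {"WO", WRITE_OWNER} };
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) return (uint32_t)strtoul(s, NULL, 16);
    uint32_t m = 0;
    for (; s[0] && s[1]; s += 2)
        for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
            if (strncmp(s, tab[i].code, 2) == 0) m |= tab[i].mask;
    return m;
}
/* SID aliases used in the example; anything else is taken as a full S-1-... string */
const char *sid_from_sddl(const char *s) {
    return !strcmp(s, "SY") ? "S-1-5-18" : !strcmp(s, "BA") ? "S-1-5-32-544" : s;
}
/* ACE flags are two-letter codes run together ("CIOI"), so match them in pairs */
int has_flag(const char *flags, const char *code) {
    for (; flags[0] && flags[1]; flags += 2) if (!strncmp(flags, code, 2)) return 1;
    return 0;
}
/* Parse O:...G:...D:flags(ace)(ace)...S:... ; returns 0 on malformed input */
int sddl_parse(const char *text, sd_t *sd) {
    memset(sd, 0, sizeof *sd);
    for (const char *p = text; *p; ) {
        char sec = *p;
        if (p[1] != ':' || !strchr("OGDS", sec)) return 0;
        p += 2;
        if (sec == 'O' || sec == 'G') {                      /* SID runs up to the next "X:" */
            size_t n = strcspn(p, ":");
            if (p[n] == ':') n--;
            char alias[64];
            if (n == 0 || n >= sizeof alias) return 0;
            memcpy(alias, p, n); alias[n] = 0;
            strcpy(sec == 'O' ? sd->owner : sd->group, sid_from_sddl(alias));
            p += n;
            continue;
        }
        char flags[24] = {0}; size_t fl = 0;                 /* ACL flags, e.g. "PAI" or "NO_ACCESS_CONTROL" */
        while (*p && *p != '(' && p[1] != ':' && fl < sizeof flags - 1) flags[fl++] = *p++;
        if (sec == 'D') sd->dacl_present = !strstr(flags, "NO_ACCESS_CONTROL");  /* NULL DACL marker */
        while (*p == '(') {                                  /* (type;flags;rights;guid;guid;sid) */
            char f[6][64] = {{0}}; int fi = 0; size_t len = 0;
            for (p++; *p && *p != ')'; p++) {
                if (*p == ';') { if (++fi > 5) return 0; len = 0; }
                else if (len < 63) f[fi][len++] = *p;
            }
            if (*p++ != ')') return 0;
            if (sec != 'D') continue;                        /* SACL entries only drive auditing */
            if (sd->ace_count == MAX_ACES) return 0;
            ace_t *a = &sd->aces[sd->ace_count++];
            a->type = f[0][0];
            strncpy(a->flags, f[1], sizeof a->flags - 1);
            a->mask = rights_from_sddl(f[2]);
            strncpy(a->sid, sid_from_sddl(f[5]), sizeof a->sid - 1);
        }
    }
    return 1;
}
/* Simplified access check. caller_sids = user and group SIDs from the caller's token,
 * has_take_ownership = SeTakeOwnershipPrivilege enabled. 1 if every requested bit is granted. */
int access_check(const sd_t *sd, const char *const *caller_sids, int n_sids, int has_take_ownership, uint32_t requested) {
    if (!sd->dacl_present) return 1;                         /* NULL DACL: no protection at all */
    uint32_t granted = has_take_ownership ? WRITE_OWNER : 0;
    for (int i = 0; i < n_sids; i++)
        if (!strcmp(caller_sids[i], sd->owner)) granted |= READ_CONTROL | WRITE_DAC;
    for (int i = 0; i < sd->ace_count && (requested & ~granted); i++) {   /* first to last, stop once satisfied */
        const ace_t *a = &sd->aces[i];
        int match = 0; for (int j = 0; j < n_sids; j++) match |= !strcmp(caller_sids[j], a->sid);
        if (!match || has_flag(a->flags, "IO")) continue;    /* inherit-only ACEs do not protect the object itself */
        if (a->type == 'A') granted |= a->mask & requested;
        else if (a->type == 'D' && (a->mask & requested & ~granted)) return 0;   /* deny wins for an ungranted bit */
    }
    return (requested & ~granted) == 0;                      /* end of DACL: whatever is still missing is denied */
}
/* One caller SID against an SDDL string; -1 if the SDDL does not parse */
int check_sddl(const char *sddl, const char *caller_sid, int has_take_ownership, uint32_t requested) {
    sd_t sd; return sddl_parse(sddl, &sd) ? access_check(&sd, &caller_sid, 1, has_take_ownership, requested) : -1;
}
int main(void) {                                             /* the example SD from the notes */
    const char *sddl = "O:S-1-5-21-3800247982-3998391507-3990260446-1001G:S-1-5-21-3800247982-3998391507-3990260446-513"
                       "D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-3800247982-3998391507-3990260446-1001)";
    const char *owner = "S-1-5-21-3800247982-3998391507-3990260446-1001", *other = "S-1-5-21-3800247982-3998391507-3990260446-1002";
    printf("owner reads: %d, other user reads: %d, other user + SeTakeOwnership gets WRITE_OWNER: %d\n",
           check_sddl(sddl, owner, 0, FILE_GENERIC_READ), check_sddl(sddl, other, 0, FILE_GENERIC_READ), check_sddl(sddl, other, 1, WRITE_OWNER));
    return 0;
}
```

The three outcomes printed for the example descriptor are the three rules in action: the owner's own ACE grants read, a user with no matching ACE falls off the end of the DACL and is denied, and SeTakeOwnershipPrivilege grants WRITE_OWNER before any ACE is looked at, which is exactly why that privilege is on the abused list above.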
- User Account Control (UAC)
- Not a security boundary (this is Microsoft's own position)
- Can be easily bypassed (see the public lists of UAC bypasses)
- Goal was running applications with standard user rights instead of as administrator
- Allows applications to elevate to administrator rights when needed
- Has different levels, which can be changed in "User Account Control Settings"
- Running a process elevated:
  - Right-click and select "Run as administrator"
  - Call the ShellExecuteEx API with the runas verb
  - Add a manifest file requesting administrative rights (requestedExecutionLevel = requireAdministrator)
- Integrity levels
- Main levels: System (highest), High, Medium, Low (below Low there is also Untrusted)
- Represented as SIDs (S-1-16-xxxx, e.g. S-1-16-8192 = Medium, S-1-16-12288 = High)
- Not all processes running as the same user necessarily have the same power
- The mechanism is called Mandatory Integrity Control (MIC); the level is stored in the access token as the mandatory label SID
- Running as a standard user sets the integrity level to Medium
- Running as administrator (elevated) sets the integrity level to High
- Services running under one of the 3 service accounts have integrity level System
- There is no write-up: Low cannot write to Medium, for example (the default policy is no-write-up only; reading upward is still allowed)
- Launching a process as a different user
  - CreateProcessAsUser: requires the SeAssignPrimaryTokenPrivilege (and SeIncreaseQuotaPrivilege), so it is mostly useful from a service
  - CreateProcessWithLogonW: requires no special privileges; the user must be allowed to log on interactively (the work is done by the Secondary Logon service)
- Launching a process elevated
  - Call ShellExecute or ShellExecuteEx with the runas verb
- A thread can impersonate by obtaining an impersonation token and attaching it with the SetThreadToken API
- How to get an impersonation token:
  - DuplicateTokenEx (e.g. turn a primary token into an impersonation token)
  - LogonUser (then ImpersonateLoggedOnUser, which sets the thread token for you)
- Stop impersonating: RevertToSelf