4 - Privilege Escalation
One key feature of this approach is that we found some very interesting things can be done without a specific privilege escalation flaw. Work is also under way to port existing credential access tools over to this framework, with the intent of being novel and evasive (see section 6), so credentials obtained through discovery and credential access may be sufficient for many attacks to succeed in performing administrative actions.
In general, privilege escalation techniques are fairly transient in nature, with new CVEs coming out all the time (and hopefully patched soon after). So the more generic concept here for red teams / penetration testers is to take the most recent escalation CVE and deliver it via AutoIT to see whether it evades AV/EDR detection. Let's face it: at the end of the day, a lot of detection is just regex, so if you change the attack a bit, sometimes it slips through. If this is a red team party, I say BYOPE to make it fun and interesting every time.
What does this mean from a detection engineering and defensive perspective? The fundamental discipline should be to red/purple team the latest escalation attacks in a variety of different ways, tuning controls, writing rules, and adapting response procedures based on what is learned. The question we all need to ask is: what can we detect that is universal to a bad occurrence, and consistent across all the different ways that undesirable outcome is initiated? Remember that sometimes this is a chain of occurrences that is particularly meaningful only when they all happen in a certain sequence.
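As an added illustration of the outcome-centric detection idea above (this is example code written for this page, not part of the framework it describes), the following rule ignores which image or CVE did the escalating and instead keys on the outcome that is common to every variant: a child process running at a higher integrity level than the parent that spawned it shortly before. It also reconstructs the ancestry chain so the sequence of occurrences leading to the jump is preserved for the analyst. The telemetry records, field names (`ts`, `pid`, `ppid`, `image`, `integrity`), the integrity labels and image names such as `script_host.exe` are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original page): one record per process start.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "pid": 100, "ppid": 1,   "image": "explorer.exe",    "integrity": "Medium"},
    {"ts": "2024-01-01T10:00:05", "pid": 200, "ppid": 100, "image": "script_host.exe", "integrity": "Medium"},
    {"ts": "2024-01-01T10:00:07", "pid": 300, "ppid": 200, "image": "helper.exe",      "integrity": "Medium"},
    {"ts": "2024-01-01T10:00:09", "pid": 400, "ppid": 300, "image": "cmd.exe",         "integrity": "System"},
    {"ts": "2024-01-01T11:00:00", "pid": 500, "ppid": 1,   "image": "services.exe",    "integrity": "System"},
    {"ts": "2024-01-01T11:00:01", "pid": 600, "ppid": 500, "image": "svchost.exe",     "integrity": "System"},
]

# Ordering of Windows-style integrity labels; a child above its parent is the outcome we care about.
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


def ancestry(event, by_pid, max_depth=32):
    """Return the image names from the oldest known ancestor down to this event.

    A visited set and depth cap guard against ppid cycles caused by pid reuse.
    """
    chain = [event["image"]]
    seen = {event["pid"]}
    current = event
    while len(chain) < max_depth:
        parent = by_pid.get(current["ppid"])
        if parent is None or parent["pid"] in seen:
            break
        chain.append(parent["image"])
        seen.add(parent["pid"])
        current = parent
    return list(reversed(chain))


def find_integrity_jumps(events, window_seconds=60):
    """Flag any process whose integrity level exceeds that of its parent.

    The rule deliberately does not look at image names or command lines, so it
    fires the same way regardless of which technique produced the elevation.
    The time window ties the two occurrences together as one sequence rather
    than an unrelated parent that happened to start long before.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue  # root of the tree, nothing to compare against
        if INTEGRITY_RANK[child["integrity"]] <= INTEGRITY_RANK[parent["integrity"]]:
            continue  # no elevation relative to the parent
        delta = datetime.fromisoformat(child["ts"]) - datetime.fromisoformat(parent["ts"])
        if delta > timedelta(seconds=window_seconds):
            continue  # too far apart to treat as one chain of occurrences
        findings.append({
            "pid": child["pid"],
            "image": child["image"],
            "from": parent["integrity"],
            "to": child["integrity"],
            "chain": ancestry(child, by_pid),
        })
    return findings


if __name__ == "__main__":
    for hit in find_integrity_jumps(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} {hit['image']}: {hit['from']} -> {hit['to']} via {' > '.join(hit['chain'])}")
```

On the constructed data the rule produces a single finding for pid 400 with the chain `explorer.exe > script_host.exe > helper.exe > cmd.exe`, while the `services.exe` to `svchost.exe` pair is ignored because both already run at the same level. The point for tuning is that the same rule is exercised by every escalation variant a purple team throws at it; what changes between runs is the chain, not the trigger condition.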