Recently, several new techniques have become available that allow an attacker to exploit legitimate Windows services to escalate low-level privileges on the system relatively easily and gain full control.
Antonio Cocomazzi, a system engineer at SentinelOne, warns that the new exploit will take advantage of the same or similar Windows service features that attackers have previously exploited and will work with some of the latest versions of the operating system. Cocomazzi described some techniques at a briefing at this week’s Black Hat Asia 2021 Virtual Conference.
For organizations, the biggest problem dealing with these attacks is to retain spoofing privileges and exploit services that exist by design in the Windows operating system, Cocoazzi tells Dark Reading. According to Cocomazzi, these services are enabled and available by default and play a key role in implementing web servers, database servers, mail servers, and other services.
“These recent technologies allow attackers to exploit even the latest updated Windows systems,” he says.
Exploits, known as “juicy potatoes,” continue to be the most common way for attackers to elevate privileges on Windows systems using legitimate Windows services, Cocoazzi said. SentinelOne has observed evidence that this exploit is being used in multiple APT campaigns, he adds.
There are no signs that new and updated technologies are actually being used, but that does not mean that they are not being actively used.
“Given the recent discoveries of these technologies, it’s only a matter of time before they are discovered. [and] It will be used by attackers in future attacks, “he says.
Juicy Potato is an exploit that allows attackers with low-level service privileges to gain system-level access on Windows systems. This exploit takes advantage of a Windows impersonation privilege setting called “SeImpersonatePrivilege”. Microsoft first introduced this feature in Windows 2000 SP4. Ironically, “An unauthorized server impersonates a client“Connect to them remotely via a remote procedure call or what is known as a named pipe.
On a service-enabled system, an attacker only needs to download the JuicyPotato tool and use it to execute selected malicious code, such as configuring a reverse shell payload. is.
“Juicy Potato tricks the DCOM activation service into making privileged and authenticated RPC calls to a malicious RPC server under the control of an attacker,” says Cocoazzi.
It then takes several steps that allow an attacker to steal tokens that allow them to perform malicious activities with system-level privileges.
Microsoft has fixed an exploit in a newer version of the software. However, JuicyPotato will continue to work on all updated Windows Servers up to version 2016 and on all updated Windows client machines up to version 10 and build 1803. Also, new versions of so-called Potato family exploits such as Rogue Potato and Juicy 2 are available, bypassing Microsoft’s fix to shut down Juicy Potato, Cocoazzi said.
In addition, several other exploits are available that allow an attacker to exploit impersonation privilege settings and other Windows services to gain system-level access on Windows systems. Examples include RogueWinRM, PrintSpoofer, and impersonation of network services. Each of these tools exploits a variety of Windows services and mechanisms to give an attacker the most privileged access on a Windows machine. NT authority / system privilege.
“In recent years, one of the most used / exploited exploits for privilege escalation from service breaches was Juicy Potato,” he says. “Since then, we have seen other exploits that exploit the same concept. Forcing more privileged services to authenticate resources under the control of the attacker, and the attacker steals and uses the privileged authentication. I will be able to do it. ”
The most powerful threat
Cocomazzi describes Rogue Potato and Print Spoofer as the two most powerful Windows privilege escalation techniques currently available to attackers. This is because exploits work on all Windows client and server installations and require very few requirements to work properly.
PrintSpoofer exploits a privileged internal Windows component called the “spooler” service.
“It’s ideal for attackers because it doesn’t require any interaction with the external network and can run completely locally,” says Cocoazzi.
RoguePotato, on the other hand, exploits another important (very abused) Windows service “rpcss”. This exploit provides a way for an attacker to trick rpcs into authenticating resources under attacker control, allowing an attacker to steal and use authentication and execute code remotely with system-level privileges. I will. Unlike PrintSpoofer, the RoguePotato exploit requires network interaction. However, it’s much harder to mitigate because you can’t stop the rpcss service like the spooler service, says Cocomaszi.
My favorite target is a web application running on a Windows server. A common scenario is for an attacker to compromise a web server app such as IIS or MSSQL and use its scaffolding to gain some form of restricted access to the server by elevating privileges.
Security researchers say that the best way for organizations to mitigate the threat posed by these techniques is to apply the principle of least privilege. Organizations should take advantage of the Windows Service Enhancement (WSH) mechanism to isolate and limit service privileges. For example, disable impersonation privileges.
“As an attacker’s favorite target is the IIS web server, applying some restrictions to the application pool IDs used by the system could be a good way to protect against these techniques. “Cocomazzi says.
Using the default configuration provided by the operating system, he says, can make an organization vulnerable to these attacks.
Jai Vijayan is an experienced technology reporter with over 20 years of experience in IT trade journalism. He was recently the lead editor of Computerworld, addressing the issues of information security and data privacy in publications. During his 20 years … View complete biography
New technologies for exploiting Windows services emerge …
https://www.darkreading.com/threat-intelligence/new-techniques-emerge-for-abusing-windows-services-to-gain-system-control/d/d-id/1340948?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple New technologies for exploiting Windows services emerge …