Class 7 ‐ Windows Privilege Escalation - Justin-Boyd/Ethical-Hacking-Class GitHub Wiki

Windows Privileges

Windows Privilege Types

  • Local
    • Guest User
      • Allows anyone to have initial access to the PC with limited privileges
    • Regular User
      • Basic account permissions
    • Admin
      • Privileged account on the local system
    • NT Authority
      • Highest privilege level on the local system
  • Domain
    • Regular User
      • Domain default: ‘Users’ group with default permissions
    • Delegated Admin
      • Additional administrative privileges
    • Domain Admin
      • Highest level of privileges within the domain
    • Enterprise Admin
      • Can access any resource in the entire organization

Net.exe Utility

  • Microsoft Windows software component
  • Executed via CMD
  • Manages users, groups, and services
  • Can also manage network connections

Windows Local PE

Privilege Escalation

  • Actions taken to elevate a user’s privilege level
  • The aim is to achieve complete control of the system

PE via WinLogon

  • WinLogon: the Windows login screen process
  • Ease of Access: accessibility tools (such as Sticky Keys, sethc.exe) that WinLogon can launch from the login screen
  • Privilege: leveraging WinLogon’s system privileges to launch CMD as NT Authority

Flow of PE via WinLogon

  • OS
    • Choose a suitable live OS
  • Mount
    • Boot and mount the live OS
  • Edit
    • Overwrite sethc.exe with cmd.exe
  • CMD
    • Trigger Sticky Keys at the login screen so cmd.exe runs with high-level privileges
  • PE
    • Add a user or change a password
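Because the technique above only works if an accessibility binary in System32 has been swapped for cmd.exe, a defender can detect it by checking those binaries directly. The PowerShell snippet below is an added example for this page, not code from the class notes or the repository: it compares each Ease of Access executable against cmd.exe by SHA-256, verifies its Authenticode (catalog) signature, and compares the PE header's OriginalFilename with the file name. Only sethc.exe is named in the notes; the other file names in `$targets` are an assumption that the remaining accessibility helpers deserve the same check.

```powershell
# Added defender-side check (not part of the class notes): confirm that the
# accessibility binaries WinLogon can launch from the login screen are still the
# Microsoft-signed originals rather than a renamed copy of cmd.exe.
$system32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash -Algorithm SHA256 (Join-Path $system32 'cmd.exe')).Hash

# sethc.exe is the binary the notes describe; the other names are an assumption
# that every Ease of Access helper should be checked the same way.
$targets = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'

foreach ($name in $targets) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { continue }

    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    $sig  = Get-AuthenticodeSignature $path
    $orig = (Get-Item $path).VersionInfo.OriginalFilename

    $findings = @()
    if ($hash -eq $cmdHash)          { $findings += 'byte-identical to cmd.exe' }
    if ($sig.Status -ne 'Valid')     { $findings += "signature status is $($sig.Status)" }
    if ($orig -and $orig -ine $name) { $findings += "OriginalFilename is '$orig'" }

    # One result object per file; pipe to Format-Table or Export-Csv as needed.
    [pscustomobject]@{
        File     = $name
        Status   = if ($findings) { 'SUSPECT' } else { 'OK' }
        Findings = ($findings -join '; ')
    }
}
```

Run it from an elevated PowerShell prompt on the host being audited. The signature check alone is not enough, because a copied cmd.exe is itself Microsoft-signed; the hash comparison and the OriginalFilename mismatch are what expose the swap. Pair the check with the offline mitigations in the next section, since the swap is made from outside the running OS.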

Offline Mitigations

  • BIOS Password: protects the computer against having its boot order changed
  • Encrypt the Drive: prevents an external live OS from reading or modifying the drive
  • Physical Access: limit physical access to the hardware

Online Mitigations

  1. Principle of Least Privilege
  2. Removing local admin rights
  3. Account audits
  4. User Account Control (UAC)
  5. AppLocker
  6. Software
  7. Code
  8. Tokens

Post Exploitation

  • Begins once a system is compromised
  • Provides a way to maintain access
  • Often involves creating hidden users on the system

Hiding the User

  • User List Tools
    • Hiding a new user from user list tools by appending $ to the account name
  • Login Screen
    • Hiding a new user from the login screen via a registry key
  • These operations may be logged in the Event Viewer, so the logs would have to be hidden as well.

Hiding the User via Regedit

  • Use Regedit.exe to navigate the registry tree.
  • Under the Winlogon key, add a new key called SpecialAccounts that contains a key called UserList.
  • Add a value to UserList, named after the account, to hide that user.
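Both hiding techniques above leave artifacts that an account audit can pull back out. The PowerShell script below is an added example for this page, not code from the class notes or the repository. It lists local accounts whose names end in `$` (which `net user` omits but `Get-LocalUser` still returns), reads the SpecialAccounts\UserList key under Winlogon (the full path is assumed from standard Windows, since the notes only name the two subkeys), and pulls recent account-creation events (Security log Event ID 4720) so that a hidden account can still be tied to a time and a creator.

```powershell
# Added defender-side audit (not part of the class notes): surface local accounts
# hidden with either of the techniques the notes describe.
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# 1. Accounts whose name ends in '$': 'net user' leaves them out, Get-LocalUser does not.
$dollarAccounts = Get-LocalUser | Where-Object { $_.Name -like '*$' }

# 2. Accounts hidden from the login screen: a DWORD named after the account and set
#    to 0 under SpecialAccounts\UserList. The key does not exist on a default install,
#    so its mere presence is worth a look.
$hiddenFromLogon = @()
if (Test-Path $userListKey) {
    $props = Get-ItemProperty -Path $userListKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip PSPath/PSParentPath/... metadata
        if ($p.Value -eq 0) { $hiddenFromLogon += $p.Name }
    }
}

# 3. Recent account creations (Security log, Event ID 4720). Property order for this
#    event: [0] TargetUserName, [4] SubjectUserName (the account that did the creating).
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value
            Creator = $_.Properties[4].Value
        }
    }

'--- Local accounts with a "$" suffix ---'
$dollarAccounts | Select-Object Name, Enabled, LastLogon
'--- Accounts hidden from the login screen via UserList ---'
if (Test-Path $userListKey) { $hiddenFromLogon } else { '(UserList key not present)' }
'--- Recent account creations (Event ID 4720) ---'
$created
```

Run it elevated: reading the Security log needs administrator rights, and the Winlogon key is readable but the audit is only meaningful alongside the event data. An empty `$`-suffix list plus a missing UserList key is the expected state on a clean machine; anything else is a finding to investigate, and the 4720 events give the timeline that the notes say an attacker would also have to erase.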