Local Privilege Escalation
This attack involves replacing the service binary with a malicious version and then restarting the service.
This attack is similar to "Service Binary Hijacking", but instead of replacing the binary, it involves overwriting a DLL that the binary uses.
Another method is to hijack the DLL search order.
This attack relies on how Windows resolves an executable path when it is unquoted.
Windows Task Scheduler can execute automated tasks. These tasks can execute binary files as well as scripts. A scheduled task runs on behalf of a user.
Windows identifies users by generating an access token assigned to each user. This token contains information about the user's privileges. When a user runs a process or thread, the primary token is assigned, specifying the permissions for that process. A thread can also have an impersonation token assigned, which provides a different security context; in this case, the process will run based on the impersonation token instead of the primary token.