Local Privilege Escalation
Basic Enumeration
Local Enumeration
Windows Services Exploitations
Service Binary Hijacking
This attack involves replacing the service binary with a malicious version and then restarting the service so the replacement runs with the service's privileges.
Service DLL Hijacking
This attack is similar to "Service Binary Hijacking", but instead of replacing the binary itself, it involves overwriting a DLL that the binary loads.
Another method is to hijack the DLL search order. When a DLL is loaded without a full path, Windows searches the following locations in order:
1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable.
Unquoted Service Paths
This attack relies on how Windows resolves the executable path of a service when that path is unquoted and contains spaces.
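As an added defender-side check, not part of the original page, the PowerShell below audits the local machine for services whose binary path is unquoted and contains a space, and quotes the ImagePath for a named service. The function names are hypothetical, and the repair function must be run from an elevated shell.

```powershell
# Audit: list services whose binary path is unquoted and contains a space.
# (Hypothetical helper written for this page, not from the original.)
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        # Already quoted paths are resolved unambiguously; skip them.
        if ($path.TrimStart().StartsWith('"')) { return }
        # Isolate the executable portion (everything up to and including .exe).
        $exe = ($path -split '(?i)\.exe')[0] + '.exe'
        if ($exe -match '\s') {
            [pscustomobject]@{
                Name       = $_.Name
                StartName  = $_.StartName   # account the service runs as
                StartMode  = $_.StartMode
                PathName   = $path
                Executable = $exe
            }
        }
    }
}

# Remediation: wrap the executable portion of ImagePath in quotes,
# preserving any arguments that follow it. Requires administrator rights.
function Repair-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $img = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($img.TrimStart().StartsWith('"')) { return }
    $exe  = ($img -split '(?i)\.exe')[0] + '.exe'
    $tail = $img.Substring($exe.Length)
    Set-ItemProperty -Path $key -Name ImagePath -Value ('"{0}"{1}' -f $exe, $tail)
}

# Example run: report findings; pass a Name to Repair-UnquotedServicePath to fix one.
Get-UnquotedServicePath | Format-Table -AutoSize
```

Services running as LocalSystem whose parent directories are writable by standard users are the ones to fix first, since those are the cases the attack described above depends on.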
Scheduled Tasks
Windows Task Scheduler can execute automated tasks. These tasks can run binaries as well as scripts, and each scheduled task runs on behalf of a specific user account.
Token impersonation
Windows identifies users by generating an access token assigned to each user. This token contains information about the user's privileges. When a user runs a process or thread, the primary token is assigned, specifying the permissions for that process. A thread can also have an impersonation token assigned, which provides a different security context; in this case, the process will run based on the impersonation token instead of the primary token.