ATT&CK Series: Process Injection, Bypass User Account Control, Exploitation for Privilege Escalation
November 06, 2018
When it comes to network security and protecting against potential breaches, a vast majority of companies spend large portions of their budget on hardening the perimeter of their networks to prevent initial access. Some commonly overlooked factors are implementing host-based access controls and hardening systems and applications within internal networks to mitigate an attacker from escalating privileges after an initial foothold has been gained.
In this post, we will delve into ATT&CK’s Privilege Escalation techniques and tactics from an adversarial perspective. The key techniques we will be covering don’t represent the entire attack surface available to an attacker once an initial foothold has been gained but rather the “low hanging fruit” and some more advanced methods that are commonly seen today.
One of the first things I like to do when establishing an initial foothold on a penetration test is to gain persistence on a system, in the event I lose my initial access. One way to do this is through process injection. Injecting arbitrary code into a legitimate running process is a common way to bypass host-based security controls as you are running in the context of another process. Through process injection, it may be possible to access system resources or privileges that the process is running under. We’re going to cover a couple approaches to windows process injection including Dynamic Linked Library (DLL) Injection and Thread Execution Hijacking.
DLL injection is the process of introducing code into a running process in the form of DLL files since they are called and loaded at runtime of the process. The general steps are first attaching to the process, allocating memory within the process, copying the DLL or the address of the DLL, and finally instructing the process to execute the DLL. Typically processes with administrative privileges are targeted as this gives you access to a multitude of further post exploitation avenues. It is important to note this procedure of gaining persistence is increasingly difficult as digital signatures from security products are updated daily.
The next technique we will cover is thread execution hijacking which is closely to related to DLL injection in the fact that we are utilizing the elevated privileges of the running process to invoke code. The idea here is that rather than starting a new thread in the process we are targeting, we hijack an existing thread in a process to change the instruction that is going to execute next and have it execute malicious code and then return back to where the code was prior to the execution of malicious code. It is important to note if Data Execution Prevention (DEP) is in place, this will not work as you cannot alter the assembly stack to point to your malicious code.
The risk associated with process injection is relatively high since there are plenty of running processes in a Windows environment running with elevated privileges. This is common as process and DLL injection from third party applications and software can extend functionality. Even anti-virus applications inject code into certain programs to monitor network traffic and block presumably dangerous content. It is almost never safe to inject code into a native program or process whether or not its arbitrary as it could cause resource and synchronization issues within the program itself. In addition, there is a possibility that the targeted application or service will crash.
There are multiple ways to defend against process injection. One of the most common methods is to maintain updated anti-virus signatures. New signatures are constantly being written for evolving malware emphasizing the need for staying up-to-date. In addition, restricting specific Windows API calls that are commonly known for having unintended side effects. Lastly, utilize programs that actively monitor processes and can alert when unusual DLLs or potentially malicious code is loaded into a legitimate running process. As with everything, there are legitimate uses for process injection and maintaining a balanced approach is key to a functional and user-friendly Windows environment.
The woes of user account control and limitations in the Windows enterprise environment have always been a point of contention. Users want more functionality and freedom to do their everyday work and information security (INFOSEC) personnel want to limit administrative rights. When Windows first launched Vista, they added a security feature called User Account Control (UAC) that ensured standard users could not make changes that required administrative privileges. A process or function requiring elevated rights would prompt a user to enter administrative credentials to be successfully executed. UAC can still be found in Windows 10 today with added security features and functionality.
There are various methods that can be used to bypass UAC, several of which involve hijacking special registry keys under current user hives. This is performed by injecting custom input turning off the UAC option. When a certain process is invoked, malicious code can be executed without a prompt for UAC. Another interesting concept involves lateral movement to elevate privileges. Process integrity levels only apply to the current system. On other network resources your access token is what counts. So if you have a standard user with limited permissions, who has local admin rights on another system, it may be possible to copy an executable to said system and run it with full administrative rights. This may allow an attacker to repeat the process on the system to gain full admin access.
The recommended and most efficient fix for UAC bypass techniques is to only allow trusted individuals to have local administrative access. Doing so limits the attack surface in a Windows environment. Windows 10 provides various UAC policies if disabling is not an option.
Lastly, I am going to cover one of the most prevalent ways to gain elevated privileges. Over the last couple of decades, there has been an abundance of exploits linked to bugs in software and applications as well as operating systems and kernel versions. For example, MS17-010 (Eternal Blue) has caused exploits such as WannaCry to do mass damage worldwide. With so many third-party applications and software installed in domain environments it is critical to stay up to date with patching regularly and decommissioning End-Of-Life (EOL) software.
Like the brief description I gave earlier regarding the abundance of emerging exploits, it is highly likely to find a piece of software or an unpatched system in an enterprise environment that can lead to full administrative access. Some of these exploits can even be executed from a networks perimeter, allowing for complete administrative control over a system while gaining an initial foothold within a network.
The absolute best way to prevent and defend against these common exploits is to have a robust patch management program in place that adheres to industry standards. Although this is a somewhat of a reactive approach, when bugs and exploits are found, most reputable companies have a system update or patch available in a timely manner to minimize risk. Another important factor is being weary when implementing non-reputable third-party applications and software as they may lack the support for updating bugs and exploits as they are discovered, leaving the systems they reside on vulnerable to potential exploitation.
So, we have now covered three common privilege escalation techniques used by attackers after initial access. It is important to note that these are merely a few techniques used today. As techniques and tactics are ever changing, it is crucial to stay up-to-date with the latest methods attackers are using to escalate privileges in both Windows and Linux environments. This series will continue covering various ATT&CK techniques and tactics used today, providing knowledge on risk to networks as well as respective mitigation strategies.