Windows Local Privilege Escalation
Administrator Privilege Escalation
Windows Privileges and Access Control Mechanisms
There are four different concepts and mechanisms:
Security Identifier (SID)
Access token
Mandatory Integrity Control
User Account Control
Security Identifier
A SID is a unique value assigned to each entity, or principal, that can be authenticated by Windows, such as users and groups. The SID for local accounts and groups is generated by the Local Security Authority (LSA), and for domain users and domain groups, it’s generated on a Domain Controller (DC). The SID cannot be changed and is generated when the user or group is created.
The fundamental structure of a SID is S-R-X-Y, for example:
S-1-5-21-1336799502-1441772794-948155058-1001
“S” indicates that the string is a SID.
“R” stands for revision and is always set to “1”, since the overall SID structure is still on its initial version.
“X” determines the identifier authority, i.e. the authority that issued the SID. For example, “5” is the most common value for the identifier authority: it specifies NT Authority and is used for local or domain users and groups.
“Y” represents the sub authorities of the identifier authority. Every SID consists of one or more sub authorities. This part consists of the domain identifier and the relative identifier (RID). The domain identifier is the SID of the domain for domain users, the SID of the local machine for local users, and “32” for built-in principals. The RID identifies the individual principal, such as a user or group.
There are SIDs that have a RID under 1000, which are called well-known SIDs. These SIDs identify generic and built-in groups and users instead of specific groups and users. The following listing contains some useful well-known SIDs in the context of privilege escalation.
S-1-0-0 Nobody
S-1-1-0 Everybody
S-1-5-11 Authenticated Users
S-1-5-18 Local System
S-1-5-<domain identifier>-500 Administrator
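To make the S-R-X-Y layout and the well-known RID rule concrete, here is a small SID parser. It is an added example, not code from the original notes; the WELL_KNOWN table holds the entries from the listing above (plus S-1-5-32-544, the built-in Administrators group), and the Administrator rule applies to RID 500 under an S-1-5-21 domain identifier.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Well-known SIDs from the listing above, plus the built-in Administrators group.
WELL_KNOWN = {
    "S-1-0-0": "Nobody",
    "S-1-1-0": "Everybody",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "Administrators (built-in)",
}

# S-<revision>-<identifier authority>-<one or more sub authorities>
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass
class ParsedSid:
    revision: int
    identifier_authority: int
    sub_authorities: list
    domain_identifier: str   # everything before the RID, e.g. "S-1-5-21-..." or "S-1-5-32"
    rid: int                 # last sub authority: the relative identifier
    well_known: bool         # RID below 1000, per the text above
    name: Optional[str]      # resolved name, or None if this parser cannot tell


def parse_sid(sid: str) -> ParsedSid:
    """Split a SID string into its S-R-X-Y components and classify the RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(m.group(1))
    if revision != 1:
        raise ValueError(f"unexpected SID revision {revision}")
    authority = int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    rid = subs[-1]
    # The domain identifier is the SID with the RID stripped off.
    domain = "-".join(["S", str(revision), str(authority)] + [str(x) for x in subs[:-1]])
    name = WELL_KNOWN.get(sid)
    # Domain/local account SIDs: S-1-5-21-<three values>-RID; RID 500 is the
    # built-in Administrator account of that domain or machine.
    if name is None and authority == 5 and len(subs) == 5 and subs[0] == 21 and rid == 500:
        name = "Administrator"
    return ParsedSid(revision, authority, subs, domain, rid, rid < 1000, name)
```

Feeding the parser the SIDs printed by whoami /groups gives a quick view of which group memberships are well-known, built-in principals versus ordinary accounts.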
Impersonation Token
When a user starts a process or thread, a token is assigned to that object. This token, called a primary token, specifies which permissions the process or thread has when interacting with another object, and it is a copy of the user's access token. A thread can additionally have an impersonation token assigned. Impersonation tokens are used to provide a different security context than that of the process that owns the thread.
Mandatory Integrity Control
In addition to SIDs and tokens, Windows also implements what is known as Mandatory Integrity Control. It uses integrity levels to control access to securable objects. We can think of these levels as hierarchies of trust Windows has in a running application or securable object.
From Windows Vista onward, processes run on four integrity levels:
System: SYSTEM (kernel, ...)
High: Elevated users
Medium: Standard users
Low: very restricted rights, often used in sandboxed processes or for directories storing temporary data
We can display the integrity level of processes with Process Explorer, for our current user with whoami /groups, and for files with icacls.
User Account Control (UAC)
Another Windows security technology we need to consider is User Account Control (UAC). UAC is a Windows security feature that protects the operating system by running most applications and tasks with standard user privileges, even if the user launching them is an Administrator. For this, an administrative user obtains two access tokens after a successful logon. The first token is a standard user token (or filtered admin token), which is used to perform all non-privileged operations. The second token is a regular administrator token. It will be used when the user wants to perform a privileged operation. To leverage the administrator token, a UAC consent prompt needs to be confirmed.