Auto-Elevate

This tool demonstrates the power of UAC bypasses and built-in features of Windows. This utility auto-locates winlogon.exe, steals and impersonates it’s process TOKEN, and spawns a new SYSTEM-level process with the stolen token. Combined with UAC bypass method #41 (ICMLuaUtil UAC bypass) from hfiref0x’s UACME utility, this utility can auto-elevate a low privileged Administrative account to NT AUTHORITY\SYSTEM.

The following image demonstrates using UACME combined with Auto-Elevate to go from a low-privileged Administrator account to NT AUTHORITY\SYSTEM on Windows 10 21H1.

demonstrates using UACME combined with Auto-Elevate

The following image demonstrates escalation from a high-privileged Administrator account to SYSTEM without a UAC bypass

demonstrates escalation from a high-privileged Administrator

Technical Explanation

The following steps are performed by Auto-Elevate to escalate from a low-privileged Administrator to SYSTEM:

Auto-Elevate to escalate from a low-privileged Administrator

Auto-Elevate

  1. The winlogon.exe process is located by enumerating the systems running processes with CreateToolhelp32Snapshot, Process32First, and Process32Next
  2. SeDebugPrivilege is enabled for the current process via a call to AdjustTokenPrivileges, as it’s required to open a HANDLE to winlogon.exe
  3. A handle to the winlogon.exe process is opened by calling OpenProcess, for this call PROCESS_ALL_ACCESS is used (however, it’s overkill)
  4. A handle to winlogon’s process token is retrieved by calling OpenProcessToken combined with the previously obtained process handle
  5. The user (SYSTEM) of winlogon is impersonated by calling ImpersonateLoggedOnUser
  6. The impersonated token handle is duplicated by calling DuplicateTokenEx with SecurityImpersonation, this creates a duplicated token we can use
  7. Using the duplicated, and impersonated token a new CMD instance is spawned by calling CreateProcessWithTokenW

To-Do

  • Implement a standalone version of method 41 from UACME (or similar) to automate the process further

MITRE ATT&CK Mapping

  • Token Manipulation: T1134
  • Access Token Manipulation: Token Impersonation/Theft: T1134.001
  • Access Token Manipulation: Create Process with Token: T1134.002
  • Access Token Manipulation: Make and Impersonate Token: T1134.003


Share this post




About

Welcome to Cyber-Security.tk my personal blog to share my knowledge
Cyber Security, Ethical Hacking, Web & Network Auditing, Reverse Engineering and Cryptography
This website don't use analytics tracking and is ads-free. JavaScript is enabled .


Contact

Contact Form : Connect with Us

    Ricochet : ricochet:3ka6l4q255cakeirgxupsl5i4lw3qpk5gmngtv5amax64hckuovgozyd


2023 © 0x1 | Cyber Security Consulting - Copyright All Rights Reserved