4/19/2023 0 Comments Process monitor file accessLet's start by looking at a boot log of a common baseline that we might deal with as a vulnerability analyst - a 64-bit Windsystem with VMware Tools installed:Įven with virtually no software installed in our VM, we can already see something suspicious: C:\Program Files\ Look for and investigate unexpected file accesses.Apply the Privesc filter (Filter → Load Filter → Privesc).Import the "Privesc" filter (Filter → Organize Filters → Import.).Enable Process Monitor boot logging (Options → Enable Boot Logging).Using the Privesc.PMF Process Monitor filter is relatively straightforward: But I've created a filter that seems to do a pretty good job of making privilege escalation vulnerabilities pretty obvious. Check 3 is a little more complicated and may result in some false positives if we limit our tool to strictly what can be done with a Process Monitor Filter. Locations that may be writable by an unprivileged user.Ĭhecks 1 and 2 can be trivially implemented in Process Monitor.Processes that have elevated privileges.Files or directories that do not exist.The easiest way to check for privileged processes that might be able to be influenced by non-privileged users is to use a Process Monitor filter that displays operations based on the following attributes: How might we achieve privilege escalation on a Windows system? Any time that a privileged process interacts with a resource that an unprivileged user may be able to influence, this opens up the possibility for a privilege escalation vulnerability. These privileged components generally take two forms: When software is installed on the Windows platform, some components of it may run with privileges, regardless of which user is currently logged on to the system. In this post I will share some of my findings as well as the filter itself for finding privilege escalation vulnerabilities with Sysinternals Process Monitor (Procmon). Just like the idea of going directly from fuzzing with BFF to a working exploit became less and less viable as time went on, I'd like for there to be much less low-hanging fruit that can be easily found with this technique. In fact, the concept is so trivial that I was surprised by how successful it was in finding vulnerabilities. Both with respect to how easy it is to find the vulnerabilities and also how easy it can be to exploit them. I have recently worked on a vulnerability discovery technique that reminded me of the early BFF days. Increased presence of exploit mitigations in both software and the platforms that they run on.Increased fuzzing by parties releasing software.This can likely be attributed to two things that happened over the years: As time went on, the bar for exploiting memory corruption vulnerabilities was raised. It was often relatively straightforward to go from Start to PoC with CERT BFF.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |