How to prevent attackers from escalating privileges on a system after a successful infection

! Positive Technologies (PT Expert Security Center). , « » PT Sandbox .

. , , UAC , , PT Sandbox. .

— . . , . , .

, — , LSA (Local Security Authority) , , . explorer.exe, . , , , , . EPROCESS, OS Windows, . , .

, , , , - . : - → → API — ImpersonateLoggedOnUser, → .

, syscall NtOpenProcessToken. , , — , , DesiredAccess . , ProcessHandle 0xFFFF… ( 32- , F 64- ).

ImpersonateLoggedOnUser, , , : NtQueryInformationToken, NtDuplicateToken , NtSetInformationThread . .

, , , .

, CreateProcessWithTokenW advapi32. NdrClientCall4, : .

№ 1: → ( — , — ) → , Secondary logon service.

№ 2: , — 0.

— . rpcmon.

, , : « NdrClientCall4?» , — . , 32- 64- , NdrClientCall4. 64- , NdrClientCall3.

, , advapi32!LogonUserA/W . , , , . , NdrClientCall4, SspirLogonUser, .

PT Sandbox?

« » « » . , Write.Thread.Token.Impersonation, Create.Process.WithToken.Impersonation, Create.Token.LogonUser.Impersonation .

UAC: ,

, , . User Account Control — , , , , , . UAC , , , .

, UAC, . :

  • autoElevate, True;
  • ;
  • .

, , UAC: , system32 50 . UAC.

Wusa

, . Wusa, /extract → → DLL extract → , .

, DLL, . , Windows 10 Wusa extract.

UAC , — , . Fodhelper — Windows 10, . , , . , , fodhelper .

( ). .

, , . , , . , windir, ( ), . — , .

COM-

COM- — Windows, . , , , UAC.

IFileOperation, , — , COM-. → IFileOperation → system32 → sysprep.exe, → DLL. , DLL, . , .

, COM- — , , dllhost.exe.

Shim-

: , . shim- — .

, : , . :

  1. Windows — , API. , windows , «windows\system32».
  2. .
  3. DLL .
  4. DLL.

, «» , . : , , - .

PT Sandbox?

Create.Process.ExtraRegKey.UACBypass, Create.Process.EnvironmentVar.UACBypass, Create.Process.DirectoryMock.UACBypass, Create.Process.COMDLLHijack.UACBypass .

PT Sandbox 2020 , Polpo UAC, — .

2015 APT28 CVE-2015-1701 ( zero day) . - MD5 .

: CreateWindowExW , kernel_steal_token.

API- CreateWindowExW, hooked_ClientCopyImage. SetWindowLongPtrW, — , — – 4 — , . , , , .

PsLookupProcessByProcessId → , — EPROCESS → → , , . , .

CVE-2015-1701 PT Sandbox: .

PsLookupProcessByProcessId?

, PsLookupProcessByProcessId . ?

NtQuerySystemInformation SystemInformationClass, 11. () . OS — .

→ PsLookupProcessByProcessId ( ) → → «» ( ) → .

, , 2011 FIN6 , . , , — HalDispatchTable. , , , 4- , , syscall , .

. , Fancy Bear 2016 zero day.

APT FruityArmor .

PT Sandbox? OS . (, .)

, PT Sandbox , . , .

PT Sandbox

PT Sandbox — . ( ). — , . , , , , . PT Sandbox .

, , , . PT Expert Security Center — .

:

PT ESC