
Threat Intelligence

5/6/2021 05:20 PM

New Techniques Emerge for Abusing Windows Services to Gain System Control

Organizations should apply principles of least privilege to mitigate threats, security researcher says.

Several new techniques have become available recently that give attackers a way to abuse legitimate Windows services and relatively easily escalate low-level privileges on a system to gain full control of it.

The newer exploits take advantage of the same or similar Windows services capabilities that attackers have abused previously and work on even some of the more recent versions of the operating system, warns Antonio Cocomazzi, system engineer at SentinelOne. Cocomazzi described some of the techniques in a briefing at the Black Hat Asia 2021 virtual conference this week.


For organizations, the biggest problem in dealing with these attacks is that they abuse services that hold impersonation privileges and exist by design in Windows operating systems, Cocomazzi tells Dark Reading. The services are enabled and available by default, and they play an essential part in the implementation of Web servers, database servers, mail servers, and other services, Cocomazzi says.

"These recent techniques allow an attacker to exploit even the latest and updated Windows systems," he says.

An exploit known as "Juicy Potato" continues to be the most common way for attackers to escalate privileges on a Windows system using a legitimate Windows service, Cocomazzi says. SentinelOne has observed evidence of the exploit being used in multiple APT campaigns, he adds.

There have been no signs of the newer techniques being used in the wild, but that does not mean they are not being actively exploited.

"Considering that those techniques have been discovered recently, it's just a matter of time before they will be found [and] used by attackers in the future attacks," he says.

Juicy Potato is an exploit that allows an attacker with low-level service privileges on a Windows system to gain system-level access on it. The exploit takes advantage of an impersonation privilege in Windows called "SeImpersonatePrivilege." Microsoft first introduced the feature in Windows 2000 SP4, ironically enough as a security measure to prevent "unauthorized servers from impersonating clients" that connect to them remotely via remote procedure calls or what are known as named pipes.

On systems where the service is enabled, all an attacker would need to do is download the JuicyPotato tool and use it to execute malicious code of their choice — like setting a reverse shell payload.

"JuicyPotato tricks the DCOM activation service into performing a privileged and authenticated RPC call to a malicious RPC server under attacker control," says Cocomazzi.

It then performs a few further steps to steal a token that lets the attacker carry out malicious activity with system-level privileges.

Microsoft has fixed the exploit in newer versions of its software. But JuicyPotato still works on every fully updated Windows Server release up to and including Windows Server 2016, and on every fully updated Windows client up to Windows 10 build 1803, he says. And newer members of the so-called Potato family of exploits — such as RoguePotato and Juicy 2 — are now available that bypass the Microsoft fix that shut down JuicyPotato, Cocomazzi says.

In addition, several other exploits are available that let attackers abuse impersonation privileges and other Windows services to gain system-level access. Examples include RogueWinRM, PrintSpoofer, and Network Service Impersonation. Each of these tools abuses a different Windows service or mechanism to give attackers the most privileged account on a Windows machine: NT AUTHORITY\SYSTEM, he notes.

"In recent years, one of the most used/abused exploits for privilege escalation from a service compromise was the JuicyPotato," he says. "Since then, other exploits have been seen that abuse the same concepts: coercing a more privileged service into authenticating a resource under the attacker's control, thus allowing the attacker to steal and use the privileged authentication."

Most Potent Threats
Cocomazzi describes RoguePotato and PrintSpoofer as the two most potent Windows privilege escalation techniques currently available to attackers. That's because the exploits work in every Windows client and server installation and require very few conditions to function correctly.

PrintSpoofer abuses the Windows Print Spooler, a highly privileged internal component that runs as the "Spooler" service.

"It does not require any external network interaction and could be run fully locally, which is ideal for an attacker," Cocomazzi says.

RoguePotato, meanwhile, abuses "rpcss," another critical — and highly abused — Windows service. The exploit gives attackers a way to trick rpcss into authenticating to a resource under the attacker's control, so the attacker can steal and use that authentication to remotely execute code with system-level privileges. Unlike PrintSpoofer, the RoguePotato exploit requires network interaction. But it is a lot harder to mitigate because the rpcss service cannot simply be stopped the way the spooler service can, Cocomazzi says.

Web applications running on Windows servers are a favorite target. A common scenario is for attackers to gain some form of limited access to the server by compromising a server application such as IIS or MSSQL and then using that foothold to elevate privileges.

The best way for organizations to mitigate the threat posed by these techniques is to apply the principle of least privilege, the security researcher says. Organizations should take advantage of the Windows Service Hardening (WSH) mechanism to segregate and restrict service privileges — for example, by disabling impersonation privileges.

"The favorite targets for attackers are the IIS Web servers, so applying some restrictions on the application pool identities used by the system could be a great way to be protected against those techniques," Cocomazzi says.

Using the default configuration offered by the operating system can leave organizations vulnerable to these attacks, he says.
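The mitigation advice above (least privilege, Windows Service Hardening, restricted IIS application pool identities, and stopping the spooler where it is not needed) can be turned into a repeatable audit. The script below is an added example written for this page; it is not code from the article or from SentinelOne, and its function names are its own. It assumes an elevated Windows PowerShell session on the server being reviewed, and it skips the IIS section when the WebAdministration module is not installed.

```powershell
# Added defensive audit example (not from the article or SentinelOne).
# Assumes an elevated Windows PowerShell session on the server under review.

function Get-ImpersonatePrivilegeHolders {
    # Export the local security policy and read the "Impersonate a client after
    # authentication" user right, which is SeImpersonatePrivilege. secedit writes
    # the grantees as SIDs, e.g. "*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20".
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $account = '(unresolved)' }
        [pscustomobject]@{ Sid = $sid; Account = $account }
    }
}

function Get-ServiceImpersonationExposure {
    # Windows Service Hardening lets each service declare the privileges it
    # needs ("sc.exe qprivs <name>" shows the list; "sc.exe privs <name> <list>"
    # sets it). A service is flagged when it declares SeImpersonatePrivilege, or
    # when it declares nothing while running as an account that holds the
    # privilege by default, because it then keeps the account's full privilege set.
    $defaultHolders = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $declared = @(sc.exe qprivs $svc.Name 2>$null |
                      Select-String -Pattern 'Se\w+Privilege' -AllMatches |
                      ForEach-Object { $_.Matches.Value })
        if ($declared.Count -gt 0) {
            $exposed = $declared -contains 'SeImpersonatePrivilege'
            $summary = $declared -join ','
        } else {
            $exposed = $defaultHolders -contains $svc.StartName
            $summary = '(none declared: full account privileges)'
        }
        if ($exposed) {
            [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName; State = $svc.State; Privileges = $summary }
        }
    }
}

function Get-IisAppPoolIdentities {
    # The IIS worker process runs with the pool identity's privileges, so list
    # which identity type each pool uses. Pools left on built-in identities are
    # candidates for dedicated, low-privilege accounts.
    if (-not (Get-Module -ListAvailable -Name WebAdministration)) { return @() }   # IIS not installed
    Import-Module WebAdministration
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        [pscustomobject]@{
            Pool         = $pool.Name
            IdentityType = $pool.processModel.identityType
            UserName     = $pool.processModel.userName
        }
    }
}

function Test-SpoolerRunning {
    # PrintSpoofer depends on a running Print Spooler; servers that never print
    # can stop and disable it. rpcss has no such option, as the article notes.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    return ($null -ne $spooler -and $spooler.Status -eq 'Running')
}

'== Principals granted SeImpersonatePrivilege =='
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
'== Services that expose SeImpersonatePrivilege =='
Get-ServiceImpersonationExposure | Format-Table -AutoSize
'== IIS application pool identities =='
Get-IisAppPoolIdentities | Format-Table -AutoSize
"Print Spooler running: $(Test-SpoolerRunning)"
```

Read the report as a to-do list rather than a verdict: tighten one service at a time with `sc.exe privs`, move application pools from built-in identities to dedicated accounts, and stop the spooler only on hosts that do not print. Removing the "Impersonate a client after authentication" right from SERVICE, LOCAL SERVICE or NETWORK SERVICE wholesale will break services such as IIS and SQL Server that legitimately impersonate their clients, so change the per-service privilege lists and test before touching the policy-wide grant.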

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
