Several new techniques have become available recently that give attackers a way to abuse legitimate Windows services and, with relatively little effort, escalate from a low-privileged account to full control of the system.
The newer exploits abuse the same or similar Windows service capabilities that attackers have abused before, and they work even on some of the most recent versions of the operating system, warns Antonio Cocomazzi, system engineer at SentinelOne. Cocomazzi described some of the techniques in a briefing at the Black Hat Asia 2021 virtual conference this week.
For organizations, the biggest problem in dealing with these attacks is that they abuse services that hold impersonation privileges and exist by design in Windows, Cocomazzi tells Dark Reading. The services are enabled and available by default, and they play an essential part in the implementation of Web servers, database servers, mail servers, and other services, Cocomazzi says.
"These recent techniques allow an attacker to exploit even the latest and updated Windows systems," he says.
An exploit known as "Juicy Potato" continues to be the most common way for attackers to escalate privileges on a Windows system using a legitimate Windows service, Cocomazzi says. SentinelOne has observed evidence of the exploit being used in multiple APT campaigns, he adds.
There have been no public signs yet of the newer techniques being used in the wild, but the absence of reports does not mean they are not being actively exploited.
"Considering that those techniques have been discovered recently, it's just a matter of time before they will be found [and] used by attackers in future attacks," he says.
Juicy Potato is an exploit that allows an attacker who has compromised a low-privileged Windows service account to gain SYSTEM-level access on the machine. It abuses a Windows privilege called SeImpersonatePrivilege ("Impersonate a client after authentication"), which Microsoft introduced in Windows 2000 SP4, ironically enough as a security measure to prevent unauthorized servers from impersonating the clients that connect to them over remote procedure calls (RPC) or named pipes.
Where the compromised account holds that privilege, all an attacker needs to do is bring the JuicyPotato tool onto the host and use it to run code of their choice as SYSTEM, such as a reverse shell payload.
"JuicyPotato tricks the DCOM activation service into performing a privileged and authenticated RPC call to a malicious RPC server under attacker control," says Cocomazzi.
The exploit then impersonates the SYSTEM client that made the call, capturing an access token that lets the attacker run code with system-level privileges.
Microsoft has changed the underlying behavior in newer builds. But JuicyPotato still works on every fully patched Windows Server release up to and including Server 2016 and on every fully patched Windows 10 release up to and including build 1803, he says. And newer members of the so-called Potato family of exploits, such as RoguePotato and Juicy 2, bypass the change that shut down the original JuicyPotato, Cocomazzi says.
In addition, several other tools abuse impersonation privileges and other Windows services to gain SYSTEM-level access. Examples include RogueWinRM, PrintSpoofer, and Network Service Impersonation. Each exploits a different Windows service or mechanism, but all of them give the attacker the most privileged local account on a Windows machine, NT AUTHORITY\SYSTEM, he notes.
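The two preconditions just described, an impersonation privilege on the compromised account and (for the original JuicyPotato) an unpatched build, can be checked without running any exploit. The PowerShell below is an added triage script, not code from the article or from SentinelOne. The function names are my own, and the build cut-offs it encodes are the ones the text cites: Windows 10 1803 is build 17134 and Windows Server 2016 is build 14393, while Windows 10 1809 and Server 2019 are build 17763, where JuicyPotato stops working. It also checks whether the Print Spooler is running, since PrintSpoofer depends on it.

```powershell
# Added triage check (not part of the article or SentinelOne's tooling).
# Reports the preconditions described above; it performs no escalation.
# Run it in the context you want to assess, e.g. a shell obtained from an IIS application pool.

function Get-TokenPrivilegeNames {
    # 'whoami /priv' lists every privilege on the current process token, enabled or not.
    # Data lines look like: "SeImpersonatePrivilege  Impersonate a client after authentication  Enabled"
    $out = & whoami.exe /priv
    foreach ($line in $out) {
        $m = [regex]::Match($line, '^\s*(Se\w+Privilege)\b')
        if ($m.Success) { $m.Groups[1].Value }
    }
}

function Test-PotatoPreconditions {
    param(
        # Highest build on which JuicyPotato still works according to the article
        # (Windows 10 1803 = 17134; Windows Server 2016 = 14393 is also in range).
        [int] $MaxJuicyPotatoBuild = 17134
    )

    $privs            = @(Get-TokenPrivilegeNames)
    $hasImpersonate   = $privs -contains 'SeImpersonatePrivilege'
    # JuicyPotato also accepts SeAssignPrimaryTokenPrivilege as an alternative.
    $hasAssignPrimary = $privs -contains 'SeAssignPrimaryTokenPrivilege'
    $impersonationHeld = $hasImpersonate -or $hasAssignPrimary

    # Win32_OperatingSystem reports the real build regardless of the host process's manifest.
    $build = [int] (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    # PrintSpoofer needs the spooler service; RPCSS (used by RoguePotato) is always running.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

    [pscustomobject]@{
        Account                       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        SeImpersonatePrivilege        = $hasImpersonate
        SeAssignPrimaryTokenPrivilege = $hasAssignPrimary
        OSBuild                       = $build
        SpoolerRunning                = $spoolerRunning
        # Original JuicyPotato: needs an impersonation privilege AND a build at or below the cut-off.
        JuicyPotatoPossible           = $impersonationHeld -and ($build -le $MaxJuicyPotatoBuild)
        # Newer techniques work on current builds; the privilege is the condition that matters.
        RoguePotatoPossible           = $impersonationHeld
        PrintSpooferPossible          = $impersonationHeld -and $spoolerRunning
    }
}

Test-PotatoPreconditions | Format-List
```

A "False" on every row does not mean the host is safe; it only means the foothold you are testing from does not meet these particular conditions. A different service account on the same machine may well hold the privilege.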
"In recent years, one of the most used/abused exploits for privilege escalation from a service compromise was the JuicyPotato," he says. "Since then, other exploits have been seen that abuse the same concepts: coercing a more privileged service into authenticating a resource under the attacker's control, thus allowing the attacker to steal and use the privileged authentication."
Most Potent Threats
Cocomazzi describes RoguePotato and PrintSpoofer as the two most potent Windows privilege escalation techniques currently available to attackers. That's because the exploits work in every Windows client and server installation and require very few conditions to function correctly.
PrintSpoofer abuses the Print Spooler (spoolsv), a highly privileged Windows service that runs as SYSTEM.
"It does not require any external network interaction and could be run fully locally, which is ideal for an attacker," Cocomazzi says.
RoguePotato, meanwhile, abuses RPCSS, the Remote Procedure Call service, another critical and heavily abused Windows component. The exploit tricks RPCSS into authenticating to a resource under the attacker's control so the attacker can capture and reuse that authentication to execute code with system-level privileges. Unlike PrintSpoofer, RoguePotato requires network interaction, because the authentication has to be bounced through an attacker-controlled host back to the target. But it is much harder to mitigate, because RPCSS cannot be stopped the way the spooler service can, Cocomazzi says.
Web applications running on Windows servers are a favorite target. A common scenario is for attackers to gain limited access to a server by compromising a Web application hosted on IIS or a database such as MSSQL, whose service accounts typically hold SeImpersonatePrivilege, and then to use that foothold to elevate to SYSTEM.
The best way for organizations to mitigate these techniques is to apply the principle of least privilege, the researcher says. Organizations should use the Windows Service Hardening (WSH) mechanism to segregate services and restrict their privileges, for example by removing impersonation privileges from service accounts that do not need them, after confirming that the service still functions without them, since some legitimate server roles depend on impersonation.
"The favorite targets for attackers are the IIS Web servers, so applying some restrictions on the application pool identities used by the system could be a great way to be protected against those techniques," Cocomazzi says.
Using the default configuration offered by the operating system can leave organizations vulnerable to these attacks, he says.
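As an added example of the least-privilege review described above (my own code, not the article's or SentinelOne's), the PowerShell below first audits which principals hold SeImpersonatePrivilege in the local security policy, then shows how the Windows Service Hardening required-privilege list (sc.exe privs) strips the privilege from one service's token. 'MyAppSvc' is a placeholder service name; the SIDs in the comment are the default holders on a Windows host with IIS installed. Run it from an elevated prompt.

```powershell
# Added example (not from the article or SentinelOne): audit SeImpersonatePrivilege holders
# and restrict a service's token via Windows Service Hardening. Requires an elevated prompt.
# 'MyAppSvc' below is a placeholder; substitute the service you want to harden.

function Get-ImpersonatePrivilegeHolders {
    # secedit exports the local policy as an INF whose [Privilege Rights] section maps each
    # user right to the SIDs that hold it, e.g. on a web server:
    #   SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-32-568
    # (LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE, IIS_IUSRS)
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $inf |
            Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }
        $rhs = ($line -split '=', 2)[1]
        foreach ($entry in ($rhs -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $sidString = $entry.TrimStart('*')   # '*' prefix marks a SID rather than a name
            $account   = $entry
            if ($entry.StartsWith('*')) {
                try {
                    $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidString)
                    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $account = $sidString }   # unresolvable SID, e.g. a deleted account
            }
            [pscustomobject]@{ Sid = $sidString; Account = $account }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Get-ServiceRequiredPrivileges {
    param([Parameter(Mandatory)] [string] $Name)
    # 'sc qprivs' prints the RequiredPrivileges list the Service Control Manager enforces.
    # An empty list means the service keeps every privilege of its account.
    $out = & sc.exe qprivs $Name
    foreach ($line in $out) {
        $m = [regex]::Match($line, '(Se\w+Privilege)')
        if ($m.Success) { $m.Groups[1].Value }
    }
}

function Set-ServiceRequiredPrivileges {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Privileges
    )
    # 'sc privs' records the list; the SCM removes every privilege not on it from the
    # service's token when the service starts, so restart the service afterwards.
    # SeChangeNotifyPrivilege is kept because Windows expects every token to have it.
    if ($Privileges -notcontains 'SeChangeNotifyPrivilege') {
        $Privileges += 'SeChangeNotifyPrivilege'
    }
    & sc.exe privs $Name ($Privileges -join '/') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc privs failed for '$Name' (exit code $LASTEXITCODE)" }
    Get-ServiceRequiredPrivileges -Name $Name
}

# 1. Who can impersonate on this host? Anything beyond the defaults listed above deserves a look.
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize

# 2. Inspect, then restrict, a custom service that has no reason to impersonate clients.
Get-ServiceRequiredPrivileges -Name 'MyAppSvc'
# Set-ServiceRequiredPrivileges -Name 'MyAppSvc' -Privileges 'SeChangeNotifyPrivilege'
# Restart-Service -Name 'MyAppSvc'
```

Two caveats apply. The required-privilege list is only honoured when every service sharing a process declares one, so it is most effective for services that run in their own process. And IIS worker processes are not services: for application pools the lever is the pool identity and the user-rights assignment itself, and removing IIS_IUSRS from SeImpersonatePrivilege breaks IIS features that impersonate authenticated users, so test the application before rolling such a change out.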