Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:20 PM
Connect Directly

New Techniques Emerge for Abusing Windows Services to Gain System Control

Organizations should apply principles of least privilege to mitigate threats, security researcher says.

Several new techniques have become available recently that give attackers a way to abuse legitimate Windows services and relatively easily escalate low-level privileges on a system to gain full control of it.

The newer exploits take advantage of the same or similar Windows services capabilities that attackers have abused previously and work on even some of the more recent versions of the operating system, warns Antonio Cocomazzi, system engineer at SentinelOne. Cocomazzi described some of the techniques in a briefing at the Black Hat Asia 2021 virtual conference this week.

Related Content:

Flaws in Privileged Management Apps Expose Machines to Attack

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How to Move Beyond Passwords and Basic MFA

For organizations, the biggest problem dealing with these attacks is that they abuse services that hold impersonation privileges and exist by design in Windows operating systems, Cocomazzi tells Dark Reading. The services are enabled, available by default, and play an essential part in the implementation of Web servers, database servers, mail servers, and other services, Cocomazzi says.

"These recent techniques allow an attacker to exploit even the latest and updated Windows systems," he says.

An exploit known as "Juicy Potato" continues to be the most common way for attackers to escalate privileges on a Windows system using a legitimate Windows service, Cocomazzi says. SentinelOne has observed evidence of the exploit being used in multiple APT campaigns, he adds.

There have been no signs of the new updated techniques being used in the wild, but that does not mean they are not being actively exploited.

"Considering that those techniques have been discovered recently, it's just a matter of time before they will be found [and] used by attackers in the future attacks," he says.

Juicy Potato is an exploit that allows an attacker with low-level service privileges on a Windows system to gain system level access on it. The exploit takes advantage of an impersonation privilege setting in Windows called "SeImpersonatePrivilege." Microsoft first introduced the feature in Windows 2000 SP4, ironically enough as a security measure to prevent "unauthorized servers from impersonating clients" that connect to them remotely via remote procedure calls or what are known as named pipes.

On systems where the service is enabled, all an attacker would need to do is download the JuicyPotato tool and use it to execute malicious code of their choice — like setting a reverse shell payload.

"JuicyPotato tricks the DCOM activation service into performing a privileged and authenticated RPC call to a malicious RPC server under attacker control," says Cocomazzi.

It then executes a couple of steps that allow it to steal a token that allows the attacker to carry out malicious activity with system-level privileges.

Microsoft has fixed the exploit in newer versions of its software. But JuicyPotato still works on every updated Windows Server until version 2016 and on every updated Windows Client machine until version 10, build 1803, he says.  And newer versions of the so-called Potato family of exploits — such as RoguePotato and Juicy 2 — are now available that bypass the Microsoft fix that shut down JuicyPotato, Cocomazzi says.

In addition, several other exploits are available that allow attackers to exploit impersonation privilege settings and other Windows services to gain system level access on Windows systems. Examples include RogueWinRM, PrintSpoofer, and Network Service Impersonation. Each of these tools exploits different Windows services and mechanisms to give attackers the most privileged access on a Windows machine: the NT Authority/System privilege, he notes.

"In recent years, one of the most used/abused exploits for privilege escalation from a service compromise was the JuicyPotato," he says. "Since then, other exploits have been seen that abuse the same concepts: coercing a more privileged service into authenticating a resource under the attacker's control, thus allowing the attacker to steal and use the privileged authentication."  

Most Potent Threats
Cocomazzi describes RoguePotato and PrintSpoofer as the two most potent Windows privilege escalation techniques currently available to attackers. That's because the exploits work in every Windows client and server installation and require very few conditions to function correctly.

PrintSpoofer exploits a highly privileged internal Windows component called a "spooler" service.

"It does not require any external network interaction and could be run fully locally, which is ideal for an attacker," Cocomazzi says.

RoguePotato, meanwhile, exploits "rpcss" another critical — and highly abused — Windows service. The exploit gives attackers a way to trick rpcss to authenticate a resource under the attacker's control so the attacker can steal and use the authentication to remotely execute code with system-level privileges. Unlike PrintSpoofer, the RoguePotato exploit requires network interaction. But it is a lot harder to mitigate because rpcss services cannot be stopped like the spooler service, Cocomazzi says.

Web applications running on Windows servers are a favorite target. A common scenario is for attackers to gain some form of limited access to the server by compromising a Web server app like IIS or MSSQL and then using that foothold to elevate privileges.

The best way for organizations to mitigate the threat posed by these techniques is to apply the principle of least privilege, the security researcher says. Organizations should take advantage of the Windows Service Hardening (WSH) mechanism to segregate and restrict service privileges — for example, by disabling impersonation privileges.

"The favorite targets for attackers are the IIS Web servers, so applying some restrictions on the application pool identities used by the system could be a great way to be protected against those techniques," Cocomazzi says.

Using the default configuration offered by the operating system can leave organizations vulnerable to these attacks, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...
PUBLISHED: 2021-06-14
Improper Input Validation vulnerability in Hitachi ABB Power Grids Relion 670 Series, Relion 670/650 Series, Relion 670/650/SAM600-IO, Relion 650, REB500, RTU500 Series, FOX615 (TEGO1), MSM, GMS600, PWC600 allows an attacker with access to the IEC 61850 network with knowledge of how to reproduce the...