New Techniques Emerge for Abusing Windows Services to Gain System Control

Organizations should apply principles of least privilege to mitigate threats, security researcher says.

Several new techniques have become available recently that give attackers a way to abuse legitimate Windows services and relatively easily escalate low-level privileges on a system to gain full control of it.

The newer exploits take advantage of the same or similar Windows services capabilities that attackers have abused previously and work on even some of the more recent versions of the operating system, warns Antonio Cocomazzi, system engineer at SentinelOne. Cocomazzi described some of the techniques in a briefing at the Black Hat Asia 2021 virtual conference this week.

For organizations, the biggest problem dealing with these attacks is that they abuse services that hold impersonation privileges and exist by design in Windows operating systems, Cocomazzi tells Dark Reading. The services are enabled, available by default, and play an essential part in the implementation of Web servers, database servers, mail servers, and other services, Cocomazzi says.

"These recent techniques allow an attacker to exploit even the latest and updated Windows systems," he says.

An exploit known as "Juicy Potato" continues to be the most common way for attackers to escalate privileges on a Windows system using a legitimate Windows service, Cocomazzi says. SentinelOne has observed evidence of the exploit being used in multiple APT campaigns, he adds.

There have been no signs of the new, updated techniques being used in the wild, but that does not mean they are not being actively exploited.

"Considering that those techniques have been discovered recently, it's just a matter of time before they will be found [and] used by attackers in future attacks," he says.

Juicy Potato is an exploit that allows an attacker with low-level service privileges on a Windows system to gain system-level access on it. The exploit takes advantage of an impersonation privilege setting in Windows called "SeImpersonatePrivilege." Microsoft first introduced the feature in Windows 2000 SP4, ironically enough as a security measure to prevent "unauthorized servers from impersonating clients" that connect to them remotely via remote procedure calls or what are known as named pipes.

On systems where the service is enabled, all an attacker would need to do is download the JuicyPotato tool and use it to execute malicious code of their choice — like setting a reverse shell payload.

"JuicyPotato tricks the DCOM activation service into performing a privileged and authenticated RPC call to a malicious RPC server under attacker control," says Cocomazzi.

It then executes a couple of steps that allow it to steal a token that allows the attacker to carry out malicious activity with system-level privileges.

Microsoft has fixed the exploit in newer versions of its software. But JuicyPotato still works on every updated Windows Server up to and including version 2016 and on every updated Windows client machine up to and including Windows 10, build 1803, he says. And newer versions of the so-called Potato family of exploits — such as RoguePotato and Juicy 2 — are now available that bypass the Microsoft fix that shut down JuicyPotato, Cocomazzi says.

In addition, several other exploits are available that allow attackers to abuse impersonation privilege settings and other Windows services to gain system-level access on Windows systems. Examples include RogueWinRM, PrintSpoofer, and Network Service Impersonation. Each of these tools exploits different Windows services and mechanisms to give attackers the most privileged account on a Windows machine: NT AUTHORITY\SYSTEM, he notes.

"In recent years, one of the most used/abused exploits for privilege escalation from a service compromise was the JuicyPotato," he says. "Since then, other exploits have been seen that abuse the same concepts: coercing a more privileged service into authenticating a resource under the attacker's control, thus allowing the attacker to steal and use the privileged authentication."

Most Potent Threats

Cocomazzi describes RoguePotato and PrintSpoofer as the two most potent Windows privilege escalation techniques currently available to attackers. That's because the exploits work in every Windows client and server installation and require very few conditions to function correctly.

PrintSpoofer exploits a highly privileged internal Windows component, the print "spooler" service.

"It does not require any external network interaction and could be run fully locally, which is ideal for an attacker," Cocomazzi says.

RoguePotato, meanwhile, exploits "rpcss," another critical — and highly abused — Windows service. The exploit gives attackers a way to trick rpcss into authenticating to a resource under the attacker's control, so the attacker can steal and use that authentication to execute code with system-level privileges. Unlike PrintSpoofer, the RoguePotato exploit requires network interaction. But it is a lot harder to mitigate because the rpcss service cannot be stopped the way the spooler service can, Cocomazzi says.

Web applications running on Windows servers are a favorite target. A common scenario is for attackers to gain some form of limited access to the server by compromising a server application such as IIS or MSSQL and then using that foothold to elevate privileges.

The best way for organizations to mitigate the threat posed by these techniques is to apply the principle of least privilege, the security researcher says. Organizations should take advantage of the Windows Service Hardening (WSH) mechanism to segregate and restrict service privileges — for example, by disabling impersonation privileges.

"The favorite targets for attackers are the IIS Web servers, so applying some restrictions on the application pool identities used by the system could be a great way to be protected against those techniques," Cocomazzi says.

Using the default configuration offered by the operating system can leave organizations vulnerable to these attacks, he says.
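As an added defensive example (not code from the article or from SentinelOne), the following PowerShell audits which services carry impersonation privileges and applies the Windows Service Hardening controls described above. It assumes an elevated session; the allow-list of SeChangeNotifyPrivilege alone is a constructed minimum that must be validated per service, since Web, database and mail servers legitimately need impersonation and will break without it.

```powershell
# Added example (not from the article or SentinelOne): audit services for token-
# impersonation privileges and apply the Windows Service Hardening (WSH) controls
# the article recommends. Run from an elevated PowerShell session.

# Privileges the Potato-family and PrintSpoofer-style techniques rely on.
$ImpersonationPrivs = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')

function Get-ServicePrivileges {
    # Privilege list WSH records for one service, as printed by "sc.exe qprivs".
    # An empty list means no restriction: the account's full token is kept.
    param([Parameter(Mandatory)][string]$ServiceName)
    $out = & sc.exe qprivs $ServiceName 2>&1
    return @([regex]::Matches(($out -join "`n"), 'Se\w+Privilege') | ForEach-Object Value)
}

function Find-ImpersonatingServices {
    # Services whose recorded list grants impersonation, or that record no list
    # while running as a high-privilege built-in account (full token kept).
    $highAccounts = 'LocalSystem', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService'
    Get-CimInstance Win32_Service | ForEach-Object {
        $privs = Get-ServicePrivileges -ServiceName $_.Name
        $hasImp = ($privs | Where-Object { $ImpersonationPrivs -contains $_ }).Count -gt 0
        $unrestricted = ($privs.Count -eq 0) -and ($highAccounts -contains $_.StartName)
        if ($hasImp -or $unrestricted) {
            [pscustomobject]@{
                Service    = $_.Name
                Account    = $_.StartName
                State      = $_.State
                Privileges = if ($privs) { $privs -join ',' } else { '<none recorded>' }
            }
        }
    }
}

function Set-ServicePrivilegeAllowList {
    # WSH: "sc.exe privs" records the only privileges the SCM leaves in the
    # service token at start-up; everything else (SeImpersonatePrivilege included)
    # is stripped. Services sharing one svchost get the union of their lists.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [string[]]$Allow = @('SeChangeNotifyPrivilege')  # constructed minimum; validate per service
    )
    & sc.exe privs $ServiceName ($Allow -join '/')
    Restart-Service -Name $ServiceName -Force   # the new list applies at next start
}

# PrintSpoofer mitigation: on hosts that never print, the spooler can be stopped
# and disabled outright (the article notes rpcss cannot be).
function Disable-PrintSpooler {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

Find-ImpersonatingServices | Format-Table -AutoSize
```

Run the audit first and review the list before calling Set-ServicePrivilegeAllowList on any service, because the change is enforced at the next service start.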

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
