Introduction

This article introduces local privilege escalation techniques, focusing on the Windows OS booting process and user types. It will teach you how an attacker can bypass the logon screen using a bootable Windows or Linux OS drive and describes protection methods, such as regedit and BitLocker, that may help safeguard computers against such attacks.

Workgroup User Privileges

Regular User: Regular users have limited access to system files and resources. They usually have access to their own files and applications but not to other system settings or locations. Their user rights are restricted.

Local Admin: This is an elevated account on a local system. Regular users can add members to the Local Administrators group, and local admins can access local users’ data.

NT-Authority: This is the most privileged account on a local system, able to access all system settings and directories. A user with an NT-Authority account has unrestricted access to all the resources on the local system.

Domain User Privileges

Delegated Admin: Delegated administrators typically control and enforce certain roles and features. Use delegated administration to assign limited admin privileges to standard users in your organization.

Domain Admin: A domain administrator in Windows is a user account that can edit information in Active Directory. The user can modify server configurations and any content stored in Active Directory.

Enterprise Admin: One group that only appears in the forest root domain is the Enterprise Admins group. All of the forest domains are under this group's administrative supervision.

Windows Booting Process

  • During computer bootup, the MBR (Master Boot Record) carries logical information about the partition containing the operating system.
  • The bootloader manages the process of loading the operating system. The system will be loaded from a configured drive only if the MBR recognizes and points to that drive.
  • Following the bootloader, the kernel is loaded. It contributes to loading the operating system and establishing communication with input and output devices.
  • At the Winlogon login screen, the system runs with its highest privileges. Following identification, the system modifies the permissions based on the user account.
  • Once the login credentials are validated, the system lowers the NT Authority permissions to those of the signed-in user.

Local PE Attack Flow

From the Windows login screen, you can launch several accessibility tools. Sticky Keys, Magnifier, and Ease of Access are the major programs.

These programs operate with NT-Authority rights because they are executed before the system lowers its privileges.

Launching an Attack

First, a bootable operating system device is necessary. The operating system can be installed on a USB drive or a CD. In the second step, the machine must boot from that device so that the command prompt can be opened via the “troubleshoot” window.

The next step is to change the name of cmd.exe to the name of one of the startup programs.

The last step is to reboot the machine to access the login screen. The user needs to call the program replaced with CMD at the logon screen. This program will prompt the CMD window with NT Authority permissions.

BIOS Screen

While booting up the Windows machine, pressing the F12 or ESC key loads the BIOS screen.

The boot manager can load the bootable Windows media created using Rufus by selecting Enter setup > Boot from a file. Then, it is possible to execute Windows setup during bootup to invoke the command prompt.

Linux & Windows ISO

Any operating system version can be used on a Windows PC as long as it can be loaded on the hard drive.

When using a bootable Linux OS, “live” mode should be selected. Basic knowledge of the Linux OS is required.

When using a bootable Windows OS, the Repair Mode option includes troubleshooting containing the Command Prompt.

Mounting a Windows Drive

After successfully booting into the live system, the original OS hard disk drive must be loaded to gain access to system files.

In the command prompt, the command wmic logicaldisk get name lists the available partitions, including the one containing the system32 directory.

File System Manipulation

The path “c:\Windows\system32” contains built-in apps that can be launched from the logon screen.

A backup of the application must be created first. For example: copy Utilman.exe UtilmanBackUp.exe

Then, cmd.exe must be copied over the application under the application's name, for example: copy cmd.exe utilman.exe

NT-Authority Permissions

After updating the files, restart the machine to access the login screen.

CMD will be launched when you click Utilman.exe (a clock-shaped symbol). The CMD will be run with NT-Authority rights, which may be confirmed with the whoami command.

This process can be done by replacing other programs. For example, CMD can be executed from Sticky Keys or Magnifier.
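On the defensive side, the swap described in this section is detectable with the same principle the article later attributes to Windows Defender: compare the hashes of the accessibility binaries against a known-good baseline and against the console binaries an attacker copies over them. The following script is an added example, not code from the original article; the two file lists are assumptions to be extended for your build, and the hashes in the demo are constructed.

```python
"""Integrity check for the accessibility binaries Winlogon can launch before sign-in.
Added example, not from the original article. An accessibility binary whose SHA-256
equals that of a console binary (cmd.exe, taskmgr.exe, ftp.exe, mmc.exe) has been
swapped; one whose hash differs from the known-good baseline has at least been modified.
The file lists are assumptions; the demo hashes are constructed."""
import hashlib
from pathlib import Path

# Programs reachable from the logon screen (Ease of Access, Sticky Keys, Magnifier, ...).
ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe", "magnify.exe", "narrator.exe", "osk.exe")
# Binaries the article shows being copied over them to obtain a SYSTEM-level console.
SHELL_LIKE_BINARIES = ("cmd.exe", "taskmgr.exe", "ftp.exe", "mmc.exe")


def sha256_of(path):
    """Stream a file through SHA-256 in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_system32(system32=Path(r"C:\Windows\System32")):
    """Hash the binaries of interest on a live host; returns {lower-case name: sha256}."""
    return {name: sha256_of(system32 / name)
            for name in ACCESSIBILITY_BINARIES + SHELL_LIKE_BINARIES
            if (system32 / name).is_file()}


def find_replaced_binaries(hashes, baseline=None):
    """Report accessibility binaries that look swapped or modified.

    hashes   -- {name: sha256} for the current System32 contents
    baseline -- optional {name: sha256} captured from a known-good image
    Returns a list of (name, reason) tuples in ACCESSIBILITY_BINARIES order.
    """
    shell_hashes = {hashes[n]: n for n in SHELL_LIKE_BINARIES if n in hashes}
    findings = []
    for name in ACCESSIBILITY_BINARIES:
        current = hashes.get(name)
        if current is None:
            continue  # not present on this build
        if current in shell_hashes:
            findings.append((name, "hash matches " + shell_hashes[current]))
        elif baseline and name in baseline and baseline[name] != current:
            findings.append((name, "hash differs from baseline"))
    return findings


def demo():
    """Constructed scenario: sethc.exe overwritten with cmd.exe, utilman.exe altered."""
    cmd_hash = hashlib.sha256(b"constructed cmd.exe bytes").hexdigest()
    sethc_good = hashlib.sha256(b"constructed sethc.exe bytes").hexdigest()
    baseline = {"sethc.exe": sethc_good, "utilman.exe": "aa" * 32, "magnify.exe": "cc" * 32}
    hashes = {"cmd.exe": cmd_hash, "sethc.exe": cmd_hash,
              "utilman.exe": "bb" * 32, "magnify.exe": "cc" * 32}
    return find_replaced_binaries(hashes, baseline)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
    # On a Windows host: find_replaced_binaries(hash_system32(), baseline_from_gold_image)
```

The byte-identical copy is caught without any baseline, because its hash equals cmd.exe's; the baseline only matters for a modified or unknown binary. Windows Update legitimately changes these hashes, so the baseline has to be refreshed per build or the check will raise false alarms after patching.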

Adding a New User

net user [username] [password] /add

Once CMD runs with NT-Authority, the attacker can create a new user and gain access to the system.

To avoid discovery, the attacker may create a new hidden user rather than changing the current user password. A hidden user can be created by appending a dollar ($) symbol to the end of the username.

After creating the user, the attacker can add it to the administrator’s group. The attacker acquires high privileges by adding users to the administrator’s group.

To add a user to the administrator’s group, use the following command: net localgroup administrators [username] /add.
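The two traces this step leaves are an account name ending in “$” and a new member of the Administrators group. “net user” omits names ending in “$”, which is why the attacker chooses such a name, but “net localgroup administrators” still lists every member, so an audit can cross-check the two listings. The script below is an added example, not code from the original article; the command output it parses is constructed to follow the layout of the real commands, and the account names are made up.

```python
"""Audit local accounts for the traces of the hidden-user step above.
Added example, not from the original article. Reports Administrators members that
end in '$', are absent from the 'net user' listing, or are not on the expected list.
The sample command output is constructed; account names are made up."""
import subprocess

SAMPLE_NET_USER = r"""
User accounts for \\WORKSTATION01

-------------------------------------------------------------------------------
Administrator            alice                    DefaultAccount
Guest                    WDAGUtilityAccount
The command completed successfully.
"""

SAMPLE_NET_LOCALGROUP = r"""
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alice
support$
The command completed successfully.
"""


def _body_lines(text):
    """Yield the stripped lines between the dashed rule and the trailing status line."""
    in_body = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_body = True
        elif line.startswith("The command completed"):
            break
        elif in_body and line.strip():
            yield line.strip()


def parse_net_user(text):
    """'net user' prints up to three names per line; names containing spaces are not handled."""
    return [name for line in _body_lines(text) for name in line.split()]


def parse_net_localgroup(text):
    """'net localgroup <group>' prints one member per line (domain principals may contain spaces)."""
    return list(_body_lines(text))


def audit_local_admins(net_user_output, net_localgroup_output, expected_admins):
    """Return {member: [reasons]} for suspicious members of the Administrators group."""
    visible = {n.lower() for n in parse_net_user(net_user_output)}
    expected = {n.lower() for n in expected_admins}
    findings = {}
    for member in parse_net_localgroup(net_localgroup_output):
        reasons = []
        if member.endswith("$"):
            reasons.append("name ends with '$' (hidden from 'net user')")
        elif member.lower() not in visible:
            reasons.append("not shown by 'net user' (domain principal or hidden account)")
        if member.lower() not in expected:
            reasons.append("not on the expected administrator list")
        if reasons:
            findings[member] = reasons
    return findings


def audit_live(expected_admins):
    """Run both commands on a Windows host and audit their real output."""
    def run(*args):
        return subprocess.run(args, capture_output=True, text=True, check=True).stdout
    return audit_local_admins(run("net", "user"),
                              run("net", "localgroup", "administrators"), expected_admins)


def demo():
    return audit_local_admins(SAMPLE_NET_USER, SAMPLE_NET_LOCALGROUP,
                              expected_admins=["Administrator", "alice"])


if __name__ == "__main__":
    for member, reasons in demo().items():
        print(member, "->", "; ".join(reasons))
```

The expected-admin list is the important input: an attacker who picks a plain name instead of a “$” suffix is still caught because the new member is not on the list. Run audit_live from an elevated prompt on the host being checked.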

Mounting on Linux

A read-only file system problem may prevent users from changing the mounted drive while booting to a Linux live system.

Commands used to mount a Windows hard disk:

mkdir - Creates the directory.

fdisk - Formats the disk.

mount - Mounts the device.

After booting, use cp to overwrite sethc.exe with cmd.exe, as demonstrated in Windows.

Bypass Windows Defender

Microsoft enhanced the overall protection of some Windows OS builds by introducing the Windows Defender ATP.

Defender compares the hashes of the binaries in Microsoft’s accessibility suite: if one of them has been backdoored, its hash matches a binary that provides system-level access, and the modification is flagged.

In Windows 10, it is necessary to trick the defender since the application detects that Winlogon’s files were replaced and displays an error.

Enabling Safe Mode

Loading the system in safe mode is one of the most prevalent ways to fool Windows Defender.

When safe mode is activated, Defender does not check the hashes of the files, so it does not detect the modifications.

bcdedit /set {default} safeboot minimal
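The bcdedit command above leaves a persistent “safeboot” value on the default boot entry, so a defender can spot the preparation for this bypass by reading the Boot Configuration Data back. The script below is an added example, not code from the original article; it parses the key/value layout of “bcdedit /enum”, and the sample output it ships with is constructed.

```python
"""Detect a persistent Safe Mode setting in the Boot Configuration Data.
Added example, not from the original article. Feed it the output of 'bcdedit /enum'
(elevated); the sample below is constructed to follow bcdedit's key/value layout."""
import re
import subprocess

SAMPLE_BCDEDIT_ENUM = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 10
safeboot                Minimal
"""

# bcdedit separates key and value with a run of at least two spaces.
KEY_VALUE = re.compile(r"^(\S+)\s{2,}(\S.*?)\s*$")


def parse_bcd_entries(text):
    """Split bcdedit output into a list of {'_type': header, key: value, ...} dicts."""
    entries, header = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if set(line) == {"-"}:          # dashed rule opens a new entry under the last header
            entries.append({"_type": header})
            continue
        match = KEY_VALUE.match(line)
        if match and entries:
            entries[-1][match.group(1).lower()] = match.group(2)
        else:
            header = line               # section title such as "Windows Boot Loader"
    return entries


def find_safeboot_entries(text):
    """Return (identifier, safeboot value) for every entry configured to boot into Safe Mode."""
    return [(entry.get("identifier", "?"), entry["safeboot"])
            for entry in parse_bcd_entries(text) if "safeboot" in entry]


def check_live():
    """Query the real BCD store on a Windows host (requires an elevated prompt)."""
    out = subprocess.run(["bcdedit", "/enum"], capture_output=True, text=True, check=True).stdout
    return find_safeboot_entries(out)


if __name__ == "__main__":
    print(find_safeboot_entries(SAMPLE_BCDEDIT_ENUM))
```

A safeboot value is also set by legitimate troubleshooting (msconfig’s “Safe boot” option), so treat a hit as something to correlate with the file-integrity check rather than as proof on its own; a host that has been rebooted into Safe Mode and has a replaced accessibility binary is the pattern this section describes.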

Without safe mode

When replacing the accessibility apps with binaries other than CMD, such as FTP, MMC, and conhost, Windows Defender can be evaded without enabling safe mode.

Replacing sethc.exe with ftp.exe will bring up an FTP console when the SHIFT key is pressed five times. System commands can be executed from FTP by adding an exclamation mark (!) at the beginning of the command.

Security Measures

BIOS Password: Adding a BIOS password to the computer’s boot procedure can help safeguard it from unauthorized changes. Unfortunately, the BIOS password is reset when the CMOS battery is removed from the computer.

Encrypted Drive: Encrypting the hard disk is considered the most effective solution for data protection because it prevents people from reading or writing data on the drive from an external live OS.

Restricted Access: Restricting access is a prudent step rather than a security method. A computer should never be left unattended in an easily accessible area. However, in most cases, it is impossible to enforce this guideline.

Windows 10 ATP: On new and updated systems, Windows Defender detects attempts to attach cmd.exe or taskmgr.exe to, or replace, the binaries of the “accessibility suite.” For example, sethc.exe can be launched from the lock screen.

BIOS Password

In some circumstances, users can access a live Linux desktop by inserting a detachable device such as a USB drive or a bootable CD. Unauthorized users may be able to view and edit the files if they are not encrypted.

The first step to mitigate this threat is to protect the boot order from unauthorized changes. This can be done by setting a password on the BIOS and restricting access to the boot order screen.

Bitlocker Disk Encryption

Bitlocker is a Windows feature that helps to protect sensitive data. The central concept behind this feature is to encrypt logical drives. BitLocker allows you to encrypt the entire disk and prohibits unauthorized users from modifying it.

After the drive has been encrypted, the user must enter a password during boot. Once the correct password is entered, the drive is decrypted and Windows boots normally.