16 Windows Privilege Escalation | Understanding Windows Privileges and Access Control Mechanisms Flashcards
What is a SID?
Secure Identifier
What is a SID for?
The SID for local accounts and groups is generated by the Local Security Authority (LSA)
What is in charge of domain users and domain groups?
Domain Controller (DC)
What is the particularity of a SID?
The SID cannot be changed and is generated when the user or group is created.
What is the fundamental representation of a SID?
S-R-X-Y (placeholder)
What is the usage of each part of the SID (S-R-X-Y)?
The first part is a literal “S”, which indicates that the string is a SID.
“R” stands for revision and is always set to “1”, since the overall SID structure continues to be on its initial version.
“X” determines the identifier authority.
“Y” represents the sub-authorities of the identifier authority.
Every SID consists of one or more sub-authorities.
In S-R-X-Y, what does Y consist of?
Y: This part consists of the domain identifier and relative identifier (RID).
Why does the RID start at 1000?
1000 is for nearly all principals.
So what does this SID mean?
S-1-5-21-1336799502-1441772794-948155058-1001
Listing 2 shows that the RID is 1001.
What are well-known SIDs?
S-1-0-0
S-1-1-0
S-1-5-11
S-1-5-18
S-1-5-domainidentifier-500
S-1-0-0 Nobody
S-1-1-0 Everybody
S-1-5-11 Authenticated Users
S-1-5-18 Local System
S-1-5-domainidentifier-500 Administrator
What happens when a user is authenticated on Windows?
Once a user is authenticated, Windows generates an access token that is assigned to that user.
What does an access token contain?
The token itself contains various pieces of information that effectively describe the security context of a given user. The security context is a set of rules or attributes that are currently in effect.
What does the security context of a token consist of?
- SID of the user
- SIDs of the groups the user is a member of
- the user and group privileges
What happens when a user starts a process or a thread?
A token (the primary token) will be assigned to these objects.
What does the primary token specify?
Which permissions the process or thread has when interacting with another object;
it is a copy of the access token of the user.
What is an impersonation token?
Impersonation tokens are used to provide a different security context than the process that owns the thread.
What is MIC (Mandatory Integrity Control)?
It uses integrity levels to control access to securable objects
What are the integrity levels for MIC (5)?
- System: SYSTEM (kernel, …)
- High: Elevated users
- Medium: Standard users
- Low: Very restricted rights, often used for sandboxed processes
- Untrusted: Lowest integrity level with extremely limited access rights for processes or objects that pose the most potential risk
What is User Account Control (UAC)?
UAC is a Windows security feature that protects the operating system by running most applications and tasks with standard user privileges, even if the user launching them is an Administrator.
What is UAC made of?
- A standard user token (filtered admin token), which is used to perform all non-privileged operations.
- A second token, which is a regular administrator token.
What happens when UAC is enabled and the
To leverage the administrator token, the UAC consent prompt needs to be confirmed.
What is a RID? What is it used for?
Relative User ID
The RID determines principals such as users or groups.