16 Windows Privilege Escalation _ Understanding Windows Privileges and Access Control Mechanisms

Question 1

What is SID ?

Answer 1

Secure Identifier

Question 2

What is SID for ?

Answer 2

The SID for local accounts and groups is generated by the Local Security Authority (LSA)

Question 3

What is in in charge of domain users and domain groups

Answer 3

Domain Controller (DC)

Question 4

What’s the particularity of SID ?

Answer 4

The SID cannot be changed and is generated when the user or group is created.

Question 5

What is the fundamental representation of SID

Answer 5

S-R-X-Y (Place Holder)

Question 6

What is the usage of each part of SID (S-R-X-Y)

Answer 6

The first part is a literal “S”, which indicates that the string is a SID.

“R” stands for revision and is always set to “1”, since the overall SID structure continues to be on its initial version.

“X” determines the identifier authority.

“Y” represents the sub authorities of the identifier authority

Question 7

Every SID consists of one and more sub authorities
In S-R-X-Y

Answer 7

Y: This part consists of the domain identifier and relative identifier (RID).

Question 8

Why RID start at 1000 ?

So what this SID means ?

S-1-5-21-1336799502-1441772794-948155058-1001

Answer 8

1000 if for nearly all principals

Listing 2 shows that the RID is 1001.

Question 9

What are well know SIDs ?

S-1-0-0
S-1-1-0
S-1-5-11
S-1-5-18
S-1-5-domainidentifier-500

Answer 9

S-1-0-0 Nobody
S-1-1-0 Everybody
S-1-5-11 Authenticated Users
S-1-5-18 Local System
S-1-5-domainidentifier-500 Administrator

Question 10

What append when an user is authenticated on Windows ?

Answer 10

Once a user is authenticated, Windows generates an access token that is assigned to that user.

Question 11

What an access token contains ?

Answer 11

token itself contains various pieces of information that effectively describe the security context of a given user. The security context is a set of rules or attributes that are currently in effect.

Question 12

Security context of a token consists of ?

Answer 12

• SID of the user
• SIDs of the groups the user is a member of
• the user and group privileges

Question 13

What append when a user start a process or a thread ?

Answer 13

A token will be assigned to these objects (primary token)

Question 14

What primary token specify ?

Answer 14

Which permissions the process or threads have when interacting with another object

AND is a copy of the access token of the user.

Question 15

What is impersonation token ?

Answer 15

Impersonation tokens are used to provide a different security context than the process that owns the thread.

Question 16

What is MID (Mandatory Integrity Control)

Answer 16

It uses integrity levels to control access to securable objects

Question 17

What are integrity levels for MID (5)

Answer 17

• System: SYSTEM (kernel, …)
• High: Elevated users
• Medium: Standard users
• Low: Very restricted rights often used in sandboxed
• Untrusted: Lowest integrity level with extremely limited access rights for processes or objects that pose the most potential risk

Question 18

What is User Account Control (UAC) ?

Answer 18

UAC is a Windows security feature that protects the operating system by running most applications and tasks with standard user privileges, even if the user launching them is an Administrator.

Question 19

What made of UAC ?

Answer 19

1. standard user token (filtered admin token) which is used to perform all non-privileged operations.
2. second token is a regular administrator token.

Question 20

What append when UAC is enabled and the

Answer 20

To leverage the administrator token, UAC consent prompt needs to be confirmed ?

Question 21

What is RID ? What’s used for ?

Answer 21

Relative User ID
The RID determines principals such as users or groups.