16 Windows Privilege Escalation | Understanding Windows Privileges and Access Control Mechanisms Flashcards

1
Q

What is a SID?

A

Secure Identifier

2
Q

What is a SID for?

A

The SID for local accounts and groups is generated by the Local Security Authority (LSA)

3
Q

What is in charge of domain users and domain groups?

A

Domain Controller (DC)

4
Q

What is special about a SID?

A

The SID cannot be changed and is generated when the user or group is created.

5
Q

What is the fundamental representation of a SID?

A

S-R-X-Y (placeholder)

6
Q

What is the meaning of each part of a SID (S-R-X-Y)?

A

The first part is a literal “S”, which indicates that the string is a SID.

“R” stands for revision and is always set to “1”, since the overall SID structure continues to be on its initial version.

“X” determines the identifier authority.

“Y” represents the sub authorities of the identifier authority.

7
Q

Every SID consists of one or more sub authorities. What is Y in S-R-X-Y?

A

Y: This part consists of the domain identifier and relative identifier (RID).

8
Q

Why does the RID start at 1000?

So what does this SID mean?

S-1-5-21-1336799502-1441772794-948155058-1001

A

1000 is for nearly all principals.

Listing 2 shows that the RID is 1001.

9
Q

What are well-known SIDs?

S-1-0-0
S-1-1-0
S-1-5-11
S-1-5-18
S-1-5-domainidentifier-500

A

S-1-0-0 Nobody
S-1-1-0 Everybody
S-1-5-11 Authenticated Users
S-1-5-18 Local System
S-1-5-domainidentifier-500 Administrator

10
Q

What happens when a user is authenticated on Windows?

A

Once a user is authenticated, Windows generates an access token that is assigned to that user.

11
Q

What does an access token contain?

A

The token itself contains various pieces of information that effectively describe the security context of a given user. The security context is a set of rules or attributes that are currently in effect.

12
Q

What does the security context of a token consist of?

A
  • SID of the user
  • SIDs of the groups the user is a member of
  • the user and group privileges
13
Q

What happens when a user starts a process or a thread?

A

A token (the primary token) is assigned to these objects.

14
Q

What does the primary token specify?

A

Which permissions the process or thread has when interacting with another object.

It is a copy of the user's access token.

15
Q

What is an impersonation token?

A

Impersonation tokens are used to provide a different security context than the process that owns the thread.

16
Q

What is MIC (Mandatory Integrity Control)?

A

It uses integrity levels to control access to securable objects.

17
Q

What are the five integrity levels for MIC?

A
  • System: SYSTEM (kernel, …)
  • High: Elevated users
  • Medium: Standard users
  • Low: Very restricted rights, often used in sandboxes
  • Untrusted: Lowest integrity level with extremely limited access rights for processes or objects that pose the most potential risk
18
Q

What is User Account Control (UAC)?

A

UAC is a Windows security feature that protects the operating system by running most applications and tasks with standard user privileges, even if the user launching them is an Administrator.

19
Q

What is UAC made of?

A
  1. A standard user token (filtered admin token), which is used to perform all non-privileged operations.
  2. A second token, which is a regular administrator token.
20
Q

What happens when UAC is enabled and the

A

To leverage the administrator token, the UAC consent prompt needs to be confirmed.

21
Q

What is a RID? What is it used for?

A

Relative User ID
The RID determines principals such as users or groups.