SlideShare a Scribd company logo

Level Up! - Practical Windows Privilege Escalation

jakx_
jakx_

This document provides an overview of practical Windows privilege escalation techniques. It begins with introductions and disclaimers, then discusses Windows access control models and concepts like integrity levels. It proceeds to demonstrate potential escalation avenues like exploiting privileged access elsewhere on the network, extracting credentials from files, exploiting unpatched vulnerabilities, weak permissions on services/files, AlwaysInstallElevated policies, and DLL hijacking. The document emphasizes that privilege escalation is still possible even with UAC and provides tools and references for further information.

Technology
1 of 51
Download to read offline
Practical Windows Privilege Escalation Andrew Smith
C:>type disclaimer.txt •The opinions expressed in this presentation are mine and not those of my employer.
C:>whoami /all •Andrew Smith •@jakx_ •Penetration Tester •OWASP •Metasploit •CTF •Certs
C:>whois you
What are you talking about? •Relevant Windows Security Info •PrivEsc tricks win7 •Limited user -> Local Admin
Why should I care? •You wanna level up •You wanna prevent level up •Hack the planet! •You like Mario?
Why should I care? •"People designing defenses who have never had them evaluated by a good attacker is kind of like learning one of those martial arts that look more like dancing than fighting. They look nice, but when you get into a fight your dance kungfu isn’t going to help you not get your ass kicked." -Dan Guido
Windows Access Control *https://msdn.microsoft.com/en- us/library/windows/desktop/aa379557%28v=vs.85%29.aspx •Securable Objects •Files •Directories •Services •Registry Keys •Named Pipes
Windows Access Control *https://msdn.microsoft.com/en- us/library/windows/desktop/aa379563%28v=vs.85%29.aspx •Security Descriptor •Discretionary Access Control List (DACL) •Access Control Entries (ACE)
Windows Access Control *https://msdn.microsoft.com/en- us/library/windows/desktop/aa379563%28v=vs.85%29.aspx •Access Token •Container of user security info •SID, groups, privileges •Tied to process or thread
Windows Access Control
Windows Access Control Access Token
Windows Access Control Access Token DACL
Windows Access Control Access Token DACL AccessChk
Mandatory Integrity Control *https://msdn.microsoft.com/en-us/library/bb625963.aspx •Security feature post-Vista •Assigns process Integrity Levels •Indicates “trustworthiness” of object
Windows Integrity Levels *Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition
Windows Integrity Levels Low Medium High SYSTEM *https://msdn.microsoft.com/en-us/library/bb625963.aspx
Windows Integrity Levels *https://msdn.microsoft.com/en-us/library/bb625963.aspx Low Medium High SYSTEM UAC Just ask nicely…
The Setup… •Land on workstation as SKYNETLuigi via $method •Want to escalate privileges •Limited User -> Local Admin •Marketing isnt Admin… right?
Time to Level Up! •Admin somewhere else? •Creds in files •Exploit unpatched EoP bugs •Exploit insecure configs/apps •Weak Services DACLs •Weak File DACLs •AlwaysInstallEvelated •DLLs
Somewhere Else? •Luigi in “Domain Users” group •1 box “Domain Users” in “Administrators”
Somewhere Else? •Powerview •https://github.com/PowerShellMafia/PowerSploit/blob/m aster/Recon/PowerView.ps1 • Find-LocalAdminAccess
Somewhere Else?
Creds in Files •C:usersluigiDesktoppasswords.xls •C:>dir /b /s web.config •C:>dir /b /s unattend.xml •C:>dir /b /s sysprep.inf •C:>dir /b /s sysprep.xml •C:>dir /b /s *pass* •GPP •mushroomkindgomSYSVOL????
Windows EoP Buggzz •Enumerate missing patches •post/windows/gather/enum_patches •post/multi/recon/local_exploit_suggester •Pwn
Windows EoP Buggzz •MS13-053
Weak Service Permissions Accesschk.exe –qwcu “Authenticated Users” * Accesschk.exe –qwcu “Users” * Accesschk.exe –qwcu “Everyone” *
Weak Service Permissions •Can we edit the service config? •Can we edit the binary it points to?
Weak Service Permissions •Demo
Weak File Permissions •Look for writeable files •Autoruns? •Scheduled Tasks? Accesschk.exe –qwsu “Authenticated Users” c: Accesschk.exe –qwsu “Users” c: Accesschk.exe –qwsu “Everyone” c:
Weak File Permissions •Story time
Weak File Permissions •Story time •Main app binary writeable “users”
Weak File Permissions •Story time •Main app binary writeable “users” •Autorun on login
Weak File Permissions
Weak File Permissions • “Nah bro, UAC”
Weak File Permissions • Admin logs in
Weak File Permissions • Admin logs in • Backdoored binary auto-executes
Weak File Permissions • Admin logs in • Backdoored binary auto-executes • Code execution at medium IL as admin (UAC)
Weak File Permissions •“One important thing to know is that UAC is not a security boundary.” *https://blogs.msdn.microsoft.com/e7/2009/02/05/upda te-on-uac/
AlwaysInstallElevated •Group policy setting that makes installing packages (.msi) convenient… •..Any .msi… •for everyone..
AlwaysInstallElevated reg query HKLMSOFTWAREPoliciesMicrosoft WindowsInstaller /v AlwaysInstallElevated reg query HKCUSOFTWAREPoliciesMicrosoft WindowsInstaller /v AlwaysInstallElevated
AlwaysInstallElevated •Demo
DLL Hijacking •Windows can dynamically load DLLs •If full path not used/missing, Windows executes DLL Search Order •Eg. •LoadLibrary(“ohnoes.dll”) vs •LoadLibrary(“c:program filesohnoes.dll”)
DLL Hijacking 1. The directory from which the application loaded. 2. The system directory. 3. The 16-bit system directory. 4. The Windows directory. 5. The current directory. 6. The directories listed in the PATH environment variable. *https://msdn.microsoft.com/en- us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
DLL Hijacking 1. The directory from which the application loaded. 2. The system directory. 3. The 16-bit system directory. 4. The Windows directory. 5. The current directory. (Exploitable) 6. The directories listed in the PATH environment variable. (Exploitable) *https://msdn.microsoft.com/en- us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
DLL Hijacking •Privileged app loads missing DLL + controllable search path element = pwned •Use Sysinternals Procmon •Include “.dll” •Include “NAME NOT FOUND” •Include folder in path
DLL Hijacking •Demo
Conclusions •Know your network/apps •Don’t run as admin •UAC IS NOT A SECURITY BOUNDARY •Patch your shit •“Hack yourself first”
Tools •Powerup •https://github.com/PowerShellMafia/PowerSploit/blob/master/Priv esc/PowerUp.ps1 •Windows-privesc-check •https://github.com/pentestmonkey/windows-privesc-check •Sysinternals Suite •https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
References/Resources https://www.insomniasec.com/downloads/publications/WindowsPrivEsc.ppt https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Service s_-_All_roads_lead_to_SYSTEM.pdf https://technet.microsoft.com/en-us/sysinternals/bb545027 http://www.greyhathacker.net/?p=738 Greyhat Hacking 4th edition Windows Internals 6th edition https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black- 26665607
Questions? @jakx_ ajs@swordshield.com

Recommended

Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101Rashid feroz
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Dos attack
Dos attackDos attack
Dos attackManjushree Mashal
 

Recommended

Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101Rashid feroz
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Dos attack
Dos attackDos attack
Dos attackManjushree Mashal
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
Reconnaissance and Social Engineering
Reconnaissance and Social EngineeringReconnaissance and Social Engineering
Reconnaissance and Social EngineeringVarunjeet Singh Rekhi
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationOnwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitRaghav Bisht
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Module 6 Session Hijacking
Module 6 Session HijackingModule 6 Session Hijacking
Module 6 Session Hijackingleminhvuong
 
Module 2 Foot Printing
Module 2 Foot PrintingModule 2 Foot Printing
Module 2 Foot Printingleminhvuong
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
From zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemFrom zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemNabeel Ahmed
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparationManich Koomsusi
 

More Related Content

What's hot

4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
Reconnaissance and Social Engineering
Reconnaissance and Social EngineeringReconnaissance and Social Engineering
Reconnaissance and Social EngineeringVarunjeet Singh Rekhi
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitRaghav Bisht
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Module 6 Session Hijacking
Module 6 Session HijackingModule 6 Session Hijacking
Module 6 Session Hijackingleminhvuong
 
Module 2 Foot Printing
Module 2 Foot PrintingModule 2 Foot Printing
Module 2 Foot Printingleminhvuong
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 

What's hot (20)

4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
Reconnaissance and Social Engineering
Reconnaissance and Social EngineeringReconnaissance and Social Engineering
Reconnaissance and Social Engineering
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Module 6 Session Hijacking
Module 6 Session HijackingModule 6 Session Hijacking
Module 6 Session Hijacking
 
Module 2 Foot Printing
Module 2 Foot PrintingModule 2 Foot Printing
Module 2 Foot Printing
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 

Viewers also liked

From zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemFrom zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemNabeel Ahmed
 
An Introduction to Sysinternals
An Introduction to SysinternalsAn Introduction to Sysinternals
An Introduction to SysinternalsRiyaz Walikar
 
Esoteric xss payloads
Esoteric xss payloadsEsoteric xss payloads
Esoteric xss payloadsRiyaz Walikar
 
4 Ways to Make UAC Less Annoying on Windows 7 / Vista
4 Ways to Make UAC Less Annoying on Windows 7 / Vista4 Ways to Make UAC Less Annoying on Windows 7 / Vista
4 Ways to Make UAC Less Annoying on Windows 7 / Vistayeenaroth
 
Privilege Escalation And Misconfigurations Part2
Privilege Escalation And Misconfigurations Part2Privilege Escalation And Misconfigurations Part2
Privilege Escalation And Misconfigurations Part2Caleb Sima
 
Privilege Escalation And Misconfigurations
Privilege Escalation And MisconfigurationsPrivilege Escalation And Misconfigurations
Privilege Escalation And MisconfigurationsCaleb Sima
 
Attacking Windows Authentication and BitLocker Full Disk Encryption
Attacking Windows Authentication and BitLocker Full Disk EncryptionAttacking Windows Authentication and BitLocker Full Disk Encryption
Attacking Windows Authentication and BitLocker Full Disk EncryptionIan Haken
 
Disruptive Innovations 2014 / CITI
Disruptive Innovations 2014 / CITIDisruptive Innovations 2014 / CITI
Disruptive Innovations 2014 / CITIRana Babaç
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 
Maximum clique detection algorithm
Maximum clique detection algorithmMaximum clique detection algorithm
Maximum clique detection algorithmAbhishek Kona
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawShakacon
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
 
DBSCAN (2014_11_25 06_21_12 UTC)
DBSCAN (2014_11_25 06_21_12 UTC)DBSCAN (2014_11_25 06_21_12 UTC)
DBSCAN (2014_11_25 06_21_12 UTC)Cory Cook
 

Viewers also liked (20)

From zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemFrom zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows system
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
 
An Introduction to Sysinternals
An Introduction to SysinternalsAn Introduction to Sysinternals
An Introduction to Sysinternals
 
Prepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec ProfessionalPrepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec Professional
 
My pwk & oscp journey
My pwk & oscp journeyMy pwk & oscp journey
My pwk & oscp journey
 
Esoteric xss payloads
Esoteric xss payloadsEsoteric xss payloads
Esoteric xss payloads
 
4 Ways to Make UAC Less Annoying on Windows 7 / Vista
4 Ways to Make UAC Less Annoying on Windows 7 / Vista4 Ways to Make UAC Less Annoying on Windows 7 / Vista
4 Ways to Make UAC Less Annoying on Windows 7 / Vista
 
Windows 7
Windows 7Windows 7
Windows 7
 
OPS2016 ja ohjelmointi
OPS2016 ja ohjelmointiOPS2016 ja ohjelmointi
OPS2016 ja ohjelmointi
 
Programación dinámica
Programación dinámicaProgramación dinámica
Programación dinámica
 
Privilege Escalation And Misconfigurations Part2
Privilege Escalation And Misconfigurations Part2Privilege Escalation And Misconfigurations Part2
Privilege Escalation And Misconfigurations Part2
 
Privilege Escalation And Misconfigurations
Privilege Escalation And MisconfigurationsPrivilege Escalation And Misconfigurations
Privilege Escalation And Misconfigurations
 
Attacking Windows Authentication and BitLocker Full Disk Encryption
Attacking Windows Authentication and BitLocker Full Disk EncryptionAttacking Windows Authentication and BitLocker Full Disk Encryption
Attacking Windows Authentication and BitLocker Full Disk Encryption
 
Disruptive Innovations 2014 / CITI
Disruptive Innovations 2014 / CITIDisruptive Innovations 2014 / CITI
Disruptive Innovations 2014 / CITI
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
Maximum clique detection algorithm
Maximum clique detection algorithmMaximum clique detection algorithm
Maximum clique detection algorithm
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
 
DBSCAN (2014_11_25 06_21_12 UTC)
DBSCAN (2014_11_25 06_21_12 UTC)DBSCAN (2014_11_25 06_21_12 UTC)
DBSCAN (2014_11_25 06_21_12 UTC)
 
Db Scan
Db ScanDb Scan
Db Scan
 

Similar to Level Up! - Practical Windows Privilege Escalation

Windows privilege escalation
Windows privilege escalationWindows privilege escalation
Windows privilege escalationDhruv Shah
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefMichael Gough
 
Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...Kirill Ermakov
 
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHacks in Taiwan (HITCON)
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentMongoDB
 
CNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistryCNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistrySam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Programs you need!
Programs you need!Programs you need!
Programs you need!dshinkfield
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX SecurityHelpSystems
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment isc2-hellenic
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidMatthew Johnson
 
Programs you need!
Programs you need!Programs you need!
Programs you need!clcewing
 
CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)Sam Bowne
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware TechniquesLee C
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Michael Gough
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware ArchaeologistMichael Gough
 

Similar to Level Up! - Practical Windows Privilege Escalation (20)

Windows privilege escalation
Windows privilege escalationWindows privilege escalation
Windows privilege escalation
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
 
Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...
 
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB Deployment
 
CNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistryCNIT 152: 12b Windows Registry
CNIT 152: 12b Windows Registry
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
Programs you need!
Programs you need!Programs you need!
Programs you need!
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
Programs you need!
Programs you need!Programs you need!
Programs you need!
 
CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is Hacked
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
 

Recently uploaded

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Recently uploaded (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Level Up! - Practical Windows Privilege Escalation