Slide deck from my session at Microsoft Ignite 2017: “Look under the hood: bypassing antimalware tactics and infrastructure response methods”.
Tools from the session
Here you can find the most important tools I used during the session!
Elevation from regular user to the localsystem
One of the interesting and somewhat magical steps during our session at Microsoft Ignite was an elevation from a regular user to LocalSystem. Of course, on a properly configured and patched system this should not be possible, but we used a bug, MS16-032, that Microsoft fixed in March 2016.
The bug relies on how handles are handled (we love such geeky word plays) by the Secondary Logon service on multiprocessor systems, and it affects Windows versions up to and including Windows 10 and Windows Server 2012 R2. So if you have not patched your system since March 2016, you are probably vulnerable too. We chose this bug for our demonstration not only because it works reliably, but also because it can be exploited with pure PowerShell. We relied heavily on the FuzzySecurity code published on GitHub.
The code for the elevation is wrapped into one function we called “Elevate-Cmd”. Once you declare this function (just copy and paste the code below into your PowerShell or ISE window) you can use it, for example, by typing “Elevate-Cmd net localgroup administrators fkrueger /add”. Please remember that the parameters are passed to cmd.exe, so if you plan to use internal commands like dir, type, echo etc. you should prefix them with /c: “Elevate-Cmd /c dir c:\users”.
Looks scary? For us as well. So if you are thinking about fixing it, refer to KB3143141 (LINK)
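Before running the demo (or, more usefully, before deciding whether one of your own machines still needs attention), it helps to check the three things the elevation depends on: whether the update is reported as installed, whether the box has more than one logical CPU (the race does not trigger on a single core), and whether the Secondary Logon service the bug lives in is actually available. The following pre-flight check is an added example, not code from the session or from the FuzzySecurity script; it assumes the update name KB3143141 from the text above, the service name “seclogon” for Secondary Logon, and the hypothetical function name Test-MS16032Exposure.

```powershell
# Added example (not part of the session deck or the FuzzySecurity script):
# report whether this machine looks exposed to MS16-032.
# Assumptions: update id KB3143141 (from the text above), service name
# 'seclogon' (Secondary Logon), at least two logical CPUs for the race.

function Test-MS16032Exposure {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $cores = [int]$cs.NumberOfLogicalProcessors

    # Get-HotFix only reports what the local update inventory knows about.
    # On Windows 10 the MS16-032 fix shipped inside a cumulative update, so the
    # absence of KB3143141 here does NOT prove the box is unpatched; treat the
    # result as a hint and confirm against the installed cumulative updates.
    $kb = Get-HotFix -Id 'KB3143141' -ErrorAction SilentlyContinue

    # The race is against the Secondary Logon service; if it is absent or
    # disabled, the exploit has nothing to race.
    $seclogon = Get-Service -Name 'seclogon' -ErrorAction SilentlyContinue

    $blockers = @()
    if ($kb)            { $blockers += 'KB3143141 is listed as installed' }
    if ($cores -lt 2)   { $blockers += 'single logical CPU: the race does not trigger' }
    if (-not $seclogon) { $blockers += 'Secondary Logon service not present' }
    elseif ($seclogon.StartType -eq 'Disabled') { $blockers += 'Secondary Logon service is disabled' }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $os.Version
        LogicalCPUs       = $cores
        KB3143141Present  = [bool]$kb
        SecondaryLogon    = if ($seclogon) { $seclogon.Status.ToString() } else { 'missing' }
        LikelyExploitable = ($blockers.Count -eq 0)
        Notes             = if ($blockers) { $blockers -join '; ' }
                            else { 'no blocker found; verify cumulative updates manually' }
    }
}

# Usage: run from any PowerShell prompt; no elevation is needed for the check itself.
Test-MS16032Exposure | Format-List
```

LikelyExploitable is deliberately conservative in one direction only: a single core, a disabled Secondary Logon service or a listed KB3143141 each rule the demo out, but “no blocker found” still has to be confirmed by looking at which cumulative updates are installed, because Get-HotFix cannot see a fix that arrived bundled inside a later rollup.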