REVIEW: RED TEAM Operator: Privilege Escalation in Windows Course by SEKTOR7 Institute

This is my review of the RED TEAM Operator: Privilege Escalation in Windows course offered by SEKTOR7 Institute. As an affiliate, I make money with qualifying purchases.

RED TEAM Operator: Privilege Escalation in Windows is a brief introduction to the subject. As with other offerings by SEKTOR7, this course expects that you know the basics of writing software on Windows, particularly in C. I feel that without some basic development abilities, this course would be difficult to follow along with. You don’t need to be a master. Being able to write simple console applications, compile them with Visual Studio, and look up documentation on MSDN would be a good start.

This course is not a comprehensive guide to privilege escalation, but I felt it was a pretty good introduction to the subject. I feel that this course covered enough to get started with research on this subject. I ended up learning some new things and collecting ~70 bookmarks to review later.

This material was interesting to me as a defender. I have definitely seen several of these techniques applied in real life intrusions. Seeing these attacks carried out from the other side will help me contextualize security events that I encounter in the future.

Some of the topics this course covers:

  • Basic post-exploitation reconnaissance
  • Finding credentials and other interesting files (passwords.txt, unattend.xml, …)
  • Windows Credential Manager
  • Abusing mis-configured services, scheduled tasks, and file system permissions
  • DLL Hijacking
  • User Account Control (UAC)

[Image: Red Team Operator Privilege Escalation Word Cloud]

What’s Included?

  • ~3.5 hours of on-demand video
  • Zip file containing example code
  • Virtual machine with pre-installed tools
  • 3 assignments

Resources

Here are all of the bookmarks I made while reviewing this course in no particular order.

https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-disconnectnamedpipe
https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-connectnamedpipe
https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-impersonatenamedpipeclient
https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b
https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
https://devblogs.microsoft.com/oldnewthing/20080314-00/?p=23113
https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken
https://www.redcursor.com.au/blog/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10
https://support.kaspersky.com/13905
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera
https://github.com/adamdriscoll/PoshInternals/issues/7
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-rtlequalunicodestring
https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryobject
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FType%20independed%2FNtDuplicateObject.html
https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysysteminformation
https://docs.microsoft.com/en-us/windows/win32/sysinfo/handle-inheritance
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/leaked-handle-exploitation
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/integrity-levels
https://en.wikipedia.org/wiki/Mandatory_Integrity_Control
https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/
https://dmcxblue.gitbook.io/red-team-notes/privesc/unquoted-service-path
https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/
https://github.com/hfiref0x/UACME
https://github.com/slyd0g/DLLHijackTest
https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
https://trustfoundry.net/what-is-dll-hijacking/
https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendmessagetimeouta
https://referencesource.microsoft.com/#mscorlib/system/environment.cs,1016
https://docs.microsoft.com/en-us/windows/win32/procthread/environment-variables
https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo
https://github.com/ohpe/juicy-potato
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
https://www.google.com/search?q=sc+ss64&oq=sc+ss64&aqs=chrome..69i57j69i60l3.2247j0j4&sourceid=chrome&ie=UTF-8
https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths
https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
https://medium.com/@orhan_yildirim/windows-privilege-escalation-insecure-service-permissions-e4f33dbff219
https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0
https://github.com/HurtzDonut01/PSCredMan/blob/master/Private/PsUtils_CredMan.cs
https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea
https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)
https://ss64.com/nt/cmdkey.html
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
http://www.gosecure.it/blog/art/539/sec/privilege-escalation-using-windows-credential-editor/
https://ss64.com/nt/reg.html
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
https://sec-consult.com/blog/detail/windows-privilege-escalation-an-approach-for-penetration-testers/
https://pentestlab.blog/tag/unattend/
https://adsecurity.org/?p=2288
https://en.wikipedia.org/wiki/Privilege_escalation
https://docs.microsoft.com/en-us/windows/win32/secauthz/restricted-tokens
https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
https://docs.microsoft.com/en-us/windows/win32/secauthz/impersonation-tokens
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows
https://docs.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/windows-kernel-mode-security-reference-monitor
https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-queryservicestatus
https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicea
https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openscmanagera
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-initializeprocthreadattributelist
http://www.angusj.com/resourcehacker/
