Levelsecondarylogon

ReadingyourwayaroundUACAbusingAccessTokensforUACBypassesJamesForshaw@tiraniddoWhyAdmin-ApprovalUACisevenworsethanyouthought!
WhyOver-the-ShoulderUACisstillworsethanyouthought!
WhatI'mGoingtoTalkAboutUACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationUACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationShellExecute"runas"UACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationShellExecute"runas"consent.
exeUACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationApplicationShellExecute"runas"LinkedTokensLinkedTokensDeny-OnlyGroupsLinkAlsoFewerPrivilegesLinkTheProblemwithUACLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YNon-AdminApplicationAdminApplicationCurrentUserRegistryHiveUserProfileDirectoryDesktopandKernelObjectsTheProblemwithUACLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YNon-AdminApplicationAdminApplicationCurrentUserRegistryHiveUserProfileDirectoryDesktopandKernelObjectsKernelObjectLoginSidNon-AdminTokenGroupsAdminTokenDACLKernelNtUserGetClipboardTokenWin32kUACAdminProcessWritetoClipboardCapturedTokenNon-AdminProcessKernelNtUserGetClipboardTokenWin32kUACAdminProcessCapturedTokenNon-AdminProcessNtUserGetClipboardTokenKernelNtUserGetClipboardTokenWin32kUACAdminProcessCapturedTokenNon-AdminProcessOpenedforreadClipboardTokenRead-onlyaccessCreatingaNewProcessParentTokenSiblingTokenProcessTokenTokenIDAssignedTokenParentTokenIDEqualProcessTokenParentTokenIDAuthIDAssignedTokenParentTokenIDAuthIDEqualEqualORCreatingaNewProcessParentTokenSiblingTokenProcessTokenTokenIDAssignedTokenParentTokenIDEqualProcessTokenParentTokenIDAuthIDAssignedTokenParentTokenIDAuthIDEqualEqualORImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeALLOWEDRestricttoIdentificationLevelProcessIL>=TokenILProcessUser==TokenUserImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL>=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL>=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelHighIL!
=AdministratorCreateandmodifyfilesinsystemlocationsCreateandmodifysystemservicesOpen>=highILprocessesforR/WInteractwith>=highILWindows(UIPI)No"God"PrivilegesPrivilegePossiblePrivilegedOperationsSeCreateTokenPrivilegeCreatenewtokenobjectsSeTcbPrivilegeManyandvariedprivilegedoperationsSeLoadDriverPrivilegeLoadadriverintothekernelSeDebugPrivilegeBypassprocess/threadsecuritychecksSeBackupPrivilegeBypassfile/keysecuritychecksforreadSeRestorePrivilegeBypassfile/keysecuritychecksforwriteSeImpersonatePrivilegeImpersonatearbitraryusersThefollowingarenotallowedtobeenabledforaMediumILtoken.
StealingTokensOpenProcessTokenWeonlyhaveQueryLimitedInformationOnlyLimitedInformationStartanElevatedProcessStandardauto-elevationofspecificMSbinaries.
ScheduledTasksIfsetwillspawnelevatedprocesswithnoUACprompt.
DEMOChangesinWindows10TokenLevel==IdentificationProcesshasImpersonatePrivilegeALLOWEDRestricttoIdentificationLevelProcessIL>=TokenILProcessUser==TokenUserElevationCheckCapabilityCheckElevationChecksif(SeTokenIsElevated(ImpersonationToken)){if(!
SeTokenIsElevated(ProcessToken)||ProcessToken->LogonSession->Flags.
UacSession){returnSTATUS_PRIVILEGE_NOT_HELD;}}//Continuewithimpersonationcheck.
WhatMakesaTokenElevatedBOOLEANRtlIsElevatedRid(SID_AND_ATTRIBUTES*sid_and_attr){DWORDlast_rid=GetLastRid(sid_and_attr->Sid);DWORDcheck_rids[]={512,544,.
.
.
};for(inti=0;i=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelImpersonatinganOTSTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL>=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelCapabilityCheckCapabilityCheckBOOLEANSepIsImpersonationAllowedDueToCapability(PTOKENtoken,PTOKENimp_token){if((token->SessionId!
=imp_token->SessionId)||(token->TokenFlags&TOKEN_FLAGS_LOWBOX)==0)||(imp_token->TokenFlags&TOKEN_FLAGS_LOWBOX)==0)){returnFALSE;}if(!
SepSidInTokenSidHash(&token->CapabilitiesHash,SeConstrainedImpersonationCapabilitySid)||!
SepCheckCapabilities(token,imp_token->Capabilities)||!
RtlEqualSid(token->Package,imp_token->Package)){returnFALSE;}returnTRUE;}TokensmustbeinsameSessionandbothbeLowBox.
Processtokenmusthaveimpersonationcapability,andbeinsamepackage.
EnterpriseAuthenticationDEMOIsAnythingSafeHitCTRL+ALT+DELandclickAdmin-ApprovalUACisbrokenOver-the-sholderUACisprettybrokenonWindows10Bestchanceyouhaveisfast-userswitchingDon'tswitchusingExplorer,alwaysusethesecureattentionsequenceConclusionsAnyQuestionsThanks