This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.
Description
Attack Execution Flow
3
1
Step 1
Explore[Find programs with elevated priveleges] The adversary probes for programs running with elevated privileges.
Look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break.
AI Translation
[Trova programmi con privilegi elevati] L'adversary effettua sondaggi alla ricerca di programmi in esecuzione con privilegi elevati.
Cerca programmi che scrivono nelle directory di sistema o nei registry key (come HKLM, che memorizza numerose variabili ambientali critiche di Windows). Questi programmi sono tipicamente in esecuzione con privilegi elevati e di solito non sono stati progettati con la sicurezza in mente. Tali programmi sono ottimi bersagli di exploit perché conferiscono molta potenza quando vengono compromessi.
Attack Techniques
-
Look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break.
2
Step 2
Explore[Find vulnerability in running program] The adversary looks for a vulnerability in the running program that would allow for arbitrary code execution with the privilege of the running program.
Look for improper input validation
Look for improper failure safety. For instance when a program fails it may authorize restricted access to anyone.
Look for a buffer overflow which may be exploited if an adversary can inject unvalidated data.
AI Translation
[Trova vulnerabilità nel programma in esecuzione] L’avversario cerca una vulnerabilità nel programma in esecuzione che consentirebbe l’esecuzione di codice arbitrario con i privilegi del programma in esecuzione.
Cerca una validazione impropria degli input
Cerca una sicurezza in caso di fallimento inadeguata. Ad esempio, quando un programma fallisce potrebbe autorizzare accessi riservati a chiunque.
Cerca un buffer overflow che potrebbe essere sfruttato se un avversario può iniettare dati non validati.
Attack Techniques
-
Look for improper failure safety. For instance when a program fails it may authorize restricted access to anyone.
-
Look for a buffer overflow which may be exploited if an adversary can inject unvalidated data.IT: Cerca di individuare fallimenti di sicurezza in caso di errore. Ad esempio, quando un programma si blocca potrebbe autorizzare l'accesso ristretto a chiunque.
-
Look for improper input validationIT: Cerca di individuare fallimenti di sicurezza in caso di errore. Ad esempio, quando un programma si blocca potrebbe autorizzare l'accesso ristretto a chiunque.
3
Step 3
Exploit[Execute arbitrary code] The adversary exploits the vulnerability that they have found. For instance, they can try to inject and execute arbitrary code or write to OS resources.
AI Translation
[Eseguire codice arbitrario] L'avversario sfrutta la vulnerabilità che ha individuato. Ad esempio, può tentare di iniettare ed eseguire codice arbitrario o scrivere su risorse del sistema operativo.
Mitigations
10
If Possible Use A Sandbox Model Which Limits The Actions That Programs Can Take. A Sandbox Restricts A Program To A Set Of Privileges And Commands That Make It Difficult Or Impossible For The Program To Cause Any Damage.
Avoid Revealing Information About Your System (E.G., Version Of The Program) To Anonymous Users.
Make Sure That Your Program Or Service Fail Safely. What Happen If The Communication Protocol Is Interrupted Suddenly? What Happen If A Parameter Is Missing? Does Your System Have Resistance And Resilience To Attack? Fail Safely When A Resource Exhaustion Occurs.
Apply The Principle Of Least Privilege.
Validate All Untrusted Data.
Apply The Latest Patches.
Scan Your Services And Disable The Ones Which Are Not Needed And Are Exposed Unnecessarily. Exposing Programs Increases The Attack Surface. Only Expose The Services Which Are Needed And Have Security Mechanisms Such As Authentication Built Around Them.
Check Your Program For Buffer Overflow And Format String Vulnerabilities Which Can Lead To Execution Of Malicious Code.
Monitor Traffic And Resource Usage And Pay Attention If Resource Exhaustion Occurs.
Protect Your Log File From Unauthorized Modification And Log Forging.
Consequences
Security Scopes Affected
Access Control
Authorization
Availability
Confidentiality
Integrity
Potential Impacts
Execute Unauthorized Commands
Gain Privileges
Resource Consumption
Indicators
1
The log can have a trace of abnormal activity. Also if abnormal activity is detected on the host target. For instance flooding should be seen as abnormal activity and the target host may decide to take appropriate action in order to mitigate the attack (data filtering or blocking). Resource exhaustion is also a sign of abnormal activity.