Detect escalation privileges

Hi everyone, I’m a newbie in Windows Security. I want to detect escalation privileges (UM or KM); can anyone give me an idea how to do it?
My solution is checking the process/thread privileges every time it calls a common API like CreateProcess, CreateFile, OpenProcess, … by hooking. Is it possible?
I think Windows checks process permission when it changes the resource; I think that based on this I can scan in real time. Can someone please explain it to me or share any documentation that describes it?

‘escalation privileges’ is not a standard term in windows security so it is hard to know what you are asking, but here are some basics

Windows security is based on security principals, access control lists and privileges.

A security principal is an entity who can act - typically a user or computer account.

An access control list is a list of security principals or groups that are assigned allow or deny to a set of rights.

Privileges control special access that isn’t covered by ACLs.

Every process and thread has a security token, and when a thread calls an API to open a new handle, that security token (which encapsulates a security principal) is used to check the ACL for the right to open a handle to the desired resource with the specified access. Security is not checked when the handle is used. There are many more details, but that’s the basic model.

What you might be asking about is UAC. When UAC is active, standard processes are started with security tokens that do not include all of the SIDs that it could be, but elevated processes are.

There are many more details here:

https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control

but it should also be noted that the UM / KM boundary is an essential part of enforcing this security model, and that it inherently focuses on UM and network access. It is not designed to protect one KM component from another.
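The point above that the access check happens when a handle is opened, not when it is used, can be seen directly from a script. The following is an added illustration, not code from the original post; it assumes Windows PowerShell 5.1 or later on an NTFS volume with a writable %TEMP% (both assumptions, not stated in the thread).

```powershell
# Added illustration (not from the original post). Assumes Windows PowerShell 5.1+
# on NTFS with a writable %TEMP%. Shows that the DACL is evaluated at open time and
# that an already-open handle keeps working after access has been revoked.
$path = Join-Path $env:TEMP 'handle-check-demo.txt'
Set-Content -Path $path -Value 'data written before the ACL change' -NoNewline
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# 1. Open a read handle now, while our token still passes the access check.
$fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')

# 2. Add a Deny ACE for FILE_READ_DATA only (not READ_CONTROL), so we can still
#    read and restore the ACL afterwards. The owner keeps implicit WRITE_DAC.
$acl  = Get-Acl -Path $path
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'ReadData', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# 3. A new open is checked against the updated DACL and is refused.
try {
    [System.IO.File]::ReadAllText($path) | Out-Null
    Write-Host 'New open: unexpectedly succeeded'
} catch {
    Write-Host ('New open refused: ' + $_.Exception.GetBaseException().GetType().Name)
}

# 4. The handle from step 1 is never re-checked; reads through it still succeed.
$reader = New-Object System.IO.StreamReader($fs)
Write-Host ('Old handle still reads: "{0}"' -f $reader.ReadToEnd())
$reader.Dispose()   # also closes $fs

# 5. Clean up: remove the Deny ACE and delete the file.
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $path -AclObject $acl
Remove-Item -Path $path
```

For monitoring, the practical consequence is that a permission change takes effect only for handles opened after it; handles granted earlier must be tracked or closed separately.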

I like that concise summary. I wish I had it when I started working with these things years ago.

@Nathan_Kidd said:
I like that concise summary. I wish I had it when I started working with these things years ago.

Please let me know a little detail about your experiment or solution for this problem. I look forward to hearing from you.

Please let me know a little detail about your experiment or solution for this problem.

What problem? As Mr Bond pointed out, your question does not make sense.

@newuser159 said:
Hi everyone, I’m a newbie in Windows Security. I want to detect escalation privileges (UM or KM); can anyone give me an idea how to do it?
My solution is checking the process/thread privileges every time it calls a common API like CreateProcess, CreateFile, OpenProcess, … by hooking. Is it possible?
I think Windows checks process permission when it changes the resource; I think that based on this I can scan in real time. Can someone please explain it to me or share any documentation that describes it?

Short answer: you can’t. Not reliably anyway. An escalation of privileges is a bug/flaw in the OS itself and must be fixed by the OS developers. Unfortunately.