Execution and Escalation Attack

(OBJ 2.4)

Arbitrary Code Execution

• Vulnerability allows an attacker to run their code or module that exploits without restrictions
• Lets attackers execute their code on the target system

Remote Code Execution

• Type of arbitrary code execution that occurs remotely, often over the internet
• Example:
  • If I can touch your machine and load up mu software, that's arbitrary code execution.
  • If I can do it over the internet, that's remote code execution

Privilege Escalation

• Gaining higher-level permissions than originally assigned

• Occurs when a user access or modifies specific resources that they are not entitled to normally access

• Allows attackers to operate with elevated privileges, such as administrator or root access

• Vertical Privilege Escalation

  • Going from normal user to higher privilege (e.g., admin or root)
  • Commonly associated with code execution leading to admin-level permissions

• Horizontal Privilege Escalation

  • Accessing or modifying resources at the same level as the attacker
  • Occurs when a user attempts to access resources for which they don't have permissions at the same level
  • Example:
    • I am on the Share drive and I am trying to access George's file and I don't have George's permission, that would be horizontal privilege escalation.
    • We both have user permissions at the same level but he has permissions over his stuff.

• Understanding Privileges

  • Application and process privileges are required for executing functions, reading, and writing data
  • Applications inherit the permissions of the user running them (e.g., system, admin, or user)
    • The arbitrary code inserted in a program is going to take the privileges of whoever is running that program
    • If the system is running that program, it has system permissions
  • Understanding and managing privileges is crucial for system security
  • Attackers aim to gain higher privileges to perform malicious actions

Rootkits

• Class of malware that conceals its presence by modifying system files, often at the kernel level

• Can be challenging to detect and provides attackers with persistence

• Ring Levels

  • Ring Zero
    • The kernel (center) with the highest privileges
      • Windows or Linux Kernel
    • Kernel mode rootkits (Ring Zero) are more dangerous due to their extensive control
    • If you are operating something with kernel level permissions you're at ring zero, you have the most privileged access to this machine.
  • Rings 1 to 3
    • User-level components with decreasing privileges as the ring number increases

  

• Kernel Mode Rootkit

  • Embedded in the kernel (Ring Zero)
  • Has maximum control and privileges
  • Highly dangerous due to the extensive system access

• User Mode Rootkit

  • Attached to user-level components (Rings 1 to 3)
  • Has administrator-level privileges
  • Utilizes operating system features for persistence, e.g., registry or task scheduler
    • They have to be inside registry
    • They have to be inside something like Task Scheduler
    • So that when you reboot the system, they get that persistence back