This is the second in a two-part series discussing a still-unpatched userland Windows privilege escalation. The exploit enables attackers to perform highly privileged actions that typically require a kernel driver.

knowndll

PPL process attempting to load an unsigned DLL via LoadLibrary

knowndll3.png

blog-security-detection-720x420.png

Detecting and blocking unknown KnownDlls

Several common process tampering attacks exploit the gap between process creation and when security products are notified. Elastic Security detects a variety of such techniques, including Doppelgänging, Herpaderping, and a new technique: Ghosting

The birth of a process

1-blog-process-ghosting.png

2-blog-process-ghosting.png

2021-03-28_Explorer_Launching_Notepad.png

Scanning processes for malware

Prior work

Ghosting a process

4-blog-process-ghosting.png

Demo

process-ghosting-image-2.png

Detection

high-res-process-ghosting.png

Comparing techniques

Conclusion

References

blog-thumb-shattered-lock.jpg

What you need to know about Process Ghosting, a new executable image tampering attack

This blog is the first in a two-part series discussing a userland Windows exploit that enables attackers to perform highly privileged actions that typically require a kernel driver.

<p>This quick blog is the first in a two-part series discussing a userland Windows exploit initially disclosed by <a href="https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html">James Forshaw</a> and <a href="https://twitter.com/aionescu/status/1385263135276224514">Alex Ionescu</a>. The exploit enables attackers to perform highly privileged actions that typically require a kernel driver.
</p><h2>Protected process light</h2><p>Windows 8.1 introduced the concept of Protected Process Light (PPL), which enables specially-signed programs to run in such a way that they are immune from tampering and termination, even by administrative users. The goal is to keep malware from running amok — tampering with critical system processes and terminating anti-malware applications. There is a hierarchy of PPL “levels,” with higher-privilege ones immune from tampering by lower-privilege ones, but not vice-versa.&nbsp;
</p><p>For more information on PPL processes, please see the following resources:
</p><ul>
	<li aria-level="1"><a href="https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-">Protecting Anti-Malware Services - Win32 apps</a></li>
	<li aria-level="1"><a href="https://www.crowdstrike.com/blog/evolution-protected-processes-part-1-pass-hash-mitigations-windows-81/">The Evolution of Protected Processes Part 1</a></li>
	<li aria-level="1"><a href="https://www.crowdstrike.com/blog/evolution-protected-processes-part-2-exploitjailbreak-mitigations-unkillable-processes-and/">The Evolution of Protected Processes Part 2</a></li>
</ul><h2>The exploit</h2><p>At a high level, the <a href="https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland/">exploit</a> is a cache poisoning attack where an attacker can add a DLL to the <a href="https://docs.microsoft.com/en-us/archive/blogs/larryosterman/what-are-known-dlls-anyway">KnownDlls</a> cache — a trusted list of Windows DLLs. KnownDlls is only writable by WinTcb processes, which is the highest form of PPL... but a bug in the implementation of the <a href="https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-definedosdevicew">DefineDosDevice</a> API allows attackers to trick CSRSS, a WinTcb process, into creating a cache entry on their behalf. KnownDlls is trusted by the Windows loader, so no additional security checks are performed as KnownDlls are loaded, even inside PPL processes. After poisoning the cache, the attacker launches a protected process which ends up loading their DLL and executing its payload.
</p><p>Because this exploit enables attackers to inject a DLL of their choosing into a PPL process, they can perform any action with WinTcb privileges. Microsoft has indicated that they are <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1336">not interested</a> in servicing this <a href="https://aka.ms/windowscriteria">vulnerability</a>. It is confirmed to work on Windows 10 21H1 version 10.0.19043.985.
</p><h2>Open source</h2><p>The first public exploit POC that we’re aware of is the recently-released PPLDump, a <a href="https://github.com/itm4n/PPLdump">tool</a> that can dump any PPL process, such as LSASS <a href="https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection">in RunAsPPL mode</a>. A few weeks after PPLDump was released, <a href="https://blog.tofile.dev/2021/05/12/sealighterti.html">Sealighter-TI</a> came out, reusing the PPLDump exploit code to grant access to the Threat-Intelligence ETW feed, which is normally restricted to AntiMalware companies under NDA. The rapid turnaround of Sealighter-TI demonstrates how easy it is to repurpose the exploit code to execute a new payload.
</p><p>With the exploit code public, we expect that offensive tools will quickly capitalize on it, running payloads as WinTcb PPL. This will enable them to:
</p><ul>
	<li aria-level="1">Dump enterprise credentials, even when LSASS is hardened to run as PPL.</li>
	<li aria-level="1">Terminate or silently disable PPL processes such as security products.</li>
	<li aria-level="1">Run entire implants as WinTcb PPL processes. These implants cannot be inspected or terminated by user-mode security products. Microsoft restricts security products to AntiMalware PPL, which is less-privileged than WinTcb.</li>
	<li aria-level="1">Inject code into existing PPL processes. Imagine running Cobalt Strike’s beacon payload <em>inside of</em> Windows Defender.</li>
</ul><h2>Closing the hole</h2><p>Seeing this vulnerability with no public mitigation, we are releasing a tool called PPLGuard to close it. PPLGuard, which is based on the PPLDump code base with permission, uses the exploit to first elevate to WinTcb PPL, then applies a <a href="https://docs.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces">DACL</a> making the KnownDlls object directory read-only. This blocks the exploit by preventing CSRSS from adding a new entry — a critical step in the exploit chain. This DACL exists in memory only, so it is erased upon reboot.&nbsp;
</p><p><img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blt31cf27d94471be24/60b1264b909370737ae4bb31/knowndiis-blog-windows-privileged-user.png" data-sys-asset-uid="blt31cf27d94471be24" alt="" style="display: block; margin: auto;">
</p><figcaption>GENERIC_WRITE DENY ACE added to KnownDlls by PPLGuard</figcaption><p>Since PPLGuard closes the vulnerability that the exploit relies upon, subsequent executions will fail.
</p><pre class="prettyprint">C:\git\PPLGuard&gt;x64\Release\PPLGuard.exe
[+] KnownDlls hardening successful! :)
C:\git\PPLGuard&gt;x64\Release\PPLGuard.exe
[-] DefineDosDevice failed with error code 5 - Access is denied.
</pre><p>The PPLGuard proof of concept tool can be found <a href="https://github.com/elastic/PPLGuard">here</a>.
</p><h2>Conclusion</h2><p>In this blog, we covered a Windows privilege escalation exploit and provided an open source tool that mitigates the exploited vulnerability. In part 2 of this blog, we’ll cover how to hunt for these types of attacks using <a href="https://www.elastic.co/security">Elastic Security</a>. Stay tuned.
</p><p>In the meantime, experience our latest version of the <a href="https://www.elastic.co/elasticsearch/service">Elasticsearch Service</a> on Elastic Cloud. Also be sure to take advantage of our <a href="https://www.elastic.co/training/elastic-security-quick-start">Quick Start training</a> to set yourself up for success.</p><p><em>Update 2021-06-03: After this blog was written, someone ported the PPLDump exploit to .NET to <a href="https://twitter.com/buffaloverflow/status/1400441642516164614">run Cobalt Strike beacon as WinTCB PPL</a>.</em></p>

blog-banner-curved-windows.jpg

blog-thumb-curved-windows.jpg

Protecting Windows protected processes

Start free trial

Blog Footer CTA

Sign up for Elastic Cloud free trial

Gabriel Landau

The content on this page is not available in the selected language. As Elastic grows globally, we continue to support content in multiple languages.

The content on this page is not available in the selected language.

El contenido de esta página no está disponible en el idioma seleccionado. Elastic está trabajando para garantizar que el contenido esté disponible en varios idiomas. Gracias por tu paciencia mientras trabajamos.

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/elastic-cloud-account-terms" target="_self">Terms of Service</a>, and you agree to receive the <a href="/legal/privacy-statement#how-we-use-the-information" target="_self">selected communications</a> at the contact details you provided above. See <a href="/legal/privacy-statement/" target="_self">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Communication Preferences - ONLY for /communication-preferences

<p>Al enviar, confirma que ha leído y acepta nuestras <a href="/es/legal/elastic-cloud-account-terms" target="_self">Condiciones de servicio</a>, y que acepta recibir las <a href="/es/legal/privacy-statement#how-we-use-the-information" target="_self">comunicaciones seleccionadas</a> en los detalles de contacto que proporcionó anteriormente. Consulte la <a href="/es/legal/privacy-statement/" target="_self">Declaración de privacidad de Elastic</a> para obtener más información o para cancelar su suscripción en cualquier momento.</p>

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/serverless-preview-terms" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Serverless GDPR Text

<p>Al enviar, confirma que ha leído y acepta nuestras <a href="/es/legal/serverless-preview-terms" target="_self">Condiciones de servicio</a>, y que Elastic puede <a href="/es/legal/privacy-statement#how-we-use-the-information" target="_self">ponerse en contacto con usted</a> acerca de nuestros productos y servicios relacionados. Consulte la <a href="/es/legal/privacy-statement/" target="_self">Declaración de privacidad de Elastic</a> para obtener más información o para cancelar su suscripción en cualquier momento.</p>

<p>By submitting you agree to <a href="/agreements/global/cloud-services-monthly" rel="nofollow">Elastic Cloud Terms of Service</a>. Your personal data will be processed in accordance with <a href="/legal/privacy-statement">Elastic's Privacy Statement</a>.</p>

Cloud Trial GDPR Text

<p>Al enviar esta información, aceptas los <a href="/es/agreements/global/cloud-services-monthly" rel="nofollow">Términos de servicio de Elastic</a>. Los datos personales se procesarán de conformidad con la <a href="/es/legal/privacy-statement">declaración de privacidad de Elastic</a>.
</p>

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/terms-of-use" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Newsletter GDPR Text

<p>Al enviar, confirma que ha leído y acepta nuestras <a href="/es/legal/terms-of-use" target="_self">Condiciones de servicio</a>, y que Elastic puede <a href="/es/legal/privacy-statement#how-we-use-the-information" target="_self">ponerse en contacto con usted</a> acerca de nuestros productos y servicios relacionados. Consulte la <a href="/es/legal/privacy-statement/" target="_self">Declaración de privacidad de Elastic</a> para obtener más información o para cancelar su suscripción en cualquier momento.</p>

Hosted by

All Solutions

Follow us on Youtube

Watch now (no PT)

Articles by

Share by Email

Filters

All (no PT translation)

Contact information

See when this webinar starts in my time zone

Ver cuándo comienza este webinar en mi zona horaria

Thank you for your interest!

Register to Attend

Small image for

Register to Watch

Continue reading

Featured webinar

What to explore next...

Reset all

Load more press releases

Sign In to Attend

Share

Upcoming webinar

Learn more

Search Integrations

Share on Reddit

Share on Twitter

Share on Facebook

Load more news

View more posts

On-demand webinar

Follow us on Facebook

Author

Press Release

You'll also receive an email with related content.

You'll also receive an email with related content

Además, te enviaremos contenidos relevantes

Print

Contact Info

Overview

Video for

Read less

Register now

Share this story

See All Posts

See all top stories

View next

Can't make it? Register and we'll send you the recording. You'll also receive an email with related content

¿No puedes asistir? Regístrate y te enviaremos la grabación. También recibirás un correo electrónico con contenido relacionado.

Follow us on LinkedIn

Highlights

Explore similar demos

Follow us on Twitter

Share on LinkedIn

Load More

See more insights

Speakers

Close

Thank you for registering. We will send you a confirmation email soon.

Gracias por registrarte. Te enviaremos un correo electrónico de confirmación pronto.

Author

Articles by Gabriel Landau

Detecting and blocking unknown KnownDlls

What you need to know about Process Ghosting, a new executable image tampering attack

Protecting Windows protected processes

Sign up for Elastic Cloud free trial