New Techniques Emerge for Abusing Windows Services to Gain System Control

Organizations should apply principles of least privilege to mitigate threats, security researcher says.

Several new techniques have surfaced recently that give attackers a way to abuse legitimate Windows services and, with relatively little effort, escalate from a low-privileged account on a system to full control of it.


The newer exploits take advantage of the same Windows service capabilities, or similar ones, that attackers have abused before, and they work even on some of the more recent versions of the operating system, warns Antonio Cocomazzi, system engineer at SentinelOne. Cocomazzi described some of the techniques in a briefing at the Black Hat Asia 2021 virtual conference this week.


For organizations, the biggest problem in dealing with these attacks is that they abuse services that hold impersonation privileges (the SeImpersonatePrivilege user right) and that exist by design in Windows, Cocomazzi tells Dark Reading. The services are enabled by default and play an essential part in the implementation of Web servers, database servers, mail servers, and other server roles, Cocomazzi says. The accounts those roles typically run under, such as LOCAL SERVICE, NETWORK SERVICE, and IIS application pool identities, hold the privilege out of the box, so a compromise of one of those services hands the attacker a token the techniques can abuse.


"These recent techniques allow an attacker to exploit even the latest and updated Windows systems," he says.
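A practitioner's first question after reading the above is whether the context they have just landed in, or the hosts they defend, hold the privilege these techniques depend on. The following PowerShell is an added example written for this article, not code from SentinelOne or from the research it describes. It assumes the standard `whoami /priv` and `secedit /export` output formats, and the function names are my own. The second function needs an elevated shell because secedit refuses to export the policy otherwise.

```powershell
# Added example (not from the article or SentinelOne). Assumption: the
# Potato family needs a token that holds SeImpersonatePrivilege (or
# SeAssignPrimaryTokenPrivilege); both are granted by default to
# LOCAL SERVICE, NETWORK SERVICE, IIS application pools and Administrators.

function Test-ImpersonationPrivilege {
    # Parse `whoami /priv` for the current token. A privilege listed as
    # "Disabled" still counts: a process can enable it with
    # AdjustTokenPrivileges, so only absence is safe.
    $wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
    $lines  = whoami /priv 2>$null
    foreach ($p in $wanted) {
        $line  = $lines | Where-Object { $_ -match "^\s*$p\s" }
        $state = 'n/a'
        if ($line) {
            # Columns are separated by runs of spaces; the last one is State.
            $state = ($line -split '\s{2,}')[-1].Trim()
        }
        [pscustomobject]@{ Privilege = $p; Present = [bool]$line; State = $state }
    }
}

function Get-ImpersonationGrantees {
    # Export the local security policy (elevated shell required) and list the
    # principals granted the privilege under User Rights Assignment. This is
    # the setting to tighten when applying least privilege to service accounts.
    param([string]$Privilege = 'SeImpersonatePrivilege')
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated shell' }
    try {
        # Line looks like: SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
        $line = Get-Content $cfg | Where-Object { $_ -match "^$Privilege\s*=" }
        if (-not $line) { return @() }   # nobody holds it
        $sids = ($line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') }
        foreach ($sid in $sids) {
            $name = '(unresolved)'
            try {
                $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $id.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            [pscustomobject]@{ Sid = $sid; Account = $name }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Usage: what does my current token hold, and who is granted it host-wide?
Test-ImpersonationPrivilege | Format-Table -AutoSize
Get-ImpersonationGrantees   | Format-Table -AutoSize
Get-ImpersonationGrantees -Privilege 'SeAssignPrimaryTokenPrivilege' | Format-Table -AutoSize
```

Run the first function from the context of a web or database service (for example a web shell or an xp_cmdshell prompt) to see whether that foothold is a candidate for this class of escalation; run the second as an administrator on a baseline image to confirm that only the principals that genuinely need the right still hold it.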


An exploit known as "Juicy Potato" continues to be the most common way for attackers to escalate privileges on a Windows system using a legitimate Windows service, Cocomazzi says. SentinelOne has observed evidence of the exploit being used in multiple APT campaigns, he adds.


There have been no signs so far of the newer techniques being used in the wild, but that does not mean they are not being exploited.


"Considering that those techniques have been discovered recently, it's just a matter of time before they will be found [and] used by attackers in future attacks," he says.


Juicy Potato is an exploit that allows an attacker ..
