This is the second in a two-part series discussing a still-unpatched userland Windows privilege escalation. The exploit enables attackers to perform highly privileged actions that typically require a kernel driver.

knowndll

PPL process attempting to load an unsigned DLL via LoadLibrary

knowndll3.png

blog-security-detection-720x420.png

Detecting and blocking unknown KnownDlls

Several common process tampering attacks exploit the gap between process creation and when security products are notified. Elastic Security detects a variety of such techniques, including Doppelgänging, Herpaderping, and a new technique: Ghosting

The birth of a process

1-blog-process-ghosting.png

2-blog-process-ghosting.png

2021-03-28_Explorer_Launching_Notepad.png

Scanning processes for malware

Prior work

Ghosting a process

4-blog-process-ghosting.png

Demo

process-ghosting-image-2.png

Detection

high-res-process-ghosting.png

Comparing techniques

Conclusion

References

blog-thumb-shattered-lock.jpg

What you need to know about Process Ghosting, a new executable image tampering attack

This blog is the first in a two-part series discussing a userland Windows exploit that enables attackers to perform highly privileged actions that typically require a kernel driver.

<p>This quick blog is the first in a two-part series discussing a userland Windows exploit initially disclosed by <a href="https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html">James Forshaw</a> and <a href="https://twitter.com/aionescu/status/1385263135276224514">Alex Ionescu</a>. The exploit enables attackers to perform highly privileged actions that typically require a kernel driver.
</p><h2>Protected process light</h2><p>Windows 8.1 introduced the concept of Protected Process Light (PPL), which enables specially-signed programs to run in such a way that they are immune from tampering and termination, even by administrative users. The goal is to keep malware from running amok — tampering with critical system processes and terminating anti-malware applications. There is a hierarchy of PPL “levels,” with higher-privilege ones immune from tampering by lower-privilege ones, but not vice-versa.&nbsp;
</p><p>For more information on PPL processes, please see the following resources:
</p><ul>
	<li aria-level="1"><a href="https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-">Protecting Anti-Malware Services - Win32 apps</a></li>
	<li aria-level="1"><a href="https://www.crowdstrike.com/blog/evolution-protected-processes-part-1-pass-hash-mitigations-windows-81/">The Evolution of Protected Processes Part 1</a></li>
	<li aria-level="1"><a href="https://www.crowdstrike.com/blog/evolution-protected-processes-part-2-exploitjailbreak-mitigations-unkillable-processes-and/">The Evolution of Protected Processes Part 2</a></li>
</ul><h2>The exploit</h2><p>At a high level, the <a href="https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland/">exploit</a> is a cache poisoning attack where an attacker can add a DLL to the <a href="https://docs.microsoft.com/en-us/archive/blogs/larryosterman/what-are-known-dlls-anyway">KnownDlls</a> cache — a trusted list of Windows DLLs. KnownDlls is only writable by WinTcb processes, which is the highest form of PPL... but a bug in the implementation of the <a href="https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-definedosdevicew">DefineDosDevice</a> API allows attackers to trick CSRSS, a WinTcb process, into creating a cache entry on their behalf. KnownDlls is trusted by the Windows loader, so no additional security checks are performed as KnownDlls are loaded, even inside PPL processes. After poisoning the cache, the attacker launches a protected process which ends up loading their DLL and executing its payload.
</p><p>Because this exploit enables attackers to inject a DLL of their choosing into a PPL process, they can perform any action with WinTcb privileges. Microsoft has indicated that they are <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1336">not interested</a> in servicing this <a href="https://aka.ms/windowscriteria">vulnerability</a>. It is confirmed to work on Windows 10 21H1 version 10.0.19043.985.
</p><h2>Open source</h2><p>The first public exploit POC that we’re aware of is the recently-released PPLDump, a <a href="https://github.com/itm4n/PPLdump">tool</a> that can dump any PPL process, such as LSASS <a href="https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection">in RunAsPPL mode</a>. A few weeks after PPLDump was released, <a href="https://blog.tofile.dev/2021/05/12/sealighterti.html">Sealighter-TI</a> came out, reusing the PPLDump exploit code to grant access to the Threat-Intelligence ETW feed, which is normally restricted to AntiMalware companies under NDA. The rapid turnaround of Sealighter-TI demonstrates how easy it is to repurpose the exploit code to execute a new payload.
</p><p>With the exploit code public, we expect that offensive tools will quickly capitalize on it, running payloads as WinTcb PPL. This will enable them to:
</p><ul>
	<li aria-level="1">Dump enterprise credentials, even when LSASS is hardened to run as PPL.</li>
	<li aria-level="1">Terminate or silently disable PPL processes such as security products.</li>
	<li aria-level="1">Run entire implants as WinTcb PPL processes. These implants cannot be inspected or terminated by user-mode security products. Microsoft restricts security products to AntiMalware PPL, which is less-privileged than WinTcb.</li>
	<li aria-level="1">Inject code into existing PPL processes. Imagine running Cobalt Strike’s beacon payload <em>inside of</em> Windows Defender.</li>
</ul><h2>Closing the hole</h2><p>Seeing this vulnerability with no public mitigation, we are releasing a tool called PPLGuard to close it. PPLGuard, which is based on the PPLDump code base with permission, uses the exploit to first elevate to WinTcb PPL, then applies a <a href="https://docs.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces">DACL</a> making the KnownDlls object directory read-only. This blocks the exploit by preventing CSRSS from adding a new entry — a critical step in the exploit chain. This DACL exists in memory only, so it is erased upon reboot.&nbsp;
</p><p><img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blt31cf27d94471be24/60b1264b909370737ae4bb31/knowndiis-blog-windows-privileged-user.png" data-sys-asset-uid="blt31cf27d94471be24" alt="" style="display: block; margin: auto;">
</p><figcaption>GENERIC_WRITE DENY ACE added to KnownDlls by PPLGuard</figcaption><p>Since PPLGuard closes the vulnerability that the exploit relies upon, subsequent executions will fail.
</p><pre class="prettyprint">C:\git\PPLGuard&gt;x64\Release\PPLGuard.exe
[+] KnownDlls hardening successful! :)
C:\git\PPLGuard&gt;x64\Release\PPLGuard.exe
[-] DefineDosDevice failed with error code 5 - Access is denied.
</pre><p>The PPLGuard proof of concept tool can be found <a href="https://github.com/elastic/PPLGuard">here</a>.
</p><h2>Conclusion</h2><p>In this blog, we covered a Windows privilege escalation exploit and provided an open source tool that mitigates the exploited vulnerability. In part 2 of this blog, we’ll cover how to hunt for these types of attacks using <a href="https://www.elastic.co/security">Elastic Security</a>. Stay tuned.
</p><p>In the meantime, experience our latest version of the <a href="https://www.elastic.co/elasticsearch/service">Elasticsearch Service</a> on Elastic Cloud. Also be sure to take advantage of our <a href="https://www.elastic.co/training/elastic-security-quick-start">Quick Start training</a> to set yourself up for success.</p><p><em>Update 2021-06-03: After this blog was written, someone ported the PPLDump exploit to .NET to <a href="https://twitter.com/buffaloverflow/status/1400441642516164614">run Cobalt Strike beacon as WinTCB PPL</a>.</em></p>

blog-banner-curved-windows.jpg

blog-thumb-curved-windows.jpg

Protecting Windows protected processes

Start free trial

Blog Footer CTA

Sign up for Elastic Cloud free trial

Gabriel Landau

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/elastic-cloud-account-terms" target="_self">Terms of Service</a>, and you agree to receive the <a href="/legal/privacy-statement#how-we-use-the-information" target="_self">selected communications</a> at the contact details you provided above. See <a href="/legal/privacy-statement/" target="_self">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Communication Preferences - ONLY for /communication-preferences

<p>Durch das Absenden erklären Sie, dass Sie unsere <a href="/de/legal/elastic-cloud-account-terms" target="_self">Nutzungsbedingungen</a> gelesen haben und mit ihnen einverstanden sind und dass Sie Elastic erlauben, <a href="/de/legal/privacy-statement#how-we-use-the-information" target="_self">ausgewählte Nachrichten und Informationen</a> an die oben von Ihnen bereitgestellten Kontaktangaben zu senden. Weitere Informationen, darunter auch dazu, wie Sie Ihre Einwilligung zurückziehen können, finden Sie in der <a href="/de/legal/privacy-statement/" target="_self">Datenschutzerklärung von Elastic</a>.</p>

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/serverless-preview-terms" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Serverless GDPR Text

<p>Durch das Absenden erklären Sie, dass Sie unsere <a href="/de/legal/serverless-preview-terms" target="_self">Nutzungsbedingungen</a> gelesen haben und mit ihnen einverstanden sind und dass Sie Elastic erlauben, bezüglich unserer zugehörigen Produkte und Dienstleistungen und unter Nutzung der von Ihnen oben bereitgestellten Kontaktangaben <a href="/de/legal/privacy-statement#how-we-use-the-information" target="_self">mit Ihnen in Kontakt zu treten</a>. Weitere Informationen, darunter auch dazu, wie Sie Ihre Einwilligung zurückziehen können, finden Sie in der <a href="/de/legal/privacy-statement/" target="_self">Datenschutzerklärung von Elastic</a>.</p>

<p>By submitting you agree to <a href="/agreements/global/cloud-services-monthly" rel="nofollow">Elastic Cloud Terms of Service</a>. Your personal data will be processed in accordance with <a href="/legal/privacy-statement">Elastic's Privacy Statement</a>.</p>

Cloud Trial GDPR Text

<p>Beim Absenden akzeptieren Sie die <a href="/de/agreements/global/cloud-services-monthly" rel="nofollow">Nutzungsbedingungen von Elastic Cloud</a>. Die Verarbeitung Ihrer personenbezogenen Daten unterliegt der <a href="/de/legal/privacy-statement">Datenschutzerklärung von Elastic</a>.
</p>

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/terms-of-use" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Newsletter GDPR Text

<p>Durch das Absenden erklären Sie, dass Sie unsere <a href="/de/legal/terms-of-use" target="_self">Nutzungsbedingungen</a> gelesen haben und mit ihnen einverstanden sind und dass Sie Elastic erlauben, bezüglich unserer zugehörigen Produkte und Dienstleistungen und unter Nutzung der von Ihnen oben bereitgestellten Kontaktangaben <a href="/de/legal/privacy-statement#how-we-use-the-information" target="_self">mit Ihnen in Kontakt zu treten</a>. Weitere Informationen, darunter auch dazu, wie Sie Ihre Einwilligung zurückziehen können, finden Sie in der <a href="/de/legal/privacy-statement/" target="_self">Datenschutzerklärung von Elastic</a>.</p>

Explore similar demos

Overview

Speakers

Close

See more insights

The content on this page is not available in the selected language. As Elastic grows globally, we continue to support content in multiple languages.

The content on this page is not available in the selected language.

Der Inhalt dieser Seite ist in der ausgewählten Sprache nicht verfügbar. Wir bei Elastic arbeiten daran, die bereitgestellten Inhalte in verschiedenen Sprachen anzubieten. Bis dahin bitten wir Sie um etwas Geduld und hoffen auf Ihr Verständnis!

Author

Watch now (no PT)

Watch now

See all top stories

All (no PT translation)

Contact information

Press Release

Share on Reddit

Articles by

Share this story

Share by Email

Thank you for your interest!

Contact Info

Follow us on Youtube

Load More

Share on LinkedIn

Follow us on LinkedIn

Search Integrations

All Solutions

Video for

Follow us on Twitter

See when this webinar starts in my time zone

Register to Watch

Register now

See All Posts

Can't make it? Register and we'll send you the recording. You'll also receive an email with related content

Sie können nicht dabei sein? Registrieren Sie sich, damit wir Ihnen die Aufzeichnung zukommen lassen können. Außerdem erhalten Sie eine E‑Mail mit Begleitmaterial.

Small image for

On-demand webinar

Featured webinar

Register to Attend

Share on Facebook

Reset all

Upcoming webinar

View more posts

Print

Hosted by

Sign In to Attend

View next

Follow us on Facebook

Share

Highlights

Learn More

Read less

You'll also receive an email with related content

Wir schicken Ihnen zudem relevante Informationen, die von Interesse sein könnten.

Thank you for registering. We will send you a confirmation email soon.

Vielen Dank für Ihre Registrierung. Sie erhalten in Kürze eine Bestätigungs-E‑Mail von uns.

Author

Articles by Gabriel Landau

Detecting and blocking unknown KnownDlls

What you need to know about Process Ghosting, a new executable image tampering attack

Protecting Windows protected processes

Sign up for Elastic Cloud free trial