Module 8

Question 1

What is the primary goal of the privilege escalation tactic?

Answer 1

To exploit a vulnerability or misconfiguration to gain additional privileges on a compromised system.

Question 2

What is the MITRE ATT&CK Tactic ID for Privilege Escalation?

Answer 2

TA0004.

Question 3

On Windows, which account group has low privileges and can typically only access or modify their own files?

Answer 3

The Users group.

Question 4

Which Windows account group has Full Control permissions over most objects on the computer, such as directories, files, and services?

Answer 4

The local Administrators group.

Question 5

Which built-in Windows account has minimum privileges on the local computer and authenticates on the network with anonymous credentials?

Answer 5

The LocalService account (LOCAL SERVICE).

Question 6

Which built-in Windows account has minimum privileges locally but authenticates on the network by presenting the computer’s credentials?

Answer 6

The NetworkService account (NETWORK SERVICE).

Question 7

Which built-in Windows account is generally considered the highest level of access on a system, sometimes having more privileges than Administrators?

Answer 7

The LocalSystem account (SYSTEM).

Question 8

How do Service User Accounts like LocalSystem inherit their privileges, if not from local group membership?

Answer 8

They inherit their privileges from User Rights Assignments, which are security policy settings.

Question 9

User Rights Assignments are split into two categories: _____ and User Rights.

Answer 9

Logon Rights

Question 10

What do ‘Logon Rights’ in Windows security policy control?

Answer 10

They control how and where an account is authorized to log into a computer.

Question 11

What does the SeBatchLogonRight allow a user to do?

Answer 11

It allows a user to be logged in by a batch-queue service such as the Task Scheduler.

Question 12

What do ‘User Rights’ in Windows security policy control?

Answer 12

They control access to objects and can override explicit permissions on them.

Question 13

Which sensitive user right allows a user to read any file, even if they haven’t been granted read access to it?

Answer 13

The SeBackupPrivilege.

Question 14

Which sensitive user right, often held by service accounts for web or SQL servers, can be abused to obtain SYSTEM privileges?

Answer 14

The SeImpersonatePrivilege.

Question 15

Why are Windows services a large attack surface for privilege escalation?

Answer 15

Because they frequently run as SYSTEM and can be misconfigured or vulnerable in various ways.

Question 16

Name one of the built-in Windows utilities used to gather information about installed services.

Answer 16

sc.exe or wmic.exe.

Question 17

Which type of vulnerability occurs when an adversary can place an executable in a location where it gets executed before the intended one?

Answer 17

Path interception.

Question 18

What does the PATH environment variable in Windows contain?

Answer 18

It contains a list of directories from which common programs are run.

Question 19

The PATH variable for a user process is a concatenation of which two paths?

Answer 19

The Machine path and the User path.

Question 20

Path interception by the PATH variable occurs when a directory writable by standard users is added to the _____ path variable.

Answer 20

machine’s

Question 21

In the context of PATH variable interception, why is it particularly troublesome when software is installed in the system root (e.g., C:)?

Answer 21

Because directories created in the system root are writeable by standard users by default.

Question 22

Which command-line utility can be used to read the permissions of a file or directory in Windows?

Answer 22

The cacls command.

Question 23

The _____ API follows a search order that includes: executing directory, current working directory, System32, 16-bit System, Windows, and then PATH directories.

Answer 23

WinExec

Question 24

By default, what is the current working directory for all Windows services when they start?

Answer 24

C:\Windows\System32.

Question 25

If the `CreateProcess` API is called without `lpApplicationName` but with `lpCommandLine`, what search order does it follow?

Answer 25

It follows the same search order as the WinExec API (executing directory, current working directory, etc.).

Question 26

Path interception by _____ hijacking occurs when an attacker can write to a directory that precedes the legitimate one in an API's search order.

Answer 26

search order

Question 27

Which directory is the only one that precedes both the binary's current working directory and System32 in the standard search order?

Answer 27

The executing directory (the directory the binary is located in).

Question 28

Path interception by _____ [T1574.009] occurs when a program path contains spaces and is not enclosed in quotations.

Answer 28

unquoted path

Question 29

How does the `CreateProcess` API interpret the unquoted path `C:\Program Files\Bad Application\Bad Program.exe`?

Answer 29

It tries to interpret the path based on whitespaces, checking paths like `C:\Program.exe`, `C:\Program Files\Bad.exe`, etc., before the full path.

Question 30

When abusing a service vulnerability, what specific type of payload must be used?

Answer 30

Dedicated svc.exe payloads must be used.

Question 31

After dropping a malicious binary to exploit an unquoted service path, what must an adversary typically do to execute it?

Answer 31

The service must be stopped and restarted.

Question 32

Which `sc` commands are used to stop and start a Windows service?

Answer 32

`sc_stop [servicename]` and `sc_start [servicename]`.

Question 33

The vulnerability where an adversary can overwrite a service executable due to a weak Access Control Entry is known as _____.

Answer 33

Weak Service File Permissions [T1574.010]

Question 34

What is a major difficulty in exploiting weak service file permissions by overwriting the binary?

Answer 34

The service binary cannot be overwritten while the service is running.

Question 35

Where in the Windows registry are service configurations stored?

Answer 35

In `HKLM\SYSTEM\CurrentControlSet\Services`.

Question 36

What is the MITRE ATT&CK ID for Weak Service Registry Permissions?

Answer 36

T1574.011.

Question 37

If an adversary has FullControl access to a service's registry key, what is a common way to exploit this for privilege escalation?

Answer 37

Change the service's binary path to point to a malicious payload.

Question 38

What is a DLL (dynamic-link library)?

Answer 38

A portable executable (PE) file containing common functionalities that can be used by any program.

Question 39

What is the name for the technique where an adversary places a malicious DLL in a directory that is higher in the search hierarchy than the legitimate one?

Answer 39

DLL Search Order Hijacking [T1574.001].

Question 40

What is the first location Windows checks in the standard DLL search order?

Answer 40

The executing directory.

Question 41

List the standard DLL search order for most applications.

Answer 41

Executing directory, System32 directory, 16-bit System directory, Windows directory, current working directory, and PATH directories.

Question 42

A generic software vulnerability [T1068] in an elevated application, such as _____, can be exploited from a user context for privilege escalation.

Answer 42

deserialization of untrusted data

Question 43

What is `ysoserial.net` used for?

Answer 43

It is a tool for creating .NET gadgets to exploit deserialization vulnerabilities.

Question 44

What Windows mechanism controls access to securable objects using integrity levels like low, medium, high, and system?

Answer 44

Mandatory Integrity Control (MIC).

Question 45

A security principal cannot modify an object that is assigned a _____ integrity level than its own.

Answer 45

higher

Question 46

By default, what integrity level is a user process given, even if the user is in the local administrators group?

Answer 46

A medium integrity level.

Question 47

What Windows defense-in-depth feature acts as a gatekeeper to Mandatory Integrity Control, prompting for consent before an action is run with high integrity?

Answer 47

User Account Control (UAC).

Question 48

What is the purpose of UAC bypass techniques [T1548.002]?

Answer 48

To elevate from a medium-integrity context to a high-integrity context without a UAC prompt.

Question 49

In Cobalt Strike, what is the difference between an 'elevator' and an 'exploit' for UAC bypass?

Answer 49

An 'elevator' (`runasadmin`) runs an arbitrary command, while an 'exploit' (`elevate`) spawns a new Beacon session.

Question 50

What is the syntax for the Cobalt Strike `elevate` command?

Answer 50

`elevate [exploit] [listener]`.

Question 51

What is the syntax for the Cobalt Strike `runasadmin` command?

Answer 51

`runasadmin [exploit] [command] [args]`.

Question 52

Name one of the UAC bypass methods built into both the `elevate` and `runasadmin` commands in Cobalt Strike.

Answer 52

`uac-schtasks` (Bypass UAC with schtasks.exe) or `uac-token-duplication` (Bypass UAC with Token Duplication).

Question 53

In the `cacls` command output, what does the permission key 'F' stand for?

Answer 53

Full control.

Question 54

In the `cacls` command output, what does the permission key 'C' stand for?

Answer 54

Read, write, execute, & delete.

Question 55

What PowerShell cmdlet can be used to view the Access Control List (ACL) of a registry key?

Answer 55

The `Get-Acl` cmdlet.

Question 56

What is the purpose of the `sc_config` command in the context of privilege escalation?

Answer 56

To modify a service's configuration, such as its `BINARY_PATH_NAME`, to point to a malicious executable.