// Windows security boundary attacks — kernel/user boundary, sandbox escape, AppContainer/LPAC bypass, COM/RPC boundary, integrity levels, PPL exploitation
Comprehensive reconnaissance and OSINT — subdomain enumeration, CVE lookup, breach intelligence, DNS history, social profiling, attack surface mapping
Modern initial access techniques — phishing, payload delivery, HTML smuggling, ISO/IMG bypass, supply chain attacks, credential stuffing, exposed service exploitation
Static/dynamic malware analysis, YARA rules, sandbox evasion detection, behavioral profiling, unpacking, anti-analysis bypass
Binary analysis, disassembly, decompilation, firmware RE, protocol reverse engineering, anti-reversing bypass, malware unpacking
Expert-level source code security auditing — taint analysis, memory safety, injection classes, auth flaws, crypto weaknesses, concurrency bugs, supply chain risks
AI/ML security assessment — prompt injection, jailbreak detection, RAG poisoning, model extraction, adversarial examples, supply chain risks in ML pipelines
┌─────────────────────────────────────────────────────┐
│ VTL1 (Secure World) │
│ Credential Guard, HVCI, Secure Kernel │
├─────────────────────────────────────────────────────┤
│ VTL0 (Normal World) │
│ ┌───────────────────────────────────────────────┐ │
│ │ Kernel Mode (Ring 0) │ │
│ │ ntoskrnl, win32k, drivers │ │
│ ├───────────────────────────────────────────────┤ │
│ │ User Mode (Ring 3) │ │
│ │ ┌─────────────────────────────────────────┐ │ │
│ │ │ High Integrity (Admin) │ │ │
│ │ │ ┌───────────────────────────────────┐ │ │ │
│ │ │ │ Medium Integrity (Standard User) │ │ │ │
│ │ │ │ ┌─────────────────────────────┐ │ │ │ │
│ │ │ │ │ Low Integrity │ │ │ │ │
│ │ │ │ │ ┌───────────────────────┐ │ │ │ │ │
│ │ │ │ │ │ AppContainer/LPAC │ │ │ │ │ │
│ │ │ │ │ │ (Untrusted) │ │ │ │ │ │
│ │ │ │ │ └───────────────────────┘ │ │ │ │ │
│ │ │ │ └─────────────────────────────┘ │ │ │ │
│ │ │ └───────────────────────────────────┘ │ │ │
│ │ └─────────────────────────────────────────┘ │ │
│ └───────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────┘
// win32k.sys — historically most exploited Windows kernel component
// Attack: trigger vulnerability via GDI/USER syscalls from user mode
// Common bug classes: UAF in window objects, integer overflow in font parsing
// Driver IOCTLs — third-party drivers often vulnerable
// Attack: send crafted IOCTL to driver device object
HANDLE hDevice = CreateFileA("\\\\.\\VulnDriver", GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
DeviceIoControl(hDevice, IOCTL_CODE, inputBuf, inputSize, outputBuf, outputSize, &bytesReturned, NULL);
// BYOVD (Bring Your Own Vulnerable Driver)
// Load known-vulnerable signed driver, exploit it for kernel R/W
// Popular targets: RTCore64.sys, dbutil_2_3.sys, ene.sys, gdrv.sys
1. Arbitrary Read → leak kernel addresses (bypass KASLR)
2. Arbitrary Write → overwrite token privileges, disable PPL
3. Common targets:
- EPROCESS.Token → steal SYSTEM token
- EPROCESS.Protection → disable PPL
- PreviousMode → set to KernelMode for unrestricted syscalls
| Level | Value | Examples |
|---|---|---|
| System | 0x4000 | SYSTEM services |
| High | 0x3000 | Elevated admin processes |
| Medium | 0x2000 | Standard user processes |
| Low | 0x1000 | Protected Mode IE, some sandboxes |
| Untrusted | 0x0000 | AppContainer processes |
# Check integrity level
whoami /groups | findstr "Mandatory"
# Medium → High: UAC bypass (see privesc-windows skill)
# Low → Medium: exploit vulnerability in medium-integrity process
# AppContainer → Low: sandbox escape
1. Broker vulnerabilities — the broker process mediates access
- File picker broker (allows file access)
- Print broker
- Clipboard broker
2. Kernel vulnerabilities — AppContainer is userland enforcement
- win32k syscalls still accessible (reduced but not eliminated)
- Kernel bug = full escape
3. COM object abuse — some COM servers run at higher integrity
- Find COM objects accessible from AppContainer
- Exploit logic bugs in COM server
4. Named pipe/ALPC — if broker exposes pipe without proper ACL
5. Capability abuse — overly permissive capabilities granted
- internetClient, privateNetworkClientServer
- documentsLibrary, picturesLibrary
Renderer (AppContainer/Untrusted) → Browser Process (Medium)
Attack surface:
- Mojo IPC interface bugs
- Shared memory corruption
- GPU process as intermediate target
- PDF/extension process boundaries
Typical chain:
1. Renderer RCE (V8 bug, type confusion)
2. Sandbox escape (Mojo IPC bug, win32k bug)
3. Privilege escalation (kernel bug or UAC bypass)
// COM objects that auto-elevate (no UAC prompt):
// CMSTPLUA: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
// ICMLuaUtil interface — can launch elevated processes
// Exploit: instantiate elevated COM object, call methods
CoInitialize(NULL);
IID iid_ICMLuaUtil = {0x6EDD6D74, 0xC007, 0x4E75, {0xB7, 0x6A, 0xE5, 0x74, 0x09, 0x95, 0xE2, 0x4C}};
CLSID clsid_CMSTPLUA = {0x3E5FC7F9, 0x9A51, 0x4367, {0x90, 0x63, 0xA1, 0x20, 0x24, 0x4F, 0xBE, 0xC7}};
// CoCreateInstance with CLSCTX_LOCAL_SERVER → runs elevated
# Enumerate RPC interfaces
rpcdump.py target_ip
# Or: RpcView tool for local enumeration
# Common targets:
# - Print Spooler RPC (PrintNightmare)
# - Task Scheduler RPC
# - EFSRPC (PetitPotam)
# - MS-DRSR (DCSync)
- VTL1 runs Secure Kernel, Credential Guard, HVCI
- VTL0 cannot read/write VTL1 memory
- Escape requires: Hyper-V vulnerability (extremely rare, high bounty)
- Attack surface: hypercalls, synthetic interrupts, VMBUS
- Hyper-V attack surface: VMBus, synthetic devices, RemoteFX
- VMware: SVGA, HGFS, backdoor interface
- VirtualBox: 3D acceleration, shared folders, guest additions
- QEMU/KVM: virtio devices, SPICE, USB passthrough
1. V8 type confusion → renderer RCE (Untrusted integrity)
2. Mojo IPC bug → sandbox escape to browser process (Medium)
3. BYOVD or kernel bug → SYSTEM
1. VBA macro execution (Medium integrity)
2. AMSI bypass + download Stage 1
3. Credential harvesting or Kerberoast
4. Lateral movement → Domain Controller
5. DCSync → Domain Admin
1. HTML smuggling → ISO → DLL sideload (Medium)
2. UAC bypass → High integrity
3. Load vulnerable driver (BYOVD)
4. Kernel R/W primitive → disable PPL, steal SYSTEM token
// Chromium uses multi-process architecture:
// - Browser process: full privileges, manages tabs
// - Renderer process: sandboxed (AppContainer on Windows)
// - GPU process: limited sandbox
// - Network process: limited sandbox
//
// Sandbox restrictions (renderer):
// - No filesystem access (except via IPC to browser)
// - No network access (except via IPC)
// - No process creation
// - Limited Windows API access
// - AppContainer integrity level (below Low)
// Escape path: Renderer RCE → IPC bug → Browser process
// IPC mechanism: Mojo (Chromium's IPC framework)
// Attack surface: every Mojo interface exposed to renderer
// Mojo interfaces define the renderer→browser attack surface
// Each interface = potential sandbox escape if mishandled
// Common vulnerability patterns:
// 1. Type confusion in Mojo message deserialization
// 2. UAF when interface pointer outlives backing object
// 3. Race condition between validation and use
// 4. Missing origin checks (renderer claims wrong origin)
// Exploitation:
// 1. Achieve renderer RCE (V8 type confusion, JIT bug)
// 2. Enumerate available Mojo interfaces
// 3. Fuzz or audit interface implementations in browser process
// 4. Trigger bug → code execution in browser process (Medium integrity)
// 5. From browser process: full system access or further escalation
// Historical examples:
// CVE-2019-5786: FileReader UAF → renderer RCE → Mojo escape
// CVE-2021-21224: V8 type confusion → Mojo IPC → sandbox escape
// CVE-2022-0609: Animation UAF → full chain
// AppContainer escape vectors:
// 1. Kernel vulnerability (win32k, ntoskrnl)
// - AppContainer can still make syscalls
// - win32k attack surface reduced but not eliminated
// - Kernel bug → SYSTEM (bypasses all userland sandboxes)
// 2. Named object abuse
// - Some named objects accessible from AppContainer
// - If higher-privilege process opens object with weak DACL
// - AppContainer can interact with it
// 3. ALPC/RPC to privileged services
// - Some RPC endpoints accessible from AppContainer
// - Vulnerability in RPC handler → escape
// - Example: Print Spooler accessible from some sandboxes
// 4. Token manipulation
// - If sandbox has SeImpersonatePrivilege (rare)
// - Potato-style attacks work from sandbox
// - Usually sandboxes strip this privilege
// 5. Shared memory / mapped sections
// - If shared section has weak permissions
// - Corrupt data used by higher-privilege process
// - Example: shared font cache corruption → win32k exploit
// PPL levels (highest to lowest):
// - PPL-Windows: OS critical processes
// - PPL-WinTcb: Windows Trusted Computer Base
// - PPL-Antimalware: AV/EDR processes (MsMpEng.exe, CrowdStrike)
// - PPL-Lsa: LSASS (when RunAsPPL enabled)
// - PP-Authenticode: signed processes
//
// PPL prevents:
// - OpenProcess with PROCESS_VM_READ/WRITE
// - Debugging (DebugActiveProcess)
// - Thread injection (CreateRemoteThread)
// - Memory reading (ReadProcessMemory)
// - DLL injection
//
// Even SYSTEM cannot open PPL process with full access
// 1. BYOVD → kernel R/W → modify EPROCESS.Protection field
// Set Protection.Level = 0 → process is no longer protected
// Then: normal OpenProcess/ReadProcessMemory works
BYTE protection_offset = 0x87A; // Offset varies by Windows version
WriteKernelMemory(eprocess + protection_offset, 0, 1); // Clear protection
// 2. PPLdump (abuse PPL-signed DLL)
// Load DLL signed with PPL-compatible certificate
// DLL runs inside PPL process → can read its memory
// Dump LSASS from within PPL context
// 3. PPLKiller (vulnerable driver)
// Use signed driver with R/W primitive
// Modify EPROCESS.SignatureLevel and Protection
// Process becomes unprotected → dump normally
// 4. Mimikatz driver (mimidrv.sys)
// Mimikatz's own signed driver
// Removes PPL protection from LSASS
// Then: sekurlsa::logonpasswords works
// 5. Userland exploit in PPL process
// If PPL process has vulnerability (e.g., DLL hijack)
// Exploit it → code execution within PPL context
// From inside: full access to PPL memory
// COM objects can be activated cross-process and cross-integrity
// If COM server runs at higher integrity → potential escalation
// Attack: find COM object that:
// 1. Runs as SYSTEM or high integrity
// 2. Exposes dangerous methods (file write, command exec)
// 3. Accessible from medium/low integrity
// Discovery:
// OleViewDotNet — enumerate COM objects, check permissions
// Look for: LaunchPermission allows Everyone/Users
// Check: methods that take file paths or command strings
// Historical: CMSTPLUA, ICMLuaUtil (UAC bypass via COM)
// These COM objects auto-elevate and expose ShellExec methods
// Windows RPC: thousands of interfaces, many accessible remotely
// Each interface = potential attack surface
// Enumeration:
// rpcdump.py — list RPC interfaces on target
// RpcView — GUI tool for local RPC interface analysis
// NtObjectManager — PowerShell module for RPC analysis
// Attack methodology:
// 1. Enumerate interfaces (rpcdump, ifids)
// 2. Identify interesting interfaces (file ops, process creation)
// 3. Check access permissions (who can call?)
// 4. Fuzz interface methods
// 5. Exploit: type confusion, buffer overflow, logic bugs
// PetitPotam (MS-EFSRPC): RPC interface that coerces NTLM auth
// PrinterBug (MS-RPRN): RPC interface that coerces NTLM auth
// Both: accessible remotely with domain user credentials
# Auto-elevating binaries (Microsoft-signed, manifest has autoElevate=true):
# fodhelper.exe, computerdefaults.exe, sdclt.exe, slui.exe
# eventvwr.exe, cmstp.exe, wsreset.exe, changepk.exe
# Technique: registry key hijacking
# These binaries read HKCU registry before executing
# Attacker writes command to HKCU → binary auto-elevates → executes attacker command
# Example: fodhelper.exe
# Reads: HKCU\Software\Classes\ms-settings\Shell\Open\command
# Write payload there → run fodhelper → payload runs elevated
# Environment variable abuse:
# Some auto-elevate binaries use %SYSTEMROOT% or %WINDIR%
# If attacker can control env var → DLL hijack in fake system directory
// Low integrity → Medium integrity is a security boundary
// Escape vectors:
// 1. Exploit vulnerability in medium-integrity process
// 2. Abuse shared resources (clipboard, drag-drop)
// 3. Exploit broker process (if application uses broker pattern)
// 4. Kernel vulnerability (bypasses all integrity levels)
// 5. Time-of-check-time-of-use on shared files