ALPC local privilege elevation

Executive summary

Microsoft has released security updates to address a vulnerability in Windows that can be used by a non-admin user to elevate privileges and obtain system-level access. The vulnerability (CVE-2018-8440) can be exploited by using advanced local procedure call (ALPC) to set arbitrary discretionary access control lists (DACLs) in the operating system, which can then allow non-admin users access to protected directories and areas of the operating system.

Microsoft Defender ATP researchers have analyzed proof-of-concept (PoC) code that uses the Task Scheduler ALPC interface, the Print Spooler, and Notepad to launch processes with system-level privileges. The PoC makes use of the Task Scheduler API SchRpcSetSecurity, which doesn’t properly check for permissions and can therefore be used to set an arbitrary DACL. Before writing the DACL, the PoC creates a hard link to a readable file, resulting in an arbitrary DACL write. The PoC itself was written to overwrite a printer-related DLL, which can then be used as an attack vector.

There have been reports of the PoC being used in actual attacks. Using antivirus definitions released a few hours after the exploit PoC was published, Microsoft telemetry indicates no actual attacks. This is likely because attacks that use the exploit code require active implants on targeted machines.

Exploitation of this vulnerability requires local code execution, so customers should follow standard guidance to prevent introducing malicious code through email, documents, and the web. The latest Office security baselines and Windows security baselines provide detailed guidance about securing Office macros, protecting against unsafe URLs with SmartScreen, and securing other possible vectors.

Enterprise environments with a robust SIEM can benefit from file system auditing via Windows event logs, which record changes to DACLs. Note that these logs can contain a large number of events.

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

  • To address this exploit, install the September 2018 Security Updates published September 11, 2018.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

Detections

Windows Defender Antivirus

Windows Defender Antivirus detects threat components as the following malware:

  • Trojan:Win32/Rpdactaele.A
  • Trojan:Win32/Rpdactaele.B
  • Trojan:Win32/Rpdactaele.C

Endpoint detection and response (EDR)

Alerts with the following titles in the Microsoft Defender Security Center portal can indicate threat activity on your network:

  • Anomalous file write to a secure directory by an unprivileged process

Advanced hunting

To locate possible exploitation activity, run the following query:

FileCreationEvents
| where EventTime > ago(7d)
and FileName =~ "printconfig.dll"
and InitiatingProcessIntegrityLevel != "System"
and InitiatingProcessIntegrityLevel != "High"
and FolderPath contains @":\Windows"

The provided query checks events from the past seven days. Change EventTime to focus on a different period.
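The file system auditing recommended above and the advanced hunting query just shown both come down to the same two questions: which accounts changed permissions on objects under \Windows, and which accounts wrote there. The following PowerShell script is an added example, not part of the Microsoft report; it turns on the Object Access > File System audit subcategory, adds a SACL entry to a directory, and then searches the Security log for event 4670 (permissions on an object were changed) and event 4663 (an attempt was made to access an object) from non-SYSTEM accounts over the same seven-day window as the hunting query. The audited directory ($TargetDir), the lookback period and the function names are assumptions chosen for illustration; printconfig.dll is the file named in the report.

```powershell
# Added example (not from the Microsoft report): audit DACL changes and writes under \Windows
# from the local Security log. Assumes an elevated session; $TargetDir is an illustrative default.
#Requires -RunAsAdministrator

$TargetDir = "$env:SystemRoot\System32"   # assumed directory to audit; adjust to your environment
$Days      = 7                            # same lookback window as the advanced hunting query
$WatchFile = 'printconfig.dll'            # DLL overwritten by the PoC described in the report

function Enable-FileSystemAudit {
    param([string]$Path)

    # Events 4663/4670 are only written when the File System subcategory is audited.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # SACL entry: log permission changes, ownership changes and writes by any principal.
    # On busy directories this is noisy, as the report notes; scope $Path accordingly.
    $acl     = Get-Acl -Path $Path -Audit
    $rights  = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership, WriteData, AppendData'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Find-DaclAndWriteEvents {
    param([int]$LookbackDays, [string]$FileOfInterest)

    # SYSTEM, LOCAL SERVICE and NETWORK SERVICE are excluded, mirroring the hunting
    # query's exclusion of System-integrity initiators.
    $systemSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'
    $filter = @{ LogName = 'Security'; Id = 4670, 4663; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable keyed by field name.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.ObjectName -notlike '*:\Windows\*') { continue }
        if ($systemSids -contains $d.SubjectUserSid) { continue }

        # For 4663 keep only write-type access: WriteData 0x2, AppendData 0x4, WRITE_DAC 0x40000.
        if ($e.Id -eq 4663) {
            $mask = [Convert]::ToInt32($d.AccessMask, 16)
            if (($mask -band 0x40006) -eq 0) { continue }
        }

        $flag   = ''
        if ($d.ObjectName -like "*\$FileOfInterest") { $flag = 'matches DLL named in report' }
        $detail = if ($e.Id -eq 4670) { "NewSd=$($d.NewSd)" } else { "AccessMask=$($d.AccessMask)" }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.ProcessName
            Object  = $d.ObjectName
            Flag    = $flag
            Detail  = $detail
        }
    }
}

Enable-FileSystemAudit -Path $TargetDir
Find-DaclAndWriteEvents -LookbackDays $Days -FileOfInterest $WatchFile | Format-Table -AutoSize
```

Event 4670 carries the old and new security descriptors in SDDL (OldSd/NewSd), so a DACL granting write access to a non-admin SID on a file under \Windows stands out directly in the NewSd column; event 4663 shows the process that performed the write, which is the local counterpart of the InitiatingProcess fields in the hunting query.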

References