August 30, 2018
Got ourselves stuck in ALPC here – WST
News broke on Twitter at the start of this week that a currently unpatched privilege escalation bug was found in 64-bit versions of the Windows 10 and Windows Server 2016 operating systems.
The bug itself lies in the Advanced Local Procedure Call (ALPC) interface of the Task Scheduler and allows a malicious user to set a DACL (Discretionary Access Control List) on a file in the C:\Windows\Tasks path. Because a hard link placed in that folder can point at any file the user can read, the DACL write is applied to the link's target instead. In simple terms, this allows any user, regardless of permissions, to set local file permissions to anything they like, which most notably for an attacker includes files at a higher privilege level.
What can I do until the patch?
The best advice we can give is to keep an eye on your logs. The reason is that the proof-of-concept (PoC) code released on GitHub used the Print Spooler service. Thus, any activity tied to spoolsv.exe spawning processes you don't expect could be an indication that someone is using an unmodified version of the released code. Other services can be leveraged for the attack if the attacker edits the code, so keep in mind this is not a perfect way to detect the exploit, but one you should be mindful of.
It was also noted that upon exploitation a Security event with ID 4664 will be generated when the hard link is created in the Tasks folder.
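Added example (not code from the original post or from 10-D Security): a small Python detection pass over constructed log records that implements the two indicators above, a child process spawned by spoolsv.exe and a Security Event ID 4664 hard-link creation that lands in C:\Windows\Tasks. The record field names and the allowlist of normal spooler children are assumptions, modelled on Sysmon process-creation and Security log exports.

```python
"""Detection sketch for the two log indicators (added example). Field names are
assumptions modelled on Sysmon process-creation and Security 4664 exports; every
event below is a constructed sample, not captured telemetry."""
import ntpath

TASKS_DIR = r"c:\windows\tasks"
# Children spoolsv.exe may legitimately spawn; an assumption, tune to your environment.
EXPECTED_SPOOLER_CHILDREN = {"splwow64.exe", "printfilterpipelinesvc.exe"}

def is_under_tasks(path: str) -> bool:
    """True if the path resolves to a location inside C:\\Windows\\Tasks."""
    norm = ntpath.normpath(path).lower()  # collapses ..\ so traversal does not dodge the check
    return norm == TASKS_DIR or norm.startswith(TASKS_DIR + "\\")

def unexpected_spooler_child(event: dict) -> bool:
    """Sysmon-style process creation (EventID 1) whose parent is spoolsv.exe."""
    if event.get("EventID") != 1:
        return False
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent == "spoolsv.exe" and child not in EXPECTED_SPOOLER_CHILDREN

def tasks_hardlink(event: dict) -> bool:
    """Security EventID 4664 (hard link created) where the link lands in the Tasks folder."""
    return event.get("EventID") == 4664 and is_under_tasks(event.get("LinkName", ""))

def scan(events: list) -> list:
    """Return (rule, detail) tuples for every event that matches either rule."""
    alerts = []
    for ev in events:
        if unexpected_spooler_child(ev):
            alerts.append(("spoolsv-child", ev["Image"]))
        elif tasks_hardlink(ev):
            alerts.append(("tasks-hardlink", ev["LinkName"]))
    return alerts

SAMPLE_EVENTS = [  # constructed samples
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\spoolsv.exe", "Image": r"C:\Windows\System32\splwow64.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\spoolsv.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4664, "FileName": r"C:\Windows\System32\target.dll", "LinkName": r"C:\Windows\Tasks\UpdateTask.job"},
    {"EventID": 4664, "FileName": r"C:\Users\alice\a.txt", "LinkName": r"C:\Users\alice\b.txt"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The same two rules port directly to a SIEM query; the part worth keeping is the path normalisation, so that a link path written with `..\` or forward slashes still compares correctly against the Tasks folder.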
Pay special attention to any security bulletins from Microsoft, as they have acknowledged the exploit, so a fix is likely being worked on now. 10-D Security also wants to remind you that privilege escalation bugs are found frequently and pose serious risk to organizations. One way to limit the impact of such exploits is to practice good network segmentation. Segmentation creates barriers that hamper an attacker, so that even if they can elevate their privilege level on a user's system they will still have a difficult time using that access to compromise critical infrastructure.