Task Scheduler S4U Logon Elevation of Privilege
Moderate (2 users assessed)
High (2 users assessed)
Unknown
Unknown
Unknown
Description
The Windows Task Scheduler allows a split-token administrator to register a task which runs as a batch job from a limited-privilege context. This doesn't require the user's password, as the task will be run non-interactively and so doesn't need access to the password in order to access remote resources. Due to the way that batch logons work in the latest versions of Windows, for a split-token admin user this actually creates the fully privileged token to execute the task under.
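For defenders, tasks registered this way can be found by auditing task definitions for principals that use the S4U logon type. The following is an added example, not code from the original page; it assumes definitions in the Task Scheduler XML format, and the sample XML, account name and path are constructed.

```python
import xml.etree.ElementTree as ET

# XML namespace used by Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: a task whose principal logs on via S4U (no stored password).
SAMPLE_S4U = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>EXAMPLE\alice</UserId>
      <LogonType>S4U</LogonType>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Example\job.cmd</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: same task, but it runs only in the user's interactive session.
SAMPLE_INTERACTIVE = SAMPLE_S4U.replace("S4U", "InteractiveToken")


def find_s4u_principals(task_xml):
    """Return one finding per principal registered with LogonType S4U."""
    root = ET.fromstring(task_xml)
    # Collect what the task executes so a reviewer can triage the finding.
    commands = []
    for exe in root.iterfind("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", "", NS).strip()
        args = exe.findtext("t:Arguments", "", NS).strip()
        commands.append(" ".join(part for part in (cmd, args) if part))
    findings = []
    for principal in root.iterfind("t:Principals/t:Principal", NS):
        logon_type = principal.findtext("t:LogonType", "", NS).strip()
        if logon_type.upper() != "S4U":
            continue
        findings.append({
            "user": principal.findtext("t:UserId", "", NS).strip(),
            "logon_type": logon_type,
            "commands": commands,
        })
    return findings


if __name__ == "__main__":
    for name, xml_text in (("s4u", SAMPLE_S4U), ("interactive", SAMPLE_INTERACTIVE)):
        print(name, find_s4u_principals(xml_text))
```

Findings whose user is a member of the local Administrators group are the ones that match the description above and deserve review.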
Ratings
- Attacker Value: High
- Exploitability: Very High
Technical Analysis
This exploit does not appear to need admin credentials in order to trigger: https://www.rapid7.com/db/vulnerabilities/WINDOWS-HOTFIX-MS14-054, https://www.tenable.com/plugins/nessus/77574
Any privilege escalation using built-in Windows components is a valuable tool for attackers.
Ratings
- Attacker Value: Low
- Exploitability: Low
Technical Analysis
Details
This is possibly another ‘getsystem’ technique for UAC bypass.
The effort required to exploit this vulnerability is higher because it requires
a particular set of circumstances that are not universal.
From the report:
My 2c: You’re already an admin, it’s not letting you do anything you couldn’t already do, it’s just not giving you a heads up (UAC warning).