November 16
17:00 — 18:00
Hunting for Privilege Escalation in Windows Environment
Main Track
Russian
After the initial penetration of a target corporate network, an attacker can find that the access obtained is limited to the rights of an unprivileged user account. Such rights are usually not enough to develop the attack further into the corporate network. For example, local administrator rights are required to use Mimikatz or a similar tool to dump credentials from the memory of the lsass process or from the SAM database, in the hope of obtaining the credentials of privileged users who have rights on many hosts in the corporate network. In such cases, local privilege escalation is required, and here attackers have many different options: from exploitation of configuration errors (such as abusing weak service or registry permissions) to exploitation of vulnerabilities in the kernel or in third-party drivers.

The speaker will demonstrate many known local privilege escalation vectors in Windows and show how these vectors can be detected using Windows security auditing, Sysmon and the ELK stack. The approaches demonstrated during the presentation are used in the work of a real Security Operations Center and are based on more than two years of the speaker's practical threat hunting experience.
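As an added example of the kind of hunting logic the abstract refers to (this is not the speaker's code or the material from the talk), the script below runs two rules over a handful of constructed, flattened Windows events of the shape a Sysmon-to-ELK pipeline produces: a Sysmon Event ID 13 (registry value set) where a service's ImagePath is rewritten by an account that is not SYSTEM or a built-in service account, which is what abuse of weak service or registry permissions looks like in the logs, and a Security Event ID 4697 (service installed) whose binary lives in a user-writable directory or uses an unquoted path containing spaces. The JSON field names, the list of user-writable directories and the sample events are assumptions made for this example and must be mapped to your own index schema.

```python
"""Hunting for service-based local privilege escalation in Sysmon / Security events.

Added example, not the speaker's code. Events are constructed below in a flattened
JSON form; the field names (event_id, user, image, target_object, details,
subject_user_name, service_file_name, ...) are assumptions and will differ per
Winlogbeat/ELK mapping.
"""
import re

# Sysmon renders the services hive path like this in TargetObject.
SERVICES_IMAGEPATH_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE
)
# Accounts expected to touch service configuration (installers, SCM itself).
PRIVILEGED_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}
# Directories an unprivileged user can normally write to (example list, an assumption).
USER_WRITABLE_RE = re.compile(
    r"^(C:\\Users\\|C:\\Temp\\|C:\\Windows\\Temp\\|C:\\ProgramData\\)", re.IGNORECASE
)


def _executable(path: str) -> str:
    """Return the executable part of a service command line ('"a b.exe" -x' -> 'a b.exe')."""
    path = path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return path[1:end] if end > 0 else path[1:]
    m = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    return m.group(1) if m else path


def hunt_imagepath_tamper(event: dict):
    """Sysmon EID 13: service ImagePath set by a non-privileged account.

    Legitimate changes come from installers or the SCM running as SYSTEM; a change
    made by an ordinary user points at weak ACLs on the service key or the service
    object. Severity is raised when the new binary sits in a user-writable path.
    """
    if event.get("event_id") != 13:
        return None
    m = SERVICES_IMAGEPATH_RE.match(event.get("target_object", ""))
    if not m:
        return None
    user = event.get("user", "")
    if user.upper() in PRIVILEGED_ACCOUNTS:
        return None
    new_path = _executable(event.get("details", ""))
    return {
        "rule": "service_imagepath_set_by_unprivileged_user",
        "severity": "high" if USER_WRITABLE_RE.match(new_path) else "medium",
        "service": m.group(1),
        "user": user,
        "evidence": f"{event.get('image')} wrote {new_path}",
    }


def hunt_service_install(event: dict):
    """Security EID 4697: new service from a user-writable dir, or with an unquoted path.

    The unquoted-path case is only a lead (exploitable only if a parent directory is
    writable), so it gets low severity; the user-writable binary gets high.
    """
    if event.get("event_id") != 4697:
        return None
    raw = event.get("service_file_name", "")
    exe = _executable(raw)
    base = {"service": event.get("service_name"), "user": event.get("subject_user_name"),
            "evidence": raw}
    if USER_WRITABLE_RE.match(exe):
        return {"rule": "service_installed_from_user_writable_dir", "severity": "high", **base}
    if not raw.strip().startswith('"') and " " in exe:
        return {"rule": "service_installed_with_unquoted_path", "severity": "low", **base}
    return None


def hunt(events):
    """Apply both rules to a list of events and return the findings in event order."""
    findings = []
    for ev in events:
        for rule in (hunt_imagepath_tamper, hunt_service_install):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 13, "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "target_object": "HKLM\\System\\CurrentControlSet\\Services\\VendorSvc\\ImagePath",
     "details": "\"C:\\Program Files\\Vendor\\svc.exe\""},           # benign installer
    {"event_id": 13, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\reg.exe",
     "target_object": "HKLM\\System\\CurrentControlSet\\Services\\WeakSvc\\ImagePath",
     "details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\payload.exe"},  # weak key ACL abuse
    {"event_id": 4697, "subject_user_name": "CORP\\admin", "service_name": "Backup Agent",
     "service_file_name": "C:\\Program Files\\Backup Agent\\agent.exe"},  # unquoted path
    {"event_id": 4697, "subject_user_name": "CORP\\jdoe", "service_name": "UpdaterSvc",
     "service_file_name": "C:\\Users\\Public\\upd.exe"},                # user-writable binary
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['service']} by {f['user']} ({f['evidence']})")
```

Two prerequisites apply before either rule produces anything: Sysmon only records Event ID 13 for keys covered by a RegistryEvent rule in its configuration, so the Services key must be included, and Security Event ID 4697 is only written when the "Security System Extension" audit subcategory is enabled (the System log's 7045 from the Service Control Manager is the always-on alternative). In practice the ImagePath rule also needs an allowlist of deployment and administrator accounts, otherwise routine software rollouts show up as medium-severity leads.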