Threat Feed
high advisory

Execution of SymbolicLink-Testing-Tools Utility for Privilege Escalation

This advisory covers the detected execution of utilities from the `symboliclink-testing-tools` toolkit, which attackers can use to exploit Windows symbolic link vulnerabilities and escalate locally from a standard user to SYSTEM.

The symboliclink-testing-tools toolkit, publicly available on GitHub, is used to exploit Windows symbolic link vulnerabilities. It lets an attacker manipulate NTFS junctions, object manager symbolic links, and opportunistic locks (oplocks) to redirect file operations performed by privileged processes. Successful exploitation yields local privilege escalation, allowing a standard user to gain SYSTEM privileges. These tools are post-exploitation utilities: they are typically run only after the attacker has already gained initial access to the system. The threat matters because SYSTEM privileges allow the attacker to perform arbitrary actions, leading to complete system compromise, data theft, or malware installation.

Attack Chain

  1. Attacker gains initial access to the target Windows system, typically through phishing or exploiting a remote vulnerability.
  2. The attacker downloads or transfers the symboliclink-testing-tools toolkit to the compromised system.
  3. The attacker uses CreateNtfsSymlink.exe to create a symbolic link pointing to a sensitive system file or directory.
  4. The attacker utilizes SetOpLock.exe to set an opportunistic lock (oplock) on the target file, triggering a callback to the attacker-controlled process when the file is accessed.
  5. A SYSTEM-level process attempts to access the original target file.
  6. The oplock triggers, allowing the attacker to intercept the file operation.
  7. The attacker redirects the privileged file operation to an arbitrary path, potentially overwriting or deleting critical system files.
  8. The attacker escalates privileges to SYSTEM due to the redirected privileged file operation, allowing arbitrary code execution.

Impact

Successful exploitation of symbolic link vulnerabilities leads to local privilege escalation, granting attackers SYSTEM-level access. This can result in unauthorized access to sensitive data, installation of malware, and complete compromise of the affected system. The impact is high, especially in environments where least privilege principles are not strictly enforced. The compromise of even a single endpoint can provide an attacker with a foothold to move laterally within the network, impacting all connected systems.

Recommendation

  • Deploy the Sigma rule SymbolicLinkTestingToolsExecution to detect the execution of specific tools from the symboliclink-testing-tools toolkit and tune for your environment.
  • Monitor process creation events (Sysmon Event ID 1 or Windows Security event 4688) for the process names listed in the rule.
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the parent process and the user context of the executed tool.
  • Implement application control solutions to restrict the execution of unauthorized or unknown executables on endpoints to prevent the execution of the symboliclink-testing-tools utilities.
  • Review and enforce least privilege principles to minimize the impact of successful privilege escalation attempts, even if these tools are executed.
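The recommendations above amount to one triage loop: match process-creation events against the toolkit's executable names, then surface the parent process and the user context for investigation. The following is an added example of that loop, not code from the advisory or the symboliclink-testing-tools project. It normalizes Sysmon Event ID 1 and Windows Security 4688 records onto one schema (using the standard field names of those events), matches only the two utility names the advisory mentions (the set is an assumption to be extended with whatever the platform rule covers), and records whether the launching account is SYSTEM, since the attack chain describes execution from a standard user. The sample records are constructed for the example.

```python
"""Added example: flag process-creation events for symboliclink-testing-tools
utilities and attach the parent/user context an analyst needs for triage."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Executable names taken from the advisory. Assumption: the platform rule may
# cover more toolkit binaries; add them here when tuning for your environment.
TOOLKIT_IMAGES = {"createntfssymlink.exe", "setoplock.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    source: str        # "sysmon_1" or "security_4688"
    image: str         # full path of the created process
    parent_image: str  # full path of the parent process
    user: str          # DOMAIN\user that launched the process
    command_line: str


def normalize(record: dict) -> ProcessEvent:
    """Map raw Sysmon Event ID 1 or Security 4688 fields onto one schema."""
    event_id = record.get("EventID")
    if event_id == 1:      # Sysmon process creation
        return ProcessEvent("sysmon_1", record["Image"], record["ParentImage"],
                            record["User"], record.get("CommandLine", ""))
    if event_id == 4688:   # Windows Security: a new process has been created
        user = f'{record["SubjectDomainName"]}\\{record["SubjectUserName"]}'
        return ProcessEvent("security_4688", record["NewProcessName"],
                            record["ParentProcessName"], user,
                            record.get("CommandLine", ""))
    raise ValueError(f"unsupported event id {event_id!r}")


def is_toolkit_image(path: str) -> bool:
    """Compare on the basename only: the tools can be dropped in any directory."""
    return PureWindowsPath(path).name.lower() in TOOLKIT_IMAGES


def detect(records: list) -> list:
    """Return one alert per toolkit execution, with triage context attached."""
    alerts = []
    for rec in records:
        ev = normalize(rec)
        if not is_toolkit_image(ev.image):
            continue
        alerts.append({
            "source": ev.source,
            "tool": PureWindowsPath(ev.image).name,
            "image": ev.image,
            "parent_image": ev.parent_image,
            "user": ev.user,
            # Execution under a non-SYSTEM account matches the escalation
            # scenario in the advisory; SYSTEM would already be the target.
            "user_is_system": ev.user.upper().endswith("\\SYSTEM"),
            "command_line": ev.command_line,
        })
    return alerts


# Constructed sample records (not real telemetry): two toolkit executions
# from different log sources and one benign process for contrast.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\alice\Downloads\CreateNtfsSymlink.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice",
     "CommandLine": "CreateNtfsSymlink.exe link target"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Temp\tools\SetOpLock.exe",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SubjectDomainName": "CORP", "SubjectUserName": "alice",
     "CommandLine": "SetOpLock.exe target"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'[{alert["source"]}] {alert["tool"]} by {alert["user"]} '
              f'(parent: {alert["parent_image"]})')
```

Running the block prints two alerts, each naming the tool, the launching account, and the parent process, which is exactly the context the investigation step above asks for. Matching on the basename rather than a full path is deliberate: the toolkit is dropped into arbitrary directories, so a path-based match would miss it.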

Detection coverage (2 rules)

SymbolicLinkTestingToolsExecution

high

Detects the execution of tools from the symboliclink-testing-tools toolkit, often used for exploiting Windows symbolic link vulnerabilities for local privilege escalation.

Format: Sigma | Tactics: privilege_escalation | Techniques: T1222 | Sources: process_creation, windows

Suspicious Parent Process of SymbolicLink-Testing-Tools

medium

Detects suspicious parent processes executing tools from the symboliclink-testing-tools toolkit.

Format: Sigma | Tactics: privilege_escalation | Techniques: T1222 | Sources: process_creation, windows
