Permission Check Via Accesschk.EXE
Attackers are abusing the legitimate Sysinternals `Accesschk.exe` utility to perform permission discovery on Windows systems, a common step in privilege escalation attacks, allowing them to identify misconfigurations for gaining higher privileges.
Adversaries are leveraging the legitimate Microsoft Sysinternals utility Accesschk.exe to perform reconnaissance and permission checking on compromised Windows systems. This tool, originally designed for system administrators to audit permissions, is a favored binary for threat actors due to its native capabilities and often being pre-trusted by security solutions. Its abuse enables attackers to quickly identify misconfigurations, weak permissions, or unquoted service paths on files, directories, registry keys, services, and processes. This information is crucial for planning subsequent privilege escalation techniques, allowing an attacker to move from a low-privileged foothold to administrative or system-level access, thereby advancing their objectives such as persistence, lateral movement, or data exfiltration.
Attack Chain
- Initial Compromise: An attacker gains initial access to a target Windows system, typically through methods like phishing, exploiting a vulnerable service, or compromising credentials.
- Tool Staging: The
Accesschk.exeutility (or its 64-bit variants likeaccesschk64.exe) is transferred to the compromised system, often via existing C2 channels, PowerShell, or embedded within a larger malicious payload. - Permission Discovery: The attacker executes
Accesschk.exefrom a command prompt or script using specific flags such asuwcqv(users with write access to services),kwsu(kernel objects, services, users), oruwdqs(users with write access to directories/shares) to enumerate detailed permissions across various system objects. - Output Analysis: The command output is parsed by the attacker to identify specific misconfigurations or weak access control lists (ACLs) that could be exploited. This might include writable service binaries, DLL hijack paths, or modifiable registry keys.
- Identify Escalation Paths: Based on the gathered permission data, the attacker pinpoints viable privilege escalation vectors, such as services configured to run with SYSTEM privileges but having a writable binary path, or registry keys that control critical system functions and are modifiable by low-privileged users.
- Exploitation Planning: The attacker formulates a strategy to exploit the identified weaknesses, which could involve replacing legitimate binaries with malicious ones, modifying service parameters, or injecting code into processes to achieve higher privileges.
- Privilege Escalation: The attacker executes their chosen method to elevate privileges, often resulting in gaining administrator or SYSTEM-level access on the compromised host.
- Post-Escalation Actions: With elevated privileges, the attacker can proceed with further malicious activities, including deploying additional malware, establishing persistence, moving laterally within the network, or exfiltrating sensitive data.
Impact
Successful abuse of Accesschk.exe as part of a privilege escalation chain can lead to full system compromise, allowing attackers to gain complete control over the affected Windows machine. This enables them to bypass security controls, install rootkits, steal credentials, deploy ransomware, or exfiltrate critical intellectual property and sensitive data. While Accesschk.exe itself doesn't cause direct damage, its role in uncovering vulnerabilities can directly lead to significant security breaches, financial loss, reputational damage, and operational disruption for affected organizations across all sectors.
Recommendation
- Deploy the Sigma rule
Permission Check Via Accesschk.EXEto your SIEM and tune for your environment to detect suspicious usage of this utility. - Ensure Sysmon process creation logging is enabled for all Windows endpoints to capture
ImageandCommandLinedetails necessary for the rulePermission Check Via Accesschk.EXE. - Regularly audit permissions on critical system resources and services to identify and remediate misconfigurations that
Accesschk.execould reveal to an attacker.
Detection coverage 1
Permission Check Via Accesschk.EXE
mediumDetects the usage of the 'Accesschk' utility to verify process privileges and system permissions, often abused by attackers for privilege escalation.
Detection queries are available on the platform. Get full rules →