ACL / Security Descriptor Manipulation

Modifying ACLs or security descriptors on kernel objects to escalate access.

Description

With an arbitrary kernel write primitive, an attacker can modify the DACL in the security descriptor of a privileged process or service object to grant themselves full access, or alter the security descriptor (for example its mandatory integrity label) so that integrity checks no longer apply.

Techniques

  • Overwrite DACL to add GENERIC_ALL ACE for attacker's SID
  • NULL-out DACL pointer (grants everyone full access)
  • Modify mandatory integrity label to bypass integrity checks
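The three tampering patterns above leave a recognisable shape in the object's self-relative security descriptor, so an analyst carving an object header out of a memory image can audit it offline. The following is an added detection example written for this page; it is not AutoPiff's code and not from any project described here. It assumes the `SECURITY_DESCRIPTOR_RELATIVE`, `ACL`, `ACE` and `SID` layouts and the constant values from the Windows SDK's winnt.h, treats a missing label as Medium integrity (Windows' default), and uses a small, hypothetical list of "broad" well-known SIDs as the trigger for the full-access check. The sample descriptors are constructed inline.

```python
"""Audit a self-relative Windows SECURITY_DESCRIPTOR (e.g. carved from a
memory image) for three tampering patterns: a NULL DACL, a full-access ACE
granted to a broad well-known SID, and a lowered integrity label.
Constructed samples are built at the bottom; no Windows APIs are needed."""
import struct

# Control flags, ACE types and masks as defined in winnt.h (assumed values).
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01
SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11
GENERIC_ALL, PROCESS_ALL_ACCESS = 0x10000000, 0x1FFFFF
LOW_RID, MEDIUM_RID, HIGH_RID = 0x1000, 0x2000, 0x3000  # SECURITY_MANDATORY_*_RID
EVERYONE_SID, SYSTEM_SID, ADMINS_SID = "S-1-1-0", "S-1-5-18", "S-1-5-32-544"
# Hypothetical audit policy: full access to any of these SIDs is suspicious.
BROAD_SIDS = {EVERYONE_SID, "S-1-5-11", "S-1-5-32-545", "S-1-5-7"}


def parse_sid(buf, off):
    """Decode a binary SID at `off` into its S-R-I-S... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def parse_acl(buf, off):
    """Return [(ace_type, mask, sid)] for the ACL at `off`. Only the plain
    mask+SID ACE layout is decoded; other ACE types are skipped by AceSize."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE,
                        SYSTEM_MANDATORY_LABEL_ACE_TYPE):
            mask = struct.unpack_from("<I", buf, pos + 4)[0]
            aces.append((ace_type, mask, parse_sid(buf, pos + 8)))
        pos += ace_size
    return aces


def audit_security_descriptor(buf, expected_label_rid=MEDIUM_RID):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    findings = []
    _rev, _sbz1, control, _own, _grp, off_sacl, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("expected a self-relative security descriptor")
    # 1. NULL DACL: present flag set but no ACL body -> everyone gets full access.
    if control & SE_DACL_PRESENT and off_dacl == 0:
        findings.append("NULL DACL (everyone has full access)")
    elif control & SE_DACL_PRESENT:
        # 2. Allow ACE handing GENERIC_ALL / PROCESS_ALL_ACCESS to a broad SID.
        for ace_type, mask, sid in parse_acl(buf, off_dacl):
            if (ace_type == ACCESS_ALLOWED_ACE_TYPE and sid in BROAD_SIDS
                    and (mask & GENERIC_ALL or mask == PROCESS_ALL_ACCESS)):
                findings.append("full-access ACE for %s (mask 0x%X)" % (sid, mask))
    # 3. Mandatory label in the SACL lowered (or stripped; absent == Medium).
    label_rid = MEDIUM_RID
    if control & SE_SACL_PRESENT and off_sacl:
        for ace_type, _mask, sid in parse_acl(buf, off_sacl):
            if ace_type == SYSTEM_MANDATORY_LABEL_ACE_TYPE and sid.startswith("S-1-16-"):
                label_rid = int(sid.rsplit("-", 1)[1])
    if label_rid < expected_label_rid:
        findings.append("integrity label 0x%X below expected 0x%X" % (label_rid, expected_label_rid))
    return findings


# --- builders used only to construct sample descriptors for the demo ---
def _sid(text):
    rev, auth, *subs = [int(p) for p in text.split("-")[1:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def _ace(ace_type, mask, sid):
    body = struct.pack("<I", mask) + _sid(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def _acl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def build_sd(dacl, sacl):
    """Self-relative SD with the DACL-present flag always set (owner/group omitted
    for brevity); dacl=None therefore yields a NULL DACL."""
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT | (SE_SACL_PRESENT if sacl else 0)
    body, off_sacl, off_dacl = b"", 0, 0
    if sacl:
        off_sacl, body = 20 + len(body), body + sacl
    if dacl:
        off_dacl, body = 20 + len(body), body + dacl
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, off_sacl, off_dacl) + body


def sample_descriptors():
    """Constructed samples: a healthy privileged-process SD plus the three tampered variants."""
    good_dacl = _acl([_ace(ACCESS_ALLOWED_ACE_TYPE, PROCESS_ALL_ACCESS, SYSTEM_SID),
                      _ace(ACCESS_ALLOWED_ACE_TYPE, PROCESS_ALL_ACCESS, ADMINS_SID)])
    label = lambda rid: _acl([_ace(SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0x1, "S-1-16-%d" % rid)])
    return {
        "healthy": build_sd(good_dacl, label(HIGH_RID)),
        "everyone_generic_all": build_sd(_acl([_ace(ACCESS_ALLOWED_ACE_TYPE, GENERIC_ALL, EVERYONE_SID)]), label(HIGH_RID)),
        "null_dacl": build_sd(None, label(HIGH_RID)),
        "label_lowered": build_sd(good_dacl, label(LOW_RID)),
    }


if __name__ == "__main__":
    for name, sd in sample_descriptors().items():
        print(name, "->", audit_security_descriptor(sd, expected_label_rid=HIGH_RID) or ["clean"])
```

Running the block prints one line per sample, with the healthy descriptor reported clean and each tampered one reported with the matching finding. The expected label level is a parameter because what counts as "lowered" depends on the object: a SYSTEM service should carry a System label, a user's shell only Medium.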

AutoPiff Detection

  • privilege_check_added
  • handle_force_access_check_added