Root Cause Analysis "CSRSS Windows Attack Surface"

16:20, Thu 16 Nov, Briefing Stage 1


Reversing, exploiting and explaining the root cause analysis of the "Windows Attack Service": the CSRSS process side-by-side loading technique ("WinSxS") used to achieve privilege escalation.

WinSxS is the Windows side-by-side folder, which stores multiple copies of system files and components.
The purpose of the WinSxS folder is to provide a centralized location for storing different versions of system files and components that are shared by multiple applications and processes. Although this approach helps ensure system stability and compatibility by allowing different applications to use the specific versions of files they require, its abuse can lead to elevation of privilege.

We will pick a sample from VirusTotal and reverse how it achieves elevation of a process to NT AUTHORITY\System by abusing the WinSxS technique.

It is worth mentioning that this is a full attack surface in Microsoft Windows, so it is possible that this technique will be abused again in the future.