System administrators have discovered that the Just Enough Administration (JEA) technology that is used to run administrative commands in PowerShell can be abused by hackers to exploit victim machines.
Just Enough Administration Can Be a Gateway for Hackers and Exploits
The security expert Matt Weeks has uncovered a way for malicious users to exploit the PowerShell technology Just Enough Administration (JEA) to escalate a user confined to a designated JEA profile to full system administrator rights.
The feature is new to Windows 10 and Windows Server 2016 and grants specific privileges to designated users running PowerShell commands and scripts. Microsoft designed it as a security feature to avoid permanent use of the system administrator account, which limits the opportunity for attackers to abuse those rights.
This is very similar to the sudo command used by various UNIX-like operating systems like Linux.
A JEA helper profile attack has been identified that uses several different mechanisms. One of them abuses the “Add-Computer” cmdlet, which has been identified as a reliable way to break the JEA security barrier and escalate the privileges of the restricted user.
Microsoft has also published a repository of comprehensive JEA profiles on GitHub, whose modules offer varying levels of security capabilities.
The General Level 2 profile exposes cmdlets that let users immediately launch any command with full SYSTEM rights. This is a privilege escalation that bypasses the JEA security barrier and yields complete control of the system.
The second type, General Level 1, allows execution of the Get-WinEvent and Get-EventLog cmdlets. These let the user read all event logs on the system, which by itself is a critical vulnerability.
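The weakness described above comes down to which cmdlets a JEA role capability exposes and whether their parameters are constrained. The following audit script is an added example, not code from the article or from the researcher; the watch list of risky cmdlets is an assumption (Add-Computer comes from the article, the others are cmdlets that can run arbitrary commands) and the sample .psrc file is constructed for the demonstration.

```powershell
# Added example: audit a JEA role capability (.psrc) file and flag cmdlets that
# are exposed without parameter constraints. Watch list is an assumption; extend
# it for your environment.
$RiskyCmdlets = @('Add-Computer', 'Invoke-Expression', 'Start-Process', 'Invoke-Command')

function Test-JeaRoleCapability {
    param([Parameter(Mandatory)][string]$Path)

    # A .psrc file is a PowerShell data file (a hashtable literal), so it can be
    # parsed without executing any code.
    $rc = Import-PowerShellDataFile -Path $Path
    $findings = @()

    foreach ($entry in @($rc.VisibleCmdlets)) {
        # Entries are either plain strings ('Add-Computer') or hashtables that
        # constrain parameters (@{ Name = '...'; Parameters = @{ ... } }).
        if ($entry -is [hashtable]) {
            $name        = [string]$entry.Name
            $constrained = ($null -ne $entry.Parameters)
        } else {
            $name        = [string]$entry
            $constrained = $false
        }

        # A wildcard ('*' or 'Get-*') exposes every matching cmdlet, so it needs review.
        if ($name -match '\*') {
            $findings += "Wildcard exposure '$name' (review every matching cmdlet)"
            continue
        }
        if (($RiskyCmdlets -contains $name) -and (-not $constrained)) {
            $findings += "'$name' exposed with no parameter constraints"
        }
    }
    return $findings
}

# Constructed sample: a weak role capability that exposes Add-Computer unconstrained
# next to a properly constrained Restart-Service.
$weakPsrc = Join-Path $env:TEMP 'WeakRole.psrc'
@'
@{
    VisibleCmdlets = 'Add-Computer', 'Get-Process',
                     @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
}
'@ | Set-Content -Path $weakPsrc

Test-JeaRoleCapability -Path $weakPsrc
```

The same check can be pointed at every .psrc under a module's RoleCapabilities folder before the session configuration is registered, so a risky exposure is caught at review time rather than after deployment.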
A complete guide to the JEA issues and a demonstration of the attack are detailed on the researcher’s blog.