The Windows Security Journey — Mandatory Integrity Control (MIC)

Shlomi Boutnaru, Ph.D.
Feb 1, 2024


In general, “Mandatory Integrity Control” (MIC) was added to Windows starting with Vista to bring a form of MAC (Mandatory Access Control) to running processes (https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control). It does so through a new attribute called the “Integrity Level” (IL). MIC is designed to control access to securable objects (https://medium.com/@boutnaru/windows-securable-objects-311a9d6c83ad) and works in conjunction with the DACL (https://medium.com/@boutnaru/the-windows-security-journey-dacl-discretionary-access-control-list-c74545e472ec). It is important to know that the MIC check is evaluated before the access check against the object’s DACL, and that MIC itself is implemented as ACEs (Access Control Entries) that use special SIDs (https://medium.com/@boutnaru/windows-security-sid-security-identifier-d5a27567d4e5).

Moreover, every security principal (https://medium.com/@boutnaru/windows-security-sid-security-identifier-d5a27567d4e5) and every securable object is marked with an integrity level, which determines its level of access or protection. Windows defines the following integrity levels: “untrusted” (S-1-16-0), “low” (S-1-16-4096), “medium” (S-1-16-8192), “high” (S-1-16-12288) and “system” (S-1-16-16384). By default, standard users are given an integrity level of “medium”, while elevated users get “high”. Objects that lack an integrity level are treated as “medium” (https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/integrity-levels).

Lastly, the integrity-level SIDs (shown above) are stored in the SACL (https://medium.com/@boutnaru/the-windows-security-journey-sacl-system-access-control-list-32488dcc80d7) of the securable object (https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control). The Windows security policy states that a process cannot interact with another process that has a higher integrity level (https://en.wikipedia.org/wiki/Mandatory_Integrity_Control); because of this, MIC is also used by different sandbox implementations (such as those in web browsers). By the way, the integrity level is stored in the access token (https://medium.com/@boutnaru/windows-security-access-token-81cd00000c64) of a process/thread, as shown in the screenshot below.
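To make the label semantics and the evaluation order concrete, here is an added Python model of the check (example code, not code from this post or from Windows): it uses the integrity-level SIDs listed above, a mandatory label ACE carrying the no-write-up / no-read-up / no-execute-up policy bits from winnt.h, and the rule that unlabeled objects count as medium. Using generic access rights in place of the real per-object-type generic mapping is an assumption of this simplified model.

```python
# Added example: a simplified model of the MIC check that Windows performs before the DACL check.
# Authority 16 marks an integrity-level SID and the RID is the level, so levels compare numerically.
from dataclasses import dataclass
from typing import Optional

INTEGRITY_NAMES = {0: "untrusted", 4096: "low", 8192: "medium", 12288: "high", 16384: "system"}
# Mandatory label ACE policy bits (SYSTEM_MANDATORY_LABEL_* in winnt.h)
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
# Generic access rights (winnt.h); a simplification of the real per-object-type generic mapping
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE = 0x80000000, 0x40000000, 0x20000000


def integrity_level_from_sid(sid: str) -> int:
    """Return the integrity RID of a mandatory-label SID such as 'S-1-16-8192'."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"] or not parts[3].isdigit():
        raise ValueError(f"not a mandatory label SID: {sid}")
    return int(parts[3])


def integrity_name(sid: str) -> str:
    """Level name for a mandatory-label SID; RIDs between the well-known values report as 'custom'."""
    return INTEGRITY_NAMES.get(integrity_level_from_sid(sid), "custom")


@dataclass
class MandatoryLabelAce:
    """The SYSTEM_MANDATORY_LABEL_ACE kept in an object's SACL."""
    sid: str      # e.g. "S-1-16-12288" (high)
    policy: int   # any combination of NO_WRITE_UP / NO_READ_UP / NO_EXECUTE_UP


def mic_check(subject_sid: str, requested: int, label: Optional[MandatoryLabelAce]) -> bool:
    """True if MIC lets the request go on to the DACL check, False if MIC denies it outright."""
    if label is None:  # objects without a label are treated as medium with no-write-up
        label = MandatoryLabelAce("S-1-16-8192", NO_WRITE_UP)
    subject = integrity_level_from_sid(subject_sid)
    if subject >= integrity_level_from_sid(label.sid):
        return True  # equal or higher integrity: MIC never blocks, the DACL decides
    # Lower-integrity subject: each policy bit blocks the matching class of access
    if label.policy & NO_WRITE_UP and requested & GENERIC_WRITE:
        return False
    if label.policy & NO_READ_UP and requested & GENERIC_READ:
        return False
    if label.policy & NO_EXECUTE_UP and requested & GENERIC_EXECUTE:
        return False
    return True
```

A result of `False` here corresponds to an access-denied result without the DACL ever being consulted; `True` only means the request proceeds to the normal DACL evaluation.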

See you in my next writeup ;-) You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on medium — https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.
