I really enjoy reading white papers in the morning when I have time. I just finished up this brief one written earlier in the year about bypassing PPLs in Windows:
PROCESS_QUERY_LIMITED_INFORMATION is capable of successfully opening tokens and reading them, which can then allow visibility on what permissions are needed to access and hollow out a service. There is nothing new here, it seems, but it is still very interesting IMO. Elastic Security's implementation of a fix seems to be good, denying TOKEN_WRITE with certain trust labels.
#blueteam #windows #exploit #token #malware #services #processhollowing #vxunderground