Understanding Privilege Escalation and 5 Common Attack Techniques
Privilege escalation is a type of network attack used to obtain unauthorized access to systems within the security perimeter, or sensitive systems, of an organization. In this article, we’ll provide insight into the concept of privilege escalation, and illustrate the difference between horizontal and vertical privilege escalation.
We’ll also discuss windows privilege escalation techniques, such as access token manipulation and bypass user account control, and see how to mitigate them. Read on to find out about Linux privilege escalation and to see what enumeration is.
Privilege escalation is a common way for attackers to gain unauthorized access to systems within a security perimeter.
Attackers start by finding weak points in an organization’s defenses and gaining access to a system. In many cases that first point of penetration will not grant attackers with the level of access or data they need. They will then attempt privilege escalation to gain more permissions or obtain access to additional, more sensitive systems.
In some cases, attackers attempting privilege escalation find the “doors are wide open” – inadequate security controls, or failure to follow the principle of least privilege, with users having more privileges than they actually need. In other cases, attackers exploit software vulnerabilities, or use specific techniques to overcome an operating system’s permissions mechanism.
Horizontal vs. Vertical Privilege Escalation
There are two types of privilege escalation:
Horizontal privilege escalation—an attacker expands their privileges by taking over another account and misusing the legitimate privileges granted to the other user. To learn more about horizontal privilege escalation see our guide on lateral movement.
Vertical privilege escalation—an attacker attempts to gain more permissions or access with an existing account they have compromised. For example, an attacker takes over a regular user account on a network and attempts to gain administrative permissions. This requires more sophistication and may take the shape of an Advanced Persistent Threat.
Windows Privilege Escalation Techniques and How to Mitigate Them
There are many privilege escalation methods in Windows operating systems. Here is a brief review of three common methods and how you can prevent them.
Access Token Manipulation
Attack description Windows uses access tokens to determine the owners of running processes. When a process tries to perform a task that requires privileges, the system checks who owns the process and to see if they have sufficient permissions. Access token manipulation involves fooling the system into believing that the running process belongs to someone other than the user who started the process, granting the process the permissions of the other user.
Techniques There are three ways to achieve access token manipulation:
Duplicating an access token using the Windows DuplicateToken(Ex) and then using ImpersonateLoggedOnUserfunction or SetThreadToken function to assign the impersonated token to a thread.
Creating a new process with an impersonated token using the DuplicateToken(Ex) function together with the CreateProcessWithTokenW function.
Leveraging username and password to create a token using the LogonUser function. The attacker possesses a username and password, and without logging on, they create a logon session, obtain the new token and ue SetThreadToken to assign it to a thread. In this method, an adversary has a username and password, but the user is not logged
Mitigation There is no way to disable access tokens in Windows. However, to perform this technique an attacker must already have administrative-level access. The best way to prevent the attack is to assign administrative rights in line with the least-privilege principle, regularly review administrative accounts and revoke them if access is no longer needed. Also, monitor privileged accounts for any sign of anomalous behavior.
Attack description The Windows user account control (UAC) mechanism creates a distinction between regular users and administrators. It limits all applications to standard user permissions unless specifically authorized by an administrator, to prevent malware from compromising the operating system. However, if UAC protection is not at the highest level, some Windows programs can escalate privileges, or execute COM objects with administrative privileges.
Mitigation Review IT systems and ensure UAC protection is set to the highest level, or if this is not possible, apply other security measures. Regularly review which accounts are a local administrator group on sensitive systems and remove regular users who should not have administrative rights.
Attack description Attackers can perform “DLL preloading”. This involves planting a malicious DLL with the same name as a legitimate DLL, in a location which is searched by the system before the legitimate DLL. Often this will be the current working directory, or in some cases attackers may remotely set the working directory to an external file volume. The system finds the DLL in the working folder, thinking it is the legitimate DLL, and executes it.
Techniques There are several other ways to achieve DLL search order hijacking:
Replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction
Performing search order DLL hijacking on a vulnerable program that has a higher privilege level, causing the attacker’s DLL to run at the same privilege level. This can be used to elevate privileges from user to administrator, or from administrator to SYSTEM.
Covering the attack by loading the legitimate DLLS together with the malicious DLLs, so that systems appear to run as usual.
Mitigation Here are several ways to prevent a DLL search order hijack:
Disallow loading of remote DLLs
Enable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions
Use auditing tools such as PowerSploit to detect DLL search order hijacking vulnerabilities and correct them
Identify and block software executed through search order hijacking, using whitelisting tools like AppLocker.
In Linux systems, attackers use a process called “enumeration” to identify weaknesses that may allow privilege escalation. Enumeration involves:
Using Google searches, port scanning and direct interaction with a system to learn more about it and see how it responds to inputs.
Seeing if compilers, or high-level programming languages like Perl or Python, are available, which can allow an attacker to run exploit code.
Identifying software components, such as web servers and their versions.
Retrieving data from key system directories such as /etc, /proc, ipconfig, lsof, netstat and uname.
Attackers use automated tools to perform enumeration on Linux systems. You should also use the same tools to pre-empt an attack, by scanning your own system, identifying weaknesses, and addressing them.
Below are two specific techniques for escalating privilege on Linux and how to mitigate them.
Attack description From time to time, vulnerabilities are discovered in the Linux kernel. Attackers can exploit these vulnerabilities to gain root access to a Linux system, and once the system is infected with the exploit, there is no way to defend against it.
Attackers go through the following steps:
Learn about the vulnerabilities
Develop or acquire exploit code
Transfer the exploit onto the target
Execute the exploit on the target
Mitigation Follow security reports and promptly install Linux updates and patches. Restrict or remove programs that enable file transfers, such as FTP, SCP, or curl, or restrict them to specific users or IPs. This can prevent transfer of an exploit onto a target device. Remove or restrict access to compilers, such as GCC, to prevent exploits from executing. You should also limit which folders are writable or executable.
Attack description SUDO is a Linux program that lets users run programs with the security privileges of another user. Older versions would run as the superuser (SU) by default. Attackers can try to compromise a user who has SUDO access to a system, and if successful, they gain root privileges.
A common scenario is administrators granting access to some users to perform supposedly harmless SUDO commands, such as ‘find’. However, the ‘find’ command container parameters that enable command execution, and so if attackers compromise that user’s account, they can execute commands with root privileges.
Mitigation Never give SUDO rights to the programming language compiler, interpreter or editors, including vi, more, less, nmap, perl, ruby, python, gdb. Do not give sudo rights to any program that enables running a shell. And severely limit SUDO access using the least-privilege principle.
In this article, we were only able to cover a few common privilege escalation attacks. For more attacks and additional details on how to mitigate and detect each attack, refer to MITRE ATT&CK privilege escalation tactics.
Protecting Against Privilege Escalation with Cynet
Cynet 360 is a holistic security solution that can help with three important aspects of privilege escalation – network security, endpoint security, and behavioral analytics.
1. Network Analytics Network analytics is essential to detect and prevent initial penetration and privilege escalation on your network.
The challenge—sophisticated attackers target an organization’s weak points. Following an initial endpoint compromise, the attacker looks to expand their reach and gain privileges and access to other resources in your environment. Their ultimate aim is to access your sensitive data and to transfer it to their premises. Key parts of these attack vectors can only be discovered via generated anomalous network traffic.
The solution—Cynet Network Analytics continuously monitors network traffic to trace and prevent malicious activity that is otherwise invisible, such as credential theft and data exfiltration.
2. Endpoint Protection and EDR Unauthorized access to endpoints is a common entry point in a privilege escalation attack.
The challenge—attackers with strong motivation will eventually bypass the prevention measures on the endpoint. They will use several tools to work undetected until they achieve their desired outcome.
The solution—Cynet EDR continuously monitors the endpoints, so defenders can detect the active malicious presence, immediately understand its impact and scope, and respond.
3. User and Event Behavioral Analytics Behavioral analytics can help you detect anomalous activity on organizational systems or user accounts, which may indicate intrusion attempts or privilege escalation. It is also especially important to detect privilege escalation conducted by malicious insiders.
The challenge—attackers with clear objectives in mind, or those with insider privileges, might bypass detection, succeed in compromising user accounts and use them for data access and lateral movement.
The solution—Cynet User Behavior Analysis monitors and profiles user activity continuously, to establish a legitimate behavioral baseline and detect anomalous activity that suggests compromise of user accounts or privilege escalation.