Privilege escalation is an attack in which an adversary who already has some foothold on a system obtains access rights beyond those the compromised account was granted, typically to reach systems or data inside a security perimeter.
Attackers start by finding weak points in an organization’s defenses and gaining access to a system. In many cases that first point of penetration will not grant attackers the level of access or data they need. They will then attempt privilege escalation to gain more permissions or to reach additional, more sensitive systems.
In some cases, attackers attempting privilege escalation find the “doors are wide open” – inadequate security controls, or failure to follow the principle of least privilege, with users having more privileges than they actually need. In other cases, attackers exploit software vulnerabilities, or use specific techniques to overcome an operating system’s permissions mechanism.
We’ll cover the five most common privilege escalation attack vectors, and show specific examples of privilege escalation techniques attackers use to compromise Windows and Linux systems.
There are two types of privilege escalation: horizontal, where the attacker takes over other accounts at the same privilege level (for example, another standard user’s account or a peer system), and vertical, where the attacker moves from a low-privileged account to an administrator, root or SYSTEM level of access.
For attackers, privilege escalation is a means to an end. It allows them to gain access to an environment, persist and deepen their access, and perform more severe malicious activity. For example, privilege escalation can transform a simple malware infection into a catastrophic data breach.
Privilege escalations allow attackers to open up new attack vectors on a target system. For example, it can involve:
When security teams suspect privilege escalation it is important to perform an in-depth investigation. Signs of privilege escalation include malware on sensitive systems, suspicious logins, and unusual network communications.
Any privilege escalation incident must be dealt with as a severe security incident and, depending on the organization’s compliance obligations, might have to be reported to authorities.
Privilege escalation attacks typically involve the exploitation of vulnerabilities such as software bugs, misconfigurations, and incorrect access controls.
Every account that interacts with a system has some privileges. Standard users typically have limited access to system databases, sensitive files, or other resources. In some cases, users have excessive access to sensitive resources, and may not even be aware of it, because they do not try to gain access beyond their entitlements. In other cases, attackers can manipulate weaknesses of the system to increase privileges.
By taking over a low-level user account and either abusing excessive privileges, or increasing privileges, a malicious attacker has an entry point to a sensitive system. Attackers might dwell in a system for some time, performing reconnaissance and waiting for an opportunity to deepen their access. Eventually, they will find a way to escalate privileges to a higher level than the account that was initially compromised.
Depending on their goal, attackers can continue horizontally to take control of additional accounts and systems at the same level, or escalate privileges vertically to gain admin and root control, until they have access to the entire environment.
Here are the most important attack vectors used by attackers to perform privilege escalation.
Single-factor authentication leaves the door wide open to attackers planning to perform privilege escalation. If attackers obtain a privileged user’s account name – even without the password – it is a matter of time before they obtain the password, whether by guessing, spraying, phishing or dumping it from a compromised host. Once they hold a working password, they act with that user’s legitimate access, so their lateral movement through the environment often goes undetected.
Even if the attacker is detected and the organization resets the password or reimages the affected system, the attacker may have a way to retain a persistent presence – for example, via a compromised mobile phone or rootkit malware on a device. This makes it important to thoroughly eradicate the threat and continuously monitor for anomalies.
Here are common ways attackers can gain access to credentials:
Attackers can perform privilege escalation by exploiting vulnerabilities in the design, implementation, or configuration of multiple systems – including communication protocols, communication transports, operating systems, browsers, web applications, cloud systems, and network infrastructure.
The level of risk depends on the nature of the vulnerability and on how critical the system in which it is discovered is. Only a small fraction of vulnerabilities allow vertical privilege escalation on their own. However, any vulnerability that can allow an attacker to change privileges should be treated with high severity, because it is frequently chained with a lower-severity initial-access flaw.
See the following sections for examples of vulnerabilities that can lead to privilege escalation on Windows and Linux.
Privilege escalation very commonly results from misconfiguration, such as failure to configure authentication for a sensitive system, mistakes in firewall configuration, or open ports.
Here are a few examples of security misconfigurations that can lead to privilege escalation:
Attackers can use many types of malware, including trojans, spyware, worms, and ransomware, to gain a hold on an environment and perform privilege escalation. Malware can be deployed by exploiting a vulnerability, by packaging it with legitimate applications, through malicious links or downloads combined with social engineering, or through weaknesses in the software supply chain.
Malware typically runs as an operating system process and inherits the permissions of the user account that executed it. If that account is already privileged, the malware has those privileges immediately; if not, the malware must itself perform privilege escalation. So there are two directions for exploitation:
Here are common examples of malware that can be used for privilege escalation:
Social engineering is used in almost all cyber attacks. It relies on manipulating people into violating security procedures and divulging sensitive or personal information. It is a very common technique used by attackers to gain unauthorized access and escalate privileges.
Social engineering is highly effective because it circumvents security controls by preying on human weaknesses and emotions. Attackers realize that it is much easier to trick or manipulate a privileged user than break into a well-defended security system.
Here are common types of social engineering attacks and how they are used for privilege escalation:
There are many privilege escalation methods in Windows operating systems. Here is a brief review of three common methods and how you can prevent them.
Windows attaches an access token to every process and thread. The token records the security context the code runs under: the user’s SID, group memberships, integrity level and the privileges (such as SeDebugPrivilege) the account holds. When a process tries to perform a task that requires privileges, the system checks the token, not the code, to decide whether the operation is allowed. Access token manipulation involves obtaining or building a token that belongs to a different, more privileged user and attaching it to the attacker’s process or thread, so that the process is granted that user’s permissions.
There are three ways to achieve access token manipulation:
In this method, an adversary has a username and password, but the user is not logged
There is no way to disable access tokens in Windows; they are the basis of its access control. However, to perform this technique an attacker must already hold a powerful security context, typically local administrator rights or a service account holding SeDebugPrivilege or SeImpersonatePrivilege, because stealing or duplicating another user’s token requires opening that user’s processes or impersonating its logon. The best way to prevent the attack is to assign administrative rights in line with the least-privilege principle, regularly review administrative and service accounts and revoke rights that are no longer needed. Also, monitor privileged accounts for any sign of anomalous behavior, such as logons with alternate credentials or privileges being assigned to accounts that do not normally hold them.
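The monitoring advice above can be made concrete. The following is an added example, not code from the original article or from any vendor product: it correlates Windows Security events 4624 (logon) and 4672 (special privileges assigned to new logon) by logon ID and flags the patterns that token manipulation produces, namely a logon of type 9 (NewCredentials, what a caller gets when it clones its own token and attaches alternate credentials) and token-related privileges landing on an account that is not expected to hold them. The event records, the allow-list of expected privileged accounts and the privilege set are constructed assumptions.

```python
"""Flag Windows logon events consistent with access-token manipulation.

Added example, not from the original article. The event records below are
constructed to resemble the fields of Security log events 4624 and 4672; the
allow-list and the privilege set are assumptions for this demonstration.
"""
from collections import defaultdict

# Logon type 9 (NewCredentials) is produced when a caller clones its token and
# supplies new credentials for outbound use (LogonUser with
# LOGON32_LOGON_NEW_CREDENTIALS, runas /netonly): the "make and impersonate" pattern.
NEW_CREDENTIALS = 9

# Assumption: accounts that are expected to receive special privileges.
EXPECTED_PRIVILEGED = {"Administrator", "svc-backup"}

# Assumption: privileges that make token theft or impersonation possible.
TOKEN_PRIVS = {
    "SeDebugPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
}

# Constructed sample events (not real log data).
CONSTRUCTED_EVENTS = [
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe",
     "TargetLogonId": "0x3e7a1", "SubjectUserName": "jdoe"},
    {"EventID": 4624, "LogonType": 9, "TargetUserName": "jdoe",
     "TargetLogonId": "0x4f002", "SubjectUserName": "jdoe"},
    {"EventID": 4672, "SubjectUserName": "jdoe", "SubjectLogonId": "0x4f002",
     "PrivilegeList": "SeDebugPrivilege SeImpersonatePrivilege"},
    {"EventID": 4624, "LogonType": 5, "TargetUserName": "svc-backup",
     "TargetLogonId": "0x5a110", "SubjectUserName": "SYSTEM"},
    {"EventID": 4672, "SubjectUserName": "svc-backup", "SubjectLogonId": "0x5a110",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"},
]


def find_token_abuse(events, expected=EXPECTED_PRIVILEGED):
    """Return (logon_id, user, reason) findings for events that look like
    token manipulation. 4624 and 4672 records sharing a logon ID describe
    the same logon session, so they are grouped before evaluation."""
    by_logon = defaultdict(list)
    for e in events:
        # 4624 carries the new session in TargetLogonId, 4672 in SubjectLogonId.
        by_logon[e.get("TargetLogonId") or e.get("SubjectLogonId")].append(e)

    findings = []
    for lid, evs in by_logon.items():
        for e in evs:
            if e["EventID"] == 4624 and e["LogonType"] == NEW_CREDENTIALS:
                findings.append((lid, e["TargetUserName"],
                                 "NewCredentials logon (type 9): token cloned with alternate credentials"))
            elif e["EventID"] == 4672:
                user = e["SubjectUserName"]
                granted = set(e["PrivilegeList"].split())
                if user not in expected:
                    findings.append((lid, user, "special privileges assigned to unexpected account"))
                hot = granted & TOKEN_PRIVS
                if hot:
                    findings.append((lid, user,
                                     "token-manipulation privilege granted: " + ", ".join(sorted(hot))))
    return findings


if __name__ == "__main__":
    for lid, user, reason in find_token_abuse(CONSTRUCTED_EVENTS):
        print(f"{lid} {user}: {reason}")
```

In the constructed sample, only the second logon session is flagged: it is a type 9 logon by a standard user that is then handed SeDebugPrivilege and SeImpersonatePrivilege. The backup service account receives privileges too, but it is on the expected list and the privileges it gets are not the ones used for token theft, so it produces no finding.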
The Windows User Account Control (UAC) mechanism creates a distinction between regular users and administrators. Even an administrator’s programs run with a filtered, standard-user token until the user explicitly approves elevation, which is meant to stop malware from compromising the operating system silently. However, if UAC is not set to its highest level (“Always notify”), certain signed Windows binaries are allowed to auto-elevate without a prompt, and attackers abuse them, or the COM objects they load, to run their own code with administrative privileges without the user ever seeing a consent dialog.
Review IT systems and ensure UAC protection is set to the highest level, or if this is not possible, apply other security measures. Regularly review which accounts are a local administrator group on sensitive systems and remove regular users who should not have administrative rights.
Attackers can perform “DLL preloading”. This involves planting a malicious DLL with the same name as a legitimate DLL in a location that the loader searches before the directory holding the legitimate copy. When an application loads a DLL by name rather than by full path, Windows probes a fixed list of directories in order: the application’s own directory, the system directories, the current working directory, and then the directories on PATH (with the legacy SafeDllSearchMode disabled, the working directory is searched right after the application directory). Often the attacker’s location is the current working directory, for example the folder a document was opened from, and in some cases attackers can steer the working directory to a remote volume such as a network share. The loader finds the attacker’s DLL first, treats it as the legitimate one, and executes it with the privileges of the loading process.
There are several other ways to achieve DLL search order hijacking:
Here are several ways to prevent a DLL search order hijack:
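One useful check when reviewing a deployment is to model the loader’s search order against the directories a low-privileged user can write to. The following is an added example, not code from the original article or from Microsoft: it encodes the documented default DLL search order (and the legacy order with SafeDllSearchMode off), skips names that are mapped from the KnownDLLs section rather than searched on disk, and reports, for each DLL an application probes by name, the first attacker-writable directory the loader would reach before finding the genuine copy. The application path, directory contents, writable set and DLL names are constructed assumptions.

```python
"""Model the Windows DLL search order to find hijackable load paths.

Added example, not from the original article. The directory layout, the
writable-directory set and the DLL names are constructed; the search order
is the documented default (SafeDllSearchMode on) versus the legacy order.
"""

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories probed, in order, for a DLL requested by bare name that is
    not a KnownDLL and has not already been loaded into the process."""
    if safe_dll_search_mode:
        # Default since Windows XP SP2: CWD is pushed behind the system directories.
        order = [app_dir] + SYSTEM_DIRS + [cwd] + list(path_dirs)
    else:
        # Legacy order: CWD is searched right after the application directory.
        order = [app_dir, cwd] + SYSTEM_DIRS + list(path_dirs)
    seen, dedup = set(), []
    for d in order:  # keep the first occurrence of each directory only
        if d.lower() not in seen:
            seen.add(d.lower())
            dedup.append(d)
    return dedup


def hijackable_dlls(dll_names, filesystem, writable_dirs, app_dir, cwd, path_dirs,
                    known_dlls=frozenset(), safe_dll_search_mode=True):
    """Map each hijackable DLL name to the directory an attacker who can write to
    `writable_dirs` would plant it in. `filesystem` maps directory -> set of files.
    A DLL is safe if the loader reaches the legitimate copy before any writable dir."""
    known = {k.lower() for k in known_dlls}
    results = {}
    for name in dll_names:
        if name.lower() in known:
            continue  # KnownDLLs are mapped from \KnownDlls, never searched on disk
        for d in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
            if name.lower() in {f.lower() for f in filesystem.get(d, ())}:
                break  # genuine copy found first; this name is not hijackable
            if d in writable_dirs:
                results[name] = d  # attacker's copy would be loaded from here
                break
    return results


# --- constructed scenario (not real system data) ---------------------------
APP_DIR = r"C:\Program Files\Acme\Viewer"      # installed under a protected path
CWD = r"C:\Users\low\Downloads"                # user-controlled working directory
PATH_DIRS = [r"C:\Windows\System32", r"C:\Tools"]  # C:\Tools assumed world-writable
FILESYSTEM = {
    APP_DIR: {"viewer.exe", "acmecore.dll"},
    r"C:\Windows\System32": {"version.dll", "kernel32.dll", "cryptbase.dll"},
}
WRITABLE_BY_LOW_PRIV = {CWD, r"C:\Tools"}
KNOWN_DLLS = {"kernel32.dll"}                  # assumption: subset of the real list
# Names the application probes; acmeplugin.dll is an optional plug-in that does
# not exist anywhere ("phantom" DLL), a classic hijack target.
DLLS_PROBED = ["acmecore.dll", "version.dll", "kernel32.dll", "acmeplugin.dll"]


def audit_hijack(safe_dll_search_mode=True):
    return hijackable_dlls(DLLS_PROBED, FILESYSTEM, WRITABLE_BY_LOW_PRIV,
                           APP_DIR, CWD, PATH_DIRS, KNOWN_DLLS, safe_dll_search_mode)


if __name__ == "__main__":
    print("SafeDllSearchMode on :", audit_hijack(True))
    print("SafeDllSearchMode off:", audit_hijack(False))
```

With the default order only the phantom plug-in is exposed, because the loader walks past every non-writable directory until it reaches the user’s working directory. With SafeDllSearchMode disabled, version.dll also becomes hijackable from the working directory, which is exactly the preloading scenario described above. Had the application been installed under a user-writable path, every probed name would be hijackable from the application directory itself, whatever the mode, which is why the install location matters as much as the search order.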
In Linux systems, attackers use a process called “enumeration” to identify weaknesses that may allow privilege escalation. Enumeration involves:
Attackers use automated tools to perform enumeration on Linux systems. You should also use the same tools to pre-empt an attack, by scanning your own system, identifying weaknesses, and addressing them.
Below are two specific techniques for escalating privilege on Linux and how to mitigate them.
From time to time, vulnerabilities are discovered in the Linux kernel. Attackers with a foothold as an unprivileged user can exploit such a vulnerability to gain root, and once an exploit has succeeded the kernel itself is under the attacker’s control, so none of the system’s own access controls or monitoring on that host can be trusted to contain it. Defense therefore has to happen before the exploit runs.
Attackers go through the following steps:
Follow security advisories and promptly install Linux kernel updates and patches; this is the only mitigation that removes the vulnerability itself. The remaining measures raise the bar for an attacker who already has a shell: restrict or remove programs that enable file transfers, such as FTP clients, SCP, or curl, or limit their use to specific users or destinations, which makes it harder to bring an exploit onto the target. Remove or restrict access to compilers such as GCC, since many public exploits must be compiled on the target to match its kernel build. You should also limit which directories are writable and executable, for example by mounting /tmp and /dev/shm with noexec, so an uploaded exploit has nowhere to run from.
sudo is a Linux program that lets users run commands with the privileges of another user. Unless a different target user is specified, it runs the command as root (the superuser). Attackers therefore try to compromise a user who has sudo rights on a system, because any sudo rule that can be turned into a shell hands them root.
A common scenario is administrators granting some users the right to run supposedly harmless commands through sudo, such as ‘find’. However, ‘find’ has options, such as -exec, that run an arbitrary command for each matching file, so if attackers compromise that user’s account they can use ‘sudo find’ to execute commands, including a shell, as root. The same is true of any program that can spawn a subprocess, open an editor, or read and write arbitrary files when run as root.
Never give sudo rights to compilers, interpreters, editors, pagers or debuggers, including vi, more, less, nmap, perl, ruby, python and gdb, and do not give sudo rights to any program that can launch a shell. Where a rule cannot be avoided, prefer an explicit command path with fixed arguments over a bare binary name, and severely limit sudo access using the least-privilege principle, reviewing the sudoers rules regularly.
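Reviewing sudoers by hand is error-prone, so the check above can be automated. The following is an added example, not code from the original article: it parses the User_Spec lines of a sudoers file (user, host, optional runas, optional tags such as NOPASSWD or NOEXEC, and a comma-separated command list), then flags rules that reach root through either unrestricted ALL or one of the shell-capable binaries named in this article. The sample sudoers content is constructed, and the denylist and the severity scheme are assumptions for this demonstration; sudo’s NOEXEC tag is treated as a partial mitigation because it blocks the command from executing other programs but does not stop it from reading or writing files as root.

```python
"""Audit sudoers User_Spec rules that can be turned into a root shell.

Added example, not from the original article. The sudoers text is constructed;
the denylist follows the article's examples and is an assumption.
"""
import re

# Assumption: binaries that can spawn a shell or read/write arbitrary files
# when run as root (find -exec, vi :!sh, less !sh, interpreters, gdb ...).
SHELL_CAPABLE = {
    "find", "vi", "vim", "more", "less", "nmap", "perl", "ruby", "python",
    "python3", "gdb", "gcc", "awk", "env", "bash", "sh", "zsh", "su",
}

# User_Spec:  user  host = (runas[:group]) [TAG:...] cmd, cmd ...
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_user_spec(line):
    """Return one rule dict per command in a User_Spec line, or [] for
    comments, blank lines, Defaults entries and alias definitions."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
        return []
    m = SPEC_RE.match(line)
    if not m:
        return []
    rules = []
    for chunk in m.group("cmds").split(","):
        chunk, tags = chunk.strip(), set()
        while True:  # peel off leading TAG: prefixes
            t = TAG_RE.match(chunk)
            if not t or t.group(1) not in TAGS:
                break
            tags.add(t.group(1))
            chunk = chunk[t.end():]
        binary = chunk.split()[0] if chunk else ""
        rules.append({
            "user": m.group("user"), "host": m.group("host"),
            # sudo runs as root when no runas user is given
            "runas": (m.group("runas") or "root").split(":")[0],
            "tags": tags, "command": chunk,
            "binary": binary.rsplit("/", 1)[-1],
        })
    return rules


def audit_sudoers(text):
    """Return (user, binary, severity, reason) for rules that can yield root."""
    findings = []
    for line in text.splitlines():
        for r in parse_user_spec(line):
            if r["user"] == "root" or r["runas"] not in ("root", "ALL"):
                continue  # root gains nothing from sudo; non-root targets are out of scope here
            if r["command"] == "ALL":
                findings.append((r["user"], "ALL", "high", "unrestricted root"))
            elif r["binary"] in SHELL_CAPABLE:
                sev = "medium" if "NOEXEC" in r["tags"] else "high"
                findings.append((r["user"], r["binary"], sev,
                                 "shell-capable binary run as root"))
    return findings


# Constructed sample sudoers content (not from a real system).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
alice   ALL=(root) NOPASSWD: /usr/bin/find
bob     webhost=(root) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/nginx/*
carol   ALL=(root) NOEXEC: /usr/bin/vim /etc/motd
"""

if __name__ == "__main__":
    for user, binary, sev, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{sev}] {user}: {binary} ({reason})")
```

Run against the sample, the audit flags the admin group’s unrestricted ALL, alice’s bare ‘find’, bob’s ‘less’ (a pager that can run a shell with !sh) and, at lower severity, carol’s NOEXEC-tagged vim. The rsync and systemctl rules pass because their binaries are not on this denylist, which is itself a reminder that a list like this only encodes what its author knows; a rule that runs a fixed command with fixed arguments is still the safer shape.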
In this article, we were only able to cover a few common privilege escalation attacks. For more attacks and additional details on how to mitigate and detect each attack, refer to MITRE ATT&CK privilege escalation tactics.
Cynet 360 is a holistic security solution that can help with three aspects of defending against privilege escalation—network security, endpoint security, and behavioral analytics.
1. Network Analytics
Network analytics is essential to detect and prevent initial penetration and privilege escalation on your network.
The challenge—sophisticated attackers target an organization’s weak points. Following an initial endpoint compromise, the attacker looks to expand their reach and gain privileges and access to other resources in your environment. Their ultimate aim is to access your sensitive data and to transfer it to their premises. Key parts of these attack vectors can only be discovered via generated anomalous network traffic.
The solution—Cynet Network Analytics continuously monitors network traffic to trace and prevent malicious activity that is otherwise invisible, such as credential theft and data exfiltration.
2. Endpoint Protection and EDR
Unauthorized access to endpoints is a common entry point in a privilege escalation attack.
The challenge—attackers with strong motivation will eventually bypass the prevention measures on the endpoint. They will use several tools to work undetected until they achieve their desired outcome.
The solution—Cynet EDR continuously monitors the endpoints, so defenders can detect the active malicious presence, immediately understand its impact and scope, and respond.
3. User and Event Behavioral Analytics
Behavioral analytics can help you detect anomalous activity on organizational systems or user accounts, which may indicate intrusion attempts or privilege escalation. It is also especially important to detect privilege escalation conducted by malicious insiders.
The challenge—attackers with clear objectives in mind, or those with insider privileges, might bypass detection, succeed in compromising user accounts and use them for data access and lateral movement.
The solution—Cynet User Behavior Analysis monitors and profiles user activity continuously, to establish a legitimate behavioral baseline and detect anomalous activity that suggests compromise of user accounts or privilege escalation.