Privilege Escalation Attack and Defense Explained

What is a Privilege Escalation Attack?

A Privilege escalation attack is defined as a cyberattack to gain illicit access of elevated rights, or privileges beyond what is entitled for a user. This attack can involve an external threat actor or an insider. Privilege escalation is a key stage of the cyberattack chain and typically involves the exploitation of a privilege escalation vulnerability, such as a system bug, misconfiguration, or inadequate access controls. In this blog, I will explain how privilege escalation works, the key attack vectors involved with privilege escalation, and the critical privileged access security controls you can implement to prevent or mitigate it.

Vertical vs Horizontal Privilege Escalation

Privilege escalation attacks are separated into two broad categories—horizontal privilege escalation and vertical privilege escalation. Often confused with each other, these terms are defined as follows:

• Horizontal privilege escalation involves gaining access to the rights of another account—human or machine—with similar privileges. This action is referred to as “account takeover.” Typically, this would involve lower-level accounts (i.e., standard user), which may lack proper protection. With each new horizontal account compromised, an attacker broadens their sphere of access with similar privileges.
• Vertical privilege escalation, also known as a privilege elevation attack, involves an increase of privileges/privileged access beyond what a user, application, or other asset already has. This entails moving from a low-level of privileged access to a higher amount of privileged access. Achieving vertical privilege escalation could require the attacker to perform a number of intermediary steps (i.e., execute a buffer overflow attack, etc.) to bypass or override privilege controls, or exploit flaws in software, firmware, the kernel, or obtain privileged credentials for other applications or the operating system itself. In 2020, elevation of privilege vulnerabilities comprised 44% of all Microsoft vulnerabilities, according to the Microsoft Vulnerabilities Report 2021.

How does Privilege Escalation Work?

Every local, interactive session or remote access session represents some form of privileged access. This encompasses everything from guest privileges allowing local logon only, to administrator or root privileges for a remote session and potentially complete system control. Therefore, every account that interacts with a system has some privileges assigned.

A standard user rarely has rights to a database, sensitive files, or anything of value. So, how does a threat actor navigate an environment and gain administrator or root privileges to exploit them as an attack vector? There are five primary methods:

1. Credential exploitation
2. Vulnerabilities and exploits
3. Misconfigurations
4. Malware
5. Social engineering

The attack chain diagram below shows the primary techniques used by a threat actor, regardless of being an insider or external threat, to begin their mission and propagate through an environment.

What Are Privilege Escalation Attacks?

Privilege escalation attacks start by threat actors gaining a foothold within the environment. An attacker could gain this beachhead by leveraging missing security patches, social engineering, or other methods. Once the initial infiltration has been successful, threat actors will typically perform surveillance and wait for the right opportunity to continue their mission.

Threat actors will customarily pursue the path of least resistance. If time permits, they will clean up their activities to remain undetected. Whether this involves masking their source IP address or deleting logs based on the credentials they are using, any evidence about their presence reflects an indicator of compromise (IoC). Once an organization identifies an intrusion, they may monitor the intruder’s intentions, and/or potentially pause or terminate the access session.

Typically, the second step in the cyberattack chain involves privilege escalation to accounts with administrative, root, or higher privileged rights than the account initially compromised. Of course, it’s possible the initial compromise involved an administrative or root account. If this is the case, a threat actor is further along in their malicious plans and may already own an environment.

5 Common Privileged Escalation Attack Methods

Let’s now look at five major classes of privilege escalation attacks.

1. Credential Exploitation

Valid single factor credentials (username and password) will allow a typical user to authenticate against a resource. However, if a threat actor knows the username, obtaining the account’s password becomes a hacking exercise. Often, a threat actor will first target a systems administrator since their credentials frequently have privileges to directly access sensitive data and systems. With a sysadmin’s credentials and access, a cybercriminal can move laterally, while arousing little or no suspicion.

Once a threat actor has compromised credentials, every privilege the account has is now fair game for the attacker. If the threat actor is detected, an organization typically resets passwords as a high a priority and reimages infected systems to mitigate the threat (especially if it involves servers). However, requesting a password change alone does not always resolve the incident because the method of obtaining the credentials in the first place may involve other attack vectors, like malware or a compromised cell phone. This provides the threat actor with a persistent presence until their infiltration has been fully eradicated.

Compromised credentials are the easiest privileged attack vector for a threat actor to achieve success. The accounts associated with credentials control almost every aspect of a modern information technology environment—from administrators to service accounts. Unfortunately, credential theft can be accomplished via password reuse attacks, memory-scraping malware, and almost countless other ways.

Privileged escalation of credentials from a standard user to administrator can happen using a variety of techniques described in this blog. Credentials compromised for the most sensitive accounts (domain, database administrator, etc.) can be a “game over” event for some companies. IT security teams should always scrutinize superuser accounts and identify them during a risk assessment. Privileged account credentials are a prime attack vector for horizontal privilege escalation and you should prioritize their protection over the course of your privileged access management (PAM) journey.

2. Privileged Vulnerabilities and Exploits

Vulnerabilities are mistakes in code, design, implementation, or configuration that may allow malicious activity to occur via an exploit. Vulnerabilities can involve the operating system, applications, web applications, infrastructure, and so on. They can also involve protocols, transports, and communications in between resources from wired networks, Wi-Fi, and tone-based radio frequencies (old school – i.e., 2600 club).

A vulnerability itself does not allow for a privileged attack vector to succeed; it just means a risk exists. Absent an exploit, a vulnerability is just a potential problem.

When it comes to actual exploits, some are only proof-of-concept, some are unreliable, while others are easily weaponized. Some exploits are included in commercial penetration testing tools or free, open-source hacking tools. In addition, some vulnerabilities are sold on the dark web to perpetrate cybercrimes. Other vulnerabilities are used exclusively by nation-states until they are patched or made public (intentionally or not).

Depending on the vulnerability, available exploit, and resources assessed with the flaw, the actual risk could be limited in scope, or an impending disaster. The combination of vulnerability, available exploit, exposure of resource, mitigating controls, and likelihood of an attack all contribute to how effectively a vulnerability can be leveraged against an organization. This helps formulate a risk score.

It is important to note only a small subset of vulnerabilities allows vertical privilege escalation as a part of the exploitation payload. However, if the vulnerability itself leads to an exploit allowing changes (privileged escalation from one user’s permissions to another), the risk is a worrisome privileged attack vector.

Depending on the privileges of the user or application executing in conjunction with the vulnerability, the escalation and effectiveness of the attack vector can change. For example, an operating system vulnerability can have two completely different sets of risks once exploited (horizontal escalation) depending on whether it is executed by a standard user versus an administrator. As a standard user, the exploit may fail, could be limited to the user’s privileges, or it could gain full administrative access to the host (vertical escalation). However, if the user is leveraging a domain administrator account or other elevated privileges, the exploit could gain permissions to the entire environment.

Elevation of privilege vulnerabilities (which allow for vertical privilege escalation) are responsible for many of the worst exploits in recent years—including BlueKeep, WannaCry, and NotPetya.

The security industry has multiple security standards to convey the risk, threat, and relevance of a vulnerability. These standards are:

• Common Vulnerabilities and Exposure (CVE)—a standard for information security vulnerability names and descriptions.
• Common Vulnerability Scoring System (CVSS)—a mathematical system for scoring the risk of information technology vulnerabilities.
• The Extensible Configuration Checklist Description Format (XCCDF)—a specification language for writing security checklists, benchmarks, and related kinds of documents.
• Open Vulnerability Assessment Language (OVAL)—an information security community effort to standardize how to assess and report upon the machine state of computer systems.
• Common Configuration Enumeration (CCE)—provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.
• Common Weakness Enumeration Specification (CWE)—provides a common language of discourse for discussing, finding, and dealing with the causes of software security vulnerabilities as they are found in code.
• Common Platform Enumeration (CPE)—a structured naming scheme for information technology systems, software, and packages.
• Common Configuration Scoring System (CCSS)—a set of measures of the severity of software security configuration issues. CCSS is a derivation of CVSS.

This information allows security professionals and management teams to discuss and prioritize the vulnerability risks using standard scoring and terminology. Vulnerabilities posing the highest risk have privileged escalation exploits operating without any end-user intervention. Historically, these have been weaponized in the form of malware called “worms”. Some famous ones are Code Red, Blaster, and Big Yellow.

An exploit with the potential to gain privileges, execute code, and proceed undetected is dependent not only just on the vulnerability, but also on the privileges the exploit has when it executes. Therefore, vulnerability management, risk assessments, patch management, and privileged access management are so important. Exploits can only execute in the confines of the resource they compromise. If no vulnerability exists due to remediation, the exploit cannot execute. If the privileges of the user or application of the vulnerability are low (standard user), and no vertical privilege escalation exploitation is possible, then the attack is limited in its capabilities or may fail.

But don’t be fooled: exploitation—even at standard user privileges—can inflict devastation in the form of ransomware or other vicious attacks. Fortunately, most exploits can be contained or mitigated by reducing privileges and minimizing the surface area for a cyberattack.

Exploits wreak the most havoc with the highest privileges, hence the security best practice recommendation to operate with least privilege and remove administrative rights from all end users. The Microsoft Vulnerability Report 2021 (published by BeyondTrust) found 56% of critical Microsoft vulnerabilities over the last five years could be mitigated by being a standard user versus an administrator.

3. Misconfigurations

Configuration flaws are another form of exploitable vulnerabilities. These are flaws requiring mitigation – not remediation.

What is the difference between remediation and mitigation? Remediation implies the deployment of a software or firmware patch to correct the vulnerability. This process is commonly referred to as patch management. Mitigation, on the other hand, refers to an alteration in the existing deployment that deflects (mitigates) the risk from being exploited. Generally, these mitigations are just a change in settings or in the runtime using supported features.

The most common configuration problems exploited for privileges involve accounts with poor default security settings. Examples of poor security settings include:

• Blank or default passwords for administrator or root accounts established upon initial configuration
• Insecure access that is not locked down after an initial installation (often due to lack of expertise)
• Undocumented backdoors into the environment

If the flaw is severe enough, a threat actor can gain root or administrator privileges with minimal effort.

Configuration errors in cloud resources represent a rapidly growing source of privileged attacks.

4. Malware

Malware, which includes viruses, spyware, worms, adware, ransomware, etc., refers to any class of undesirable or unauthorized software designed to have malicious intent on a resource. The intent can range from surveillance, data exfiltration, disruption, command and control, denial of service, to extortion. Malware provides a vehicle for attackers to instrument cybercriminal activity.

Malware, like any other program, can potentially execute at any permission from standard user to administrator (root) based on the context it was originally executed within. Malware can install on a resource via:

• Vulnerability and exploit combinations
• Legitimate installers
• Weaknesses in the supply chain
• Social engineering via phishing or drive by Internet attacks.

Irrespective of the malware delivery mechanism, the motive is to execute code on a resource. Once running, it becomes a race between detection by endpoint security vendors and threat actors to keep executing, evade discovery, and remain persistent. Modern malware continues evolving to better elude detection and disable cyber defenses to continue its proliferation.

Malware may perform functions like scraping memory for password hashes and keystroke logging. This allows for the stealing of passwords to perform attacks based on privileges by the malware itself, or other attack vectors deployed by the threat actor.

Malware is just a transport vehicle to continue the propagation of a sustained attack. As such, malware ultimately needs permissions to obtain the target information sought after by the attacker. The malware subset that scrapes memory, installs additional malicious software, or provides surveillance is the most pertinent to privileged escalation. Its goal is surveillance to execute a vertical privileged attack in the future.

5. Social Engineering

Social engineering attacks capitalize on the trust people have in the communications (voice, email, text, etc.) addressed to them. If the message is well-crafted, and potentially even spoofs someone trusted, then the threat actor has already succeeded in the first step of the ruse

From a social engineering perspective, threat actors attempt to capitalize on a few key human traits to meet their goals:

• Trustworthiness: The belief the correspondence, of any type, is from a trustworthy source.
• Credulity: The belief the contents, as crazy or simple as they may be, are, in fact, real. This drives much of our behavior in believing “fake news”.
• Sincerity: The intent of the content is in your best interest to respond or open.
• Distrust: The contents of the correspondence do not raise any concern by having misspellings and poor grammar, or by sounding like a robot corresponding on the phone.
• Curiosity: The attack technique has not been identified (as part of previous training), or the person remembers the attack vector, but does not react accordingly.
• Laziness: The correspondence initially looks good enough but investigating the URLs and contents for malicious activity does not seem worth the effort.

If we consider each of these characteristics, we can appropriately train team members to improve resistance to social engineering attacks. The difficulty is overcoming human traits. For instance, if a team member is victimized by a social engineering attack, then the threat actor can gain access, and potentially install malware, ransomware, or escalate privileges. Successful social engineering allows the employee to “open the door” for a threat actor to conduct their nefarious mission.

Operating Systems and Privileged Escalation

We have considered common methods leveraged for privileged escalation, and the most common techniques to obtain administrative privileges—but how does this apply to your organization? Consider the table below:

Table Legend:

• H – High occurrence and probability of an attack vector with a wide variety of threats against the organization
• M – Medium probability of an attack vector against an organization with a medium chance of wide scale success
• L – Rare or infrequent occurrence of an attack against an organization and a low probability it would be successful

Note: There are always exceptions. Mirai Botnet and Poodle prove that remaining vigilant in low risk scenarios for privileged escalation is still imperative.

Some operating systems are more prone to social engineering simply based on user interaction. For instance, social engineering is a more common contributor to Windows privilege escalation attacks. On the other hand, Unix and Linux privilege escalation attacks are rarely the result of social engineering, but rather misconfigurations, vulnerabilities and exploits, and targeted insider attacks. This is true simply because Windows is far more prevalent on end- user desktops than other operating systems.

However, credential exploitation can happen on any operating system and device. If credentials are exposed using any of the techniques we have discussed, then a privileged escalation can occur using any of the additional methods available to threat actor. No asset, application, or resource is immune to a credential-based attack. And none of them are immune from privileged escalation. By adopting technologies like Single Sign On (SSO) and Multi-Factor Authentication (MFA), organizations can mitigate the risk. When this is combined with good cybersecurity hygiene like segmentation, privileged access management (PAM), patch management, vulnerability management, and change control, a strong defense- in-depth emerges. But remember none of these security practices is 100% effective.

Privilege Escalation Attack Vectors

An attack vector is a technique by which a threat actor, hacker, or attacker gains access to a system, application, or resource to perform malicious activity. This can include everything from installing malware, altering files or data, or even some form of persistent reconnaissance.

Privileged escalation attack vectors arguably represent the worst of all cyber threats because the attacker can become the administrator and owner of all the information technology resources within your company. And with this power, all your data, assets, applications, and resources potentially can fall under some form of foreign control.

Now that we understand the techniques for privileged attacks, let’s explore the most common methods privileges and credentials are compromised and hence, stolen and leveraged for escalation.

Password Hacking: A threat actor can crack or steal a password using several techniques. These attacks can lead to administrator privileges if the account has been granted these rights. This represents another reason to limit the number of administrator accounts in an environment and enforce least privilege. If the account is an administrator, the threat actor can easily circumvent other security controls, achieve lateral movement, and opportunistically attempt to crack other privileged account passwords.

As a point of reference, password hacking is different from password exposure, such as shared passwords and the insecure documentation of passwords. Password hacking involves attackers attempting to crack or determine a password using a variety of programmatic techniques and automation using specialized tools.

Password Guessing: One of the most popular techniques for password hacking is simply guessing the password. A random guess is rarely successful unless it is a common password or based on a dictionary word. Flat-out guessing is somewhat of an art but knowing information about the target identity enhances the likelihood of a successful guess. Relevant information can be gathered via social media, direct interaction, deceptive conversation, or even data gleaned and merged or aggregated from prior breaches. Password guessing attacks also tend to leave evidence in event logs and result in auto-locking of an account after “n” attempts.

In addition, if the account holder reuses passwords between resources, then the risks of password guessing, and lateral movement dramatically increase. Imagine a person who uses only one or two base passwords everywhere—for all their digital presence and privileged accounts. Unfortunately, this happens all the time!

Shoulder Surfing enables a threat actor to gain knowledge of credentials through observation. This includes observing passwords, pins, and swipe patterns as they are entered, as well as passwords scribbled on a sticky note. The shoulder surfing concept is simple, yet ancient. A threat actor watches physically, or with the aid of an electronic device like a camera, for passwords and later reuses them for an attack. Therefore, we should all be mindful of shielding the entry of our ATM PIN.

Dictionary Attacks are an automated technique (unlike password hacking or guessing) utilizing a list of passwords against a valid account to reveal the password. The list itself is a dictionary of words. Basic password crackers use these lists of common single words like “baseball” to crack a password, hack an account, and reveal the complete credential used for authentication.

If the threat actor knows the resource they are trying to compromise, like password length and complexity requirements, they can customize the dictionary to more efficiently target the resource. Therefore, more advanced programs often use a dictionary on top of mixing in numbers or common symbols at the beginning or end of the attempt to mimic a real-world password with complexity requirements.

An effective dictionary attack tool lets a threat actor do the following:

• Set complexity requirements for length, character requirements, and character set
• Allow for the manual addition of words, such as names or another personally identifiable combination of words
• Include common misspellings of frequently used words
• Operate with dictionaries in multiple languages of words

A weakness of dictionary attacks is they rely on real words and derivations supplied by the user of the default dictionary. If the real password is fictitious, uses multiple languages, or uses more than one word or phrase, it will thwart a dictionary attack.

The most common methods to mitigate the threats of a dictionary attack are account lockout attempts and password complexity policies. Lock-out protections mean after “n” times of wrong attempts, a user’s account is automatically locked in a period of time, manually unlocked by an authority (i.e., the help desk), or via an automated password reset solution.

However, in many environments, especially for nonhuman accounts, account lockout attempts can hamper business runtime. Therefore, many disable this security setting. Consequently, if logon failures are not being monitored in event logs, a dictionary attack is an effective attack vector for a threat actor. This is especially true if privileged accounts do not have this setting enabled as a mitigation strategy. And remember, a dictionary attack can include the most common words altered using simple password complexity tricks like changing “a” to “@” or “o” to “0”. Therefore, complexity alone is not the best solution.

Rainbow Table Attacks are a subset of dictionary attacks. If the attacker knows the password-hashing algorithm used to encrypt passwords for a resource, rainbow tables can allow them to reverse engineer those hashes into the actual passwords. The hacker has dictionary hashes to map back to the original password. Modern breaches have exposed vast troves of password hashes, but without a basis in the encryption algorithm, rainbow tables and similar techniques are nearly useless without some form of seed information.

Brute Force Password Attacks are the least efficient method for trying to hack a password, so are generally used as a last resort. Brute force password attacks utilize a programmatic method to try all the possible combinations for a password. This method is efficient for passwords that are short in string (character) length and complexity but can become infeasible—even for the fastest modern systems—with a password of eight characters or more.

If a password only has alphabetical characters, all in capitals or all in lowercase (not mixed), it will take 8,031,810,176 guesses. You have a better chance of winning the lottery! This estimation also assumes the threat attacker knows the length of the password and complexity requirements. Other factors include numbers, case sensitivity, and special characters in the localized language.

While a brute force attack with the proper parameters will eventually find the password, the time and computing power required may render the brute force test itself a moot point by the time it is done. And the time it takes to perform the attacks is not only based on the speed required to generate all the possible password permutations, but also the challenge and response time of a failure on the target system. The response lag time is what really matters when trying to brute force a password.

Pass-the-Hash (PtH) is a hacking technique allowing an attacker to authenticate to a resource by using the underlying NT LAN Manager (NTLM) hash of a user’s password, in lieu of using the account’s actual human-readable password. After a threat actor obtains a valid username and hash for the password using a variety of techniques, like scraping a system’s active memory, they can use the credentials to authenticate to a remote server or service using LM or NTLM authentication.

PtH attacks exploit an implementation weakness in the authentication protocol, where the password hash remains static for every session until the password itself is changed. You can perform a PtH against almost any server or service accepting LM or NTLM authentication, regardless of whether the resource is using Windows, Unix, Linux, or another operating system. Unfortunately, modern malware can contain techniques to scrape memory for hashes, making any active running user, application, service, or process a potential target. Once you obtain the hash, command and control or other automation allows for additional lateral movement (horizontal) or data exfiltration.

Modern systems can defend against pass-the-hash attacks in a variety of ways. However, changing the password frequently (after every interactive session) is a good defense to keep the hash different between the sessions. Password management solutions with frequently rotating passwords or customize the security token are good defenses against this technique.

Security Questions: Financial institutions and merchants use security questions to verify a user against their account. The concept is to ask them questions challenging them to respond to private and personal information only the end user should know.

Many organizations require a user to answer this question when they set up a new account. These question-answer pairs serve as a form of two-factor authentication to verify a user’s identification in the case of a forgotten password. The end user is prompted to respond to security questions when logging on from a new resource, when they select “forgot password”, or even when they change their password to improve the confidence of their identity.

Some common security questions include:

• What city were you born in?
• Your high school mascot?
• Your first car?
• Your favorite food?
• Your mother’s maiden name?
• What was your first pet’s name?

However, the security questions themselves present potentially far-reaching risks. Think about these scenarios:

• How many people would know the answer to any of these questions?
• Are your answers publicly available online via social media, biographies, or even school records?
• Have you played any social media games that may have revealed this information?
• Have the security questions, and possibly their answers, been stolen in a previous breach?

The relationship is clear. The more places and people that know the answers to your security questions, the more likely they can be answered by someone else. In addition, if the information is public, then it is not a legitimate security question at all.

When a resource request you complete and use security questions, my recommendation is to use the most obscure questions no one besides yourself may know the answers to. Moreover, be careful to never share information online similar to another site that uses the same security questions.

Credential Stuffing: Credential stuffing is a type of automated hacking technique using stolen credentials comprised of lists of usernames (or email addresses) and the corresponding passwords to gain unauthorized access to a system or resource. The technique generally involves automation to submit login requests against an application and to capture successful login attempts for future exploitation.

Credential stuffing attacks do not attempt to brute force or guess any passwords. In these attacks, the threat actor automates authentication based on previously discovered credentials. The result can be millions of attempts to determine where a user potentially reused their credentials on another website or application. Credential stuffing attacks prey on password reuse and are only effective because so many users reuse the same credential combinations across multiple sites.

Password Spraying: Password spraying is a credential-based attack that tries to access a multitude of accounts by using a few common passwords. This is conceptually the opposite of a brute force password attack.

During a password-spray attack, the threat actor attempts a single, commonly used password (such as “12345678” or “Passw0rd”) against many accounts before moving on to attempt a second password. Essentially, the threat actor tries every user account in their list with the same password before resetting the list and trying the next password. This technique minimizes the risk of the threat actor being caught, avoids account lockouts, and evades hacking detection on a single account due to the time between attempts.

Password Changes and Resets: How often do you change your passwords? Every 30 or 90 days when prompted to at work? How about at home? How often do you rotate passwords for your banking, e-commerce, streaming, or social media accounts? Probably not often, if ever, and surprisingly, that might be okay!

Without a password manager, keeping all of one’s passwords unique and complex is a daunting task—even for the most seasoned security professional.

Unfortunately, there is a common risk in resetting (not to be confused with changing) passwords that makes them targets for threat actors. Resetting a password is the act of a forced password change by someone else—not a change initiated by the password user. Risks associated with password resets include:

• Easily guessable pattern-based passwords (as described earlier) when reset
• Passwords reset via email or text message and kept by the end user
• Passwords reset by the help desk that are reused every time a password reset is requested
• Automated password resets blindly given due to account lockouts
• Passwords that are verbally communicated and can be heard aloud
• Complex password resets that are written down by the end user

Anytime a password is reset, there is an implicit acknowledgment that the old password is at risk and needs to be changed. Perhaps it was forgotten, expired, or triggered a lockout due to numerous failed attempts. The reset, transmission, and storage of the new password are a risk until the password is changed again by the end user.

When an identity has been compromised, a threat actor may request a password reset. The attacker then creates their own credentials for the account. Anytime a user requests a password reset, the following best practices should be implemented:

• The password should be random and meet the complexity requirements per business policy
• The password should be changed by the end user after the first logon and require, if implemented, two-factor or MFA to validate
• Password reset requests should always come from a secure location
• Public websites for businesses (not personal) should never have “Forgot Password” links
• Password resets via email assume the end user retains access to email to access the new password. If the email password itself requires resetting, another method needs to be established.
• Do not use SMS text messages—they are not sufficiently secure for sending password reset information
• If possible, password resets should be ephemeral. That is, the password reset should only be active for a predefined duration. If the end user has not accessed the account again within the predefined amount of time, an account lockout will occur.

While changing passwords frequently remains a security best practice for privileged accounts, resetting passwords and transmitting them through unsecure mediums is not. For the individual, a simple password reset can be the difference between a threat actor trying to own your account and a legitimate reason.

Access Token manipulation provides adversaries with a vehicle to modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. The Microsoft Windows operating system uses access tokens to determine the runtime ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to a user other than the one who started the process. If this occurs, the process also takes on the security attributes associated with the new token.

The Windows API allows for a threat actor to copy access tokens from existing processes. This is called token stealing. Applying stolen tokens to an existing process or used to spawn a new process and are analogous to theft or impersonation in the real world. Fortunately, a threat actor needs to be an administrator to steal a token.

However, threat actors commonly use token theft to elevate the processes of their profile from the administrator to operating as SYSTEM. In addition, a stolen token can be used for lateral movement to authenticate to a remote system if the account for that token can authenticate as a valid user on the remote system. As an example, any standard user can use the “RunAs” command via the user interface or command line, and the Windows API functions, to create an impersonation token. Actual administrator access to an account is not a requirement. Therefore, this provides a method for a privileged attack if a threat actor has local access to a host.

UAC (User Account Control) bypass techniques provide a vehicle for threat actors to bypass UAC security controls to elevate running process privileges on a system. Windows UAC functionality allows a program to elevate its privileges to perform a task after prompting the user to accept the changes to its runtime permissions. The user has a choice to select these options based on a UAC prompt:

• Deny the operation to continue and terminate the process immediately
• Allow the user to perform the action if they are in the local administrators group
• Prompt the user to supply credentials that have privileges to continue the operation.

Depending on the UAC protection level set on the computer (only high is immune), certain Windows applications can elevate privileges or execute some operating system functions, like COM, without prompting the user. A threat actor could bypass UAC controls if the protection level is set lower than “high” for application compatibility or for usability. Malicious software may also be injected into a trusted process to gain elevated privileges—without prompting a user—making this privileged attack vector a prime choice for exploitation.

Identity Enumeration attacks, including those exploiting sudo, occur when a threat actor can apply techniques like brute-force to either guess or confirm valid users are available for authentication to a resource. User enumeration is often associated with web-based applications, although it can also be found in any application requiring a traditional user and credential-based authentication. Two of the most common areas where user enumeration occurs are:

• In an application login page, based on a failed authentication response
• ‘Forgot Password' functionality that may trigger a workflow or reply “no account found”

Essentially, the threat actor is looking for the server's response based on the validity of submitted credentials to determine if the account they tried is valid. This is a common response mechanism for many applications.

When the user enters a valid username and invalid password, the server returns a response saying the password is incorrect. If the threat actor enters an invalid username, regardless of the password, typical applications respond with no account found. Consequently, a threat actor can determine if their hacking attempt is using a valid account and incorrect password, or if the account they are trying will never authenticate. Based on automation and brute force checks, they can enumerate valid accounts for a resource and attempt future privileged attacks based on common passwords, reused passwords, or others gleaned from previous attacks.

Finally, if the threat actor can determine the naming pattern for a company (i.e., first initial last name), then building a list for enumeration and future attacks becomes much easier.

Malware is any piece of computer software (including firmware, microcode, etc.) written with the intent of damaging devices, stealing data, and, generally, causing a resource to behave in ways not in accordance with its intended design.

There are eight different types and sources for malware, any of which can be used for privilege escalation attacks:

• Bugs: A type of error, flaw, vulnerability, or failure that produces an undesirable or unexpected result due to poor software coding or unexpected operational conditions. Bugs can exist in any type of software. When bugs can be leveraged against an application and its data, they are called vulnerabilities (i.e., elevation of privilege vulnerability), and the software used to leverage them are called exploits. Technically, a bug alone is not true malware as it is not created with malicious intent, but when it is leveraged it can be just as devastating. In the gaming world, these are typically referred to as “glitches”.
• Worms: Worms rely on bugs, vulnerabilities, and exploits to deliver a payload and propagate themselves to other resources. Initial infections may hide in attachments or file downloads, but once they execute, they can scan a network (or Internet) for other vulnerable systems to propagate. Based on their design, they consume vast amounts of bandwidth or operate in a slow, stealthy mode. Worms have the potential to completely disable a network or web server. Ransomware can self-propagate to infect multiple systems on its own is a form of a worm.
• Virus: A virus is any piece of malicious software loaded onto your website or computer without your knowledge. The intent of the virus may not be apparent from an initial infection and, in general, it can reside on a resource until it is triggered to perform a malicious action. A virus may use techniques to obfuscate detection, like with DLL (Dynamic Link Library) hijacking or hiding as a root kit.
• Bots: Bots are malicious software programs created to perform a specific set of tasks with a known intent. A threat actor can utilize bots to send spam or participate in a Distribution Denial of Service (DDoS) attack to bring down an entire website, network, or Internet-based service. Bots can serve as a vehicle for horizontal privileged escalation when combined with worms and are often the surveillance part of the attack.
• Trojan: Much like the mythical Trojan Horse, this malware disguises itself as a normal file or application and tricks the user into downloading, opening, or executing it. The payload can launch any other form of malware and continue to deceive the user into believing they are interacting with a legitimate piece of software. Authentication-based attacks are typically based on Trojans.
• Ransomware: Ransomware denies access to your files, typically through encryption, and demands a ransom (usually in the form of digital and cryptocurrencies like Bitcoin) to release the threat actor’s grip on your data. If the ransom is paid, and the threat actor is operating a real ransomware service, they will provide a method to decrypt your files and allow you to gain access to the assets. In some cases, the victim pays the ransom, but the threat actor has long abandoned their scheme, leaving the victim with infected systems and an irrecoverable financial loss.
• Adware: Adware is a type of malware used to automatically displays unwanted, and potentially illegal, advertisements to an end user. Clicking an email link or opening an attachment could download malicious software, launch an exploit, or redirect you to a malicious website. The goal is to expose inappropriate services to the end user and trick them into performing additional steps to load more malware or surveillance-based software.
• Spyware: Spyware is a type of malware used to conduct surveillance on a user’s activity. These functions can include monitoring the user’s screen, capturing keystrokes, and even enabling the asset’s camera and microphone for surveillance. This information is collected and transmitted through the Internet or stored locally for later retrieval by the threat actor. In today’s world, next to ransomware, this is the most dangerous malware used by threat actors because the information gathered tends to make it easy for privileged escalation.

How to Prevent and Mitigate Privilege Escalation Attacks

Because privilege escalation attacks can start and advance myriad different ways, multiple defense strategies and tactics are required for protection. However, implementing an identity-centric approach and privileged access management controls will help your organization protect against the broadest range of attacks and go the furthest to reducing the attack surface. Here are some best practices:

1. Fully manage the identity lifecycle, including provisioning and de-provisioning of identities and accounts to ensure there are no orphaned accounts to hijack.
2. Use a password management solution to consistently apply strong credential management practices (discovery, vaulting, central management, check-in, check-out) for both humans and machines. This also entails eliminating default and hardcoded credential.
3. Enforce least privilege: Remove admin rights from users and reduce application and machine privileges to the minimum required. Just-in-time access should also be implemented to reduce persistent or standing privileges.
4. Apply advanced application control and protection to enforce granular control over all application access, communications, and privilege elevation attempts.
5. Monitor and manage all privileged sessions to detect and quickly address any suspicious activity that might indicate a hijacked account or an illicit attempt at privilege escalation or lateral movement.
6. Harden systems and applications: This complements the principle of least privilege and can involve configuration changes, removing unnecessary rights and access, closing ports, and more. This improves system and application security and helps prevent and mitigate the potential for bugs that leave vulnerability to injection of malicious code (i.e., SQL injections), buffer overflows, etc. or other backdoors that could allow privilege escalation.
7. Vulnerability management: Continuously identify and address vulnerabilities, such as with patching, fixing misconfigurations, eliminating default and/or embedded credentials, etc.
8. Secure remote access should always be monitored and managed for any form of privileged access since attacks can occur horizontally and vertically to exploit privileges.

Learn how BeyondTrust can protect you against privilege escalation attacks, lateral movement, and other privileged threats, including those arising from insecure remote access. Contact us today.

Related Reading on Protecting against Privilege-Based Threats

Cybersecurity Strategies to Stop Lateral Movement Attacks & Leave Your Adversaries Marooned (blog)

A Zero Trust Approach to Windows & Mac Endpoint Security (paper)

How to Achieve the NIST Zero Trust Approach with Unix & Linux Remote Access (paper)

Privileged Attack Vectors (book)