Heimdal
Admin rights are one of the most important and fundamental aspects of cybersecurity. Without elevated permissions, hackers will have a hard time stealing your data or disrupting your services.

For that reason, they’re often trying to gain access to an administrator account to successfully carry off whatever attack they’re planning.

That’s where privileged access management (PAM) comes in. But to really understand why PAM is so complex and important, we need to first discuss how and why hackers target privileged accounts.

In this blog, we discuss why admin rights are fundamental to cyber attacks and how hackers successfully exploit them.

PAM in Action: Why Admin Rights Are Fundamental to a Successful Attack

Privileged access management is the category of cybersecurity that focuses on managing and protecting extended admin rights.

This can be incredibly complex, because there is a wide range of different privileged account types.

And in today’s remote-first world, admins can log in from any device or location. This creates a unique opportunity for hackers trying to do the same.

Read more: A Guide to Effective Cloud Privileged Access Management

Whoever a hacker is and whatever their goals, they’re almost certainly going to need elevated privileges to successfully carry off their attack.


But not all elevated permissions are the same. In fact, there are various tiers of accounts, each with their own particular set of administrative access:

  • Standard business user: This is the most common account type. These users have no ability to access sensitive data or make changes to either their own devices or the wider network.
  • Privileged business user: Similar to standard user accounts, these generally have access to specific sensitive data, due to the job role of the user. Examples can include managers or HR teams having access to sensitive employee information, the finance team having access to the company books, or sales teams having customer contact details.
  • Local device admin: The most common form of admin. Here, the user has rights over their own device, including the ability to install software, manage local resources, and change device configurations.
  • Domain admin accounts: This includes administrative privileges over a whole domain. These users can manage privileges, add or remove users, and manage network-wide resources. If accessed, these accounts allow the hacker to do significant damage.
  • Superuser account: These are also known as root admin accounts. This account type is the highest level of privilege, with unrestrained access to files, assets, and data across an entire IT environment. They therefore pose the highest level of risk.

Read more: Privileged Accounts 101: Everything You Need to Know

The further down this list we travel, the higher the risk to your business if these accounts are infiltrated. But cyber threats can target every type of account. To understand how and why, we need to break down a hacker’s journey in more detail.

The Journey of a Hacker: From First Entry to Admin

Cyberattacks are complex and multi-faceted. Often, an attacker will first gain entry by infiltrating a standard user account, with few privileges. They do this because such accounts generally have the fewest security protections, making it much easier for them to evade detection. Then, they’ll aim to elevate their permissions as quickly as possible.

Here, Heimdal’s Andrei Hinodache explains how this lateral movement occurs and what hackers are looking to achieve at each stage of the process:

There are several techniques that hackers use to target both unprivileged and local admin accounts. Often they’ll use several of these techniques in combination to create a more complex and elusive attack.

  1. Phishing – This is probably the most common entry method. Here the hacker will direct the actual user of their target account to a webpage they’ve created, usually via a link sent to the email or SMS inbox. This site is generally designed to look like a legitimate login page, tricking the real user into entering their credentials and sending them over to the hacker.
  2. Social engineering – A range of similar tactics designed to trick the user into handing over their login details. This might involve the attacker impersonating a boss, IT admin, or other senior colleague in order to trick the user into revealing their password.
  3. Credential stuffing – These automated attacks take advantage of weak password policies to gain entry. Hackers may try common passwords (e.g. Password12345, LogMeIn, etc.) across all accounts. Alternatively, they may target a single account with many password attempts, often using credentials they know have been used elsewhere – in the hope that the user has reused them.
  4. Brute force – Hackers may also use one of several automated tools designed to generate random strings of characters at high volume. Such tools simply try different combinations until they find the right password.
  5. Software vulnerabilities – These may also be used to gain access, often by targeting vulnerabilities in web browsers or plugins. The hacker may also attempt to intercept network traffic to steal credentials or session tokens, known as man-in-the-middle attacks.
  6. Wi-Fi attacks – Public Wi-Fi networks are another key target. Some tools give hackers the ability to monitor unencrypted traffic on Wi-Fi networks. Otherwise, they may create a decoy hotspot to trick real users into logging in and entering login data.
  7. Insider threats – Sometimes, access is leaked via a rogue employee or contractor. These may be employees who only joined the company in order to gain insider access. Otherwise, it may involve legitimate employees who for one reason or another choose to abuse their access.
  8. Initial access brokers – Some hackers will gain access to credentials (often using other techniques on this list), and choose to sell them on the dark web, rather than conducting their own attack. Other hackers then purchase these details and use them as the basis for an attack.
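
Credential stuffing, password spraying and brute force (items 3 and 4 above) leave a recognisable footprint in authentication logs, and detecting that footprint is the defender's first line of response. The following is an added example, not code from the article or from Heimdal: it runs two sliding-window checks over a constructed log sample (the log format, IP addresses and usernames are all made up for illustration). One check flags a source that fails against many distinct accounts in a short window; the other flags a single account hit with many failures from one source. A user who mistypes once and then logs in is included to show that the thresholds do not fire on ordinary mistakes.

```python
"""Detect password spraying / credential stuffing and single-account brute force in
authentication logs. Added example (not from the original article); the log
format and all sample lines below are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
_LINES = [
    # one source tries five different accounts in a few seconds (spraying / stuffing)
    "2024-05-01T09:00:01 203.0.113.7 alice FAIL",
    "2024-05-01T09:00:02 203.0.113.7 bob FAIL",
    "2024-05-01T09:00:03 203.0.113.7 carol FAIL",
    "2024-05-01T09:00:04 203.0.113.7 dave FAIL",
    "2024-05-01T09:00:05 203.0.113.7 erin FAIL",
    "2024-05-01T09:00:06 203.0.113.7 frank OK",
    # a user who mistypes once and then logs in: must not be flagged
    "2024-05-01T09:30:00 192.0.2.5 carol FAIL",
    "2024-05-01T09:30:20 192.0.2.5 carol OK",
]
# one source hammers a single account 25 times in 25 seconds (brute force)
_LINES += [f"2024-05-01T09:10:{i:02d} 198.51.100.9 alice FAIL" for i in range(25)]
SAMPLE_LOG = "\n".join(_LINES)


def parse_log(text):
    """Parse log lines into dicts with a datetime timestamp; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "result": result})
    return events


def _failures_by(events, key):
    """Group failed logins by `key(event)` and sort each group by time."""
    groups = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            groups[key(e)].append(e)
    for fails in groups.values():
        fails.sort(key=lambda e: e["ts"])
    return groups


def detect_password_spraying(events, window=timedelta(minutes=5), min_users=5):
    """Return source IPs whose failed logins within `window` touch >= min_users distinct accounts."""
    flagged = set()
    for ip, fails in _failures_by(events, lambda e: e["ip"]).items():
        in_window = Counter()   # distinct usernames currently inside the sliding window
        start = 0
        for e in fails:
            in_window[e["user"]] += 1
            while e["ts"] - fails[start]["ts"] > window:   # slide the window forward
                old = fails[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_users:
                flagged.add(ip)
                break
    return flagged


def detect_brute_force(events, window=timedelta(minutes=5), min_failures=20):
    """Return (ip, user) pairs with >= min_failures failed logins inside `window`."""
    flagged = set()
    for key, fails in _failures_by(events, lambda e: (e["ip"], e["user"])).items():
        start = 0
        for end, e in enumerate(fails):
            while e["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_failures:
                flagged.add(key)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_password_spraying(evs))
    print("brute-forced accounts:", detect_brute_force(evs))
```

The two thresholds (5 distinct accounts, 20 failures, both within 5 minutes) are starting points, not recommendations; tune them against your own baseline of failed logins so that lockout policies and alerts trigger on attack patterns rather than on Monday-morning typos.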


Whichever of these techniques the hacker uses, the goal is clear: to first gain entry into an environment and then acquire admin rights. Once they’ve done that, the hacker is in business.

See It In Action: How Hackers Accumulate Extra Privileges

Using the techniques in the last section, the hacker can both infiltrate an IT environment and gain access to a local admin account.

Once they’ve climbed onto this first admin tier, there is a whole range of techniques they can use to both further plan their attack and cover their tracks.

But they’re not done yet. If the hacker wants to do serious damage, they’ll likely need to accumulate even more privileges.

“Let’s say I’m a hacker who’s gotten my hands on local admin rights. What do I do next?

Local admin rights on their own aren’t enough. If I’m a cyber attacker, I want to launch a large-scale attack on your entire environment. Local admin rights aren’t enough to make you pay me money or help me further sell this access online. So now, I need to go a step further.”

Andrei Hinodache, Cybersecurity Architect & Technical Product Marketing Manager, Heimdal

Let’s take a deeper look at one tactic the hacker may use in this instance: active memory scraping. This is a technique used to gain access to additional (ideally privileged) accounts, thus gaining even more admin rights.

Here’s a quick summary of Andrei’s demonstration from the webinar:

  • When the hacker has local admin rights, they can retrieve information from the device’s active memory.
  • They’ll generally do this by extracting what’s called an ‘LSASS memory dump’. This will include a vast swathe of information about the recent activity of any users who have logged in since the RAM was last wiped.
  • Most importantly, this includes password hashes. These are encrypted versions of users’ login credentials. The Windows operating system often saves these in active memory to avoid users having to repeatedly log into the same system.
  • From here, there are a number of techniques a hacker can use to recover the plain-text password from the hash. These include brute force (using automated bots to generate random combinations until they find the right answer), or using a ‘rainbow table’, a precomputed lookup of plain-text passwords beside their hashes.
  • Hashes are often generated using a specific formula or sequence, meaning cracking one or two hashes can give the hacker access to all passwords they have hashes for.
  • Increasingly, hackers also use a technique called ‘pass the hash’, meaning they can use the hash itself for authentication without decrypting the plain text password.
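
Because the dump described above requires opening a handle to the LSASS process with memory-read rights, that handle request is one of the most reliable places to detect it. The following is an added example, not code from the article, the webinar or Heimdal: it triages Sysmon-style ProcessAccess (Event ID 10) records and flags any process outside a small allowlist that obtains read, write or thread-creation rights on lsass.exe. The event records and the allowlist are constructed for illustration; the access-right constants are the documented Windows values.

```python
"""Flag suspicious handle access to lsass.exe in Sysmon-style ProcessAccess (Event ID 10)
records. Added example (not from the original article); the events below are constructed,
not captured from a real host, and the allowlist is a hypothetical starting point."""
import ntpath

# Windows process access rights (documented constants). These bits allow reading or
# writing LSASS memory, which is exactly what a credential dump needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
SENSITIVE_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE

# Hypothetical allowlist of OS components that legitimately open LSASS; tune per environment
# and, in production, compare full paths plus signer rather than path alone.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
}

# Constructed Sysmon Event ID 10 records (field names mirror the real schema:
# SourceImage, TargetImage, GrantedAccess as a hex string).
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\dumper.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\dumper.exe",
     "TargetImage": r"C:\Windows\system32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\system32\cmd.exe"},   # different event type, ignored
]


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process obtains read/write/thread rights on lsass.exe."""
    if event.get("EventID") != 10:
        return False
    # ntpath handles Windows backslash paths even when this script runs on Linux
    if ntpath.basename(event["TargetImage"]).lower() != "lsass.exe":
        return False
    granted = int(event["GrantedAccess"], 16)
    if not granted & SENSITIVE_MASK:
        return False   # query-only access, as a process viewer might request
    return event["SourceImage"].lower() not in ALLOWLIST


def triage(events):
    """Return (source process, granted access) for every suspicious LSASS access."""
    return [(e["SourceImage"], e["GrantedAccess"])
            for e in events if is_suspicious_lsass_access(e)]


if __name__ == "__main__":
    for src, access in triage(EVENTS):
        print(f"ALERT: {src} opened lsass.exe with access {access}")
```

Only the unknown binary in a user's Downloads folder is reported: the system service is allowlisted, the process viewer asked for query-only rights, and the same binary opening notepad.exe is irrelevant to this rule. Pair a rule like this with the platform mitigations that make the dump harder in the first place (LSA protection, Credential Guard) rather than relying on detection alone.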

This is just one way that hackers accumulate additional privileges once they’ve gained local admin rights. So what do they do next?

What Do Hackers Do With Compromised Admin Credentials?

The ultimate goal of most hackers is to install ransomware, retrieve sensitive information (often to sell on the dark web), or take down the target organization’s critical infrastructure.

But here’s the challenge: Your average business user rarely has the privileges required to carry out these actions. Even if the hacker has local admin rights, they still probably don’t have the access they need to successfully execute their plan.

While local admins can’t install network-wide ransomware or disable mission-critical servers, there are a number of privileges they do have that hackers may be looking to take advantage of. Generally, the goal at this stage is to aid a wider attack by accumulating extra privileges, performing reconnaissance, or covering their own tracks.

Here are the most important actions a hacker might take after accumulating local admin rights:

  • Alter registry entries – This is one popular action a hacker can take after gaining local admin rights. Registry entries govern access rights on specific devices, and are designed to be governed centrally by IT teams – via Group Policy Objects. By altering these registry entries, the hacker can accumulate additional privileges.
  • Install additional programs – The hacker may also choose to install software onto the local device at this point; usually some form of malware. This could be keylogging software designed to record the credentials of anybody who logs in, or malware that can retrieve information from the active memory. It could also include any number of other programs designed to help achieve the other actions on this list.
  • Disable defenses – At this point, the hacker will want to understand more about the cybersecurity protections in place and disable as many of them as possible. One worrying recent example of this is the EDR terminator, a piece of malware hackers can buy on the dark web, which effectively disables EDR tools like Crowdstrike. Here’s a demonstration of this below:
  • Lateral movement – This is an umbrella term for any actions the hacker might take to retrieve information or further escalate their own privileges. This may involve a series of scans designed to identify security defenses or additional assets to compromise.
  • Change system/device configurations – The hacker might also look to change system settings or configurations. One example might be configuring the device to automatically open malware like keylogging software whenever it starts.
  • Remove evidence – The hacker will likely also want to remove any evidence of their activities. This will ensure they remain undetected until after the attack has been successfully completed. It will also make it much harder for the organization to understand when, where, and how the hacker infiltrated after the damage has been done.
  • Impersonate root or domain admin – This is the most dangerous action a hacker can take, and is often the ultimate goal. It effectively involves elevating the hacker’s own privileges to the maximum possible level, giving them unrestricted authority over the entire IT domain or network. At this point, they can change access settings, retrieve sensitive information, install ransomware, or carry out any number of dangerous actions.

Once the hacker has completed one or more of these tasks, there is a good chance they’re ready to carry out the attack.



How to Secure Privileged Accounts And Prevent Lateral Movement

In this blog, we’ve largely focused on the tools and techniques that hackers use to infiltrate and move through IT environments. As you’ll have noticed, there are a lot of tools at their disposal.

This raises the question: How do you defend against the various techniques we’ve described?

Read more: Effective Privileged Access Management Implementation: A Step-by-Step Guide

First and foremost, you need to reduce admin rights as much as possible, following the principle known as least privilege. This is particularly the case with local admin rights, which have a tendency to spread across an organization. The fewer privileged accounts you have, the harder it will be for hackers to access them.

But you also need the right security tools. The most up-to-date privileged access management tools include a range of features designed to secure admin accounts and prevent lateral movement. This includes:

  • Privileged account audit: Detect all privileged user and service accounts, including unknown accounts. This gives you the information you need to enforce least privilege by removing unnecessary privileges.
  • Just-in-time access: An advanced PAM feature. This allows IT teams to provision and revoke admin rights on a case-by-case basis, avoiding the need for certain accounts to have ‘always on’ access. Crucially, this access can be revoked if suspicious behavior is detected.
  • Privileged session management: Most modern PAM tools also include tools to monitor the activity of privileged users. Using anomaly detection, they can often detect suspicious behavior such as lateral movement or escalation of privilege.
  • Role-based access controls: This allows IT teams to provision or remove admin rights centrally, based on the needs of specific users’ job roles. This makes it easier to reduce unnecessary admin accounts and enforce least privilege.
  • Advanced password management: Many of the hacking techniques in this blog can be prevented with up-to-date password policies. These can include multi-factor authentication, password vaulting, encryption, password rotation, and more. The best PAM tools offer a range of options that allow IT teams to create and configure effective and secure password policies.
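
Just-in-time access and session-driven revocation, as described in the list above, come down to a small amount of state that any access broker has to get right: a grant that expires on its own, a cap on how long it can live, a mandatory justification for the audit trail, and a hook that pulls every active grant for a user the moment monitoring reports something suspicious. The following is an added example that models exactly that; it is not Heimdal’s product code, and the users, role names and ticket references are constructed placeholders. A fake clock is injected so the expiry behaviour can be exercised deterministically.

```python
"""Minimal model of just-in-time (JIT) privileged access: time-boxed grants that expire on
their own and are revoked when a risk signal arrives. Added example (not Heimdal's product
code); the users, roles and ticket references are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime
    justification: str
    revoked_reason: str = ""   # empty while the grant is still valid


class JitAccessBroker:
    """Hands out short-lived role grants and keeps an audit trail of every decision."""

    def __init__(self, now_fn=None, max_ttl=timedelta(hours=1)):
        self._now = now_fn or (lambda: datetime.now(timezone.utc))
        self._max_ttl = max_ttl      # hard cap: no grant outlives this, whatever was requested
        self._grants = {}            # (user, role) -> Grant
        self.audit = []              # (timestamp, action, user, role, detail)

    def _log(self, action, user, role, detail=""):
        self.audit.append((self._now(), action, user, role, detail))

    def request(self, user, role, ttl, justification):
        """Grant `role` to `user` for `ttl` (capped); a justification is mandatory."""
        if not justification.strip():
            raise ValueError("a justification is required for privileged access")
        ttl = min(ttl, self._max_ttl)
        now = self._now()
        grant = Grant(user, role, now, now + ttl, justification)
        self._grants[(user, role)] = grant
        self._log("GRANT", user, role, f"ttl={ttl}, reason={justification}")
        return grant

    def has_access(self, user, role):
        """Access exists only while the grant is unexpired and not revoked."""
        g = self._grants.get((user, role))
        return g is not None and not g.revoked_reason and self._now() < g.expires_at

    def remaining(self, user, role):
        """Time left on the grant, or zero if there is none."""
        g = self._grants.get((user, role))
        return max(g.expires_at - self._now(), timedelta(0)) if g else timedelta(0)

    def revoke(self, user, role, reason):
        g = self._grants.get((user, role))
        if g is None or g.revoked_reason:
            return False
        g.revoked_reason = reason
        self._log("REVOKE", user, role, reason)
        return True

    def on_risk_signal(self, user, signal):
        """Pull every active grant for `user` when session monitoring reports suspicious behaviour."""
        count = 0
        for (u, role) in list(self._grants):
            if u == user and self.has_access(u, role):
                self.revoke(u, role, f"risk signal: {signal}")
                count += 1
        return count


def run_scenario():
    """Walk one user through grant, expiry, TTL capping and revocation on a fake clock."""
    clock = [datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)]
    broker = JitAccessBroker(now_fn=lambda: clock[0])
    broker.request("alice", "local-admin", timedelta(minutes=30), "change ticket CHG-0001 (placeholder)")
    during = broker.has_access("alice", "local-admin")
    clock[0] += timedelta(minutes=31)                    # the grant silently expires
    after_expiry = broker.has_access("alice", "local-admin")
    broker.request("alice", "local-admin", timedelta(hours=8), "CHG-0002 (placeholder)")
    capped_ttl = broker.remaining("alice", "local-admin")  # 8h request is capped to 1h
    revoked = broker.on_risk_signal("alice", "lateral movement detected")
    after_revoke = broker.has_access("alice", "local-admin")
    return {"during": during, "after_expiry": after_expiry, "capped_ttl": capped_ttl,
            "revoked": revoked, "after_revoke": after_revoke, "audit_entries": len(broker.audit)}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the model is that nothing is ‘always on’: an admin grant without a fresh request is simply absent, an over-long request is quietly shortened, and a risk signal from session monitoring closes access without waiting for a human to notice. Every transition lands in the audit list, which is what a reviewer or auditor later needs to reconstruct who held what, when, and why.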

Want to find out more about effective PAM features? Check out our recent full product page to find out more.

Heimdal®: A Unique Approach to Privileged Access

Here’s the secret to effective privileged access management: It’s not all or nothing. There are lots of techniques and features that can help you govern access to the most sensitive assets and data.

There’s no silver bullet here, and the right solution is going to be different for every company.

That’s why it’s so important to create a layered approach with multiple PAM defenses across your privileged accounts.


At Heimdal®, we take a different approach: our entire range of privileged access management (PAM) tools is available through one simple PAM module. This includes:

  • Enterprise credential vault: A secure vault to ensure passwords are safely monitored, stored, and managed.
  • Session monitoring: Real-time session analytics, recording, and playback – offering unique insights into the behavior of privileged users and simplified auditing and compliance.
  • Advanced role-based access controls: Through an intricate RBAC system, you can optimize permissions management and minimize the risk of over-privileged accounts.
  • Just-in-time access: Dynamically grant or revoke access based on contextual signals, ensuring privileged accounts can still be locked down if certain risks are detected.

All of this is available through the PAM module on our XDR platform.


Frequently Asked Questions: Admin Rights And Privileged Access Management

What do you need admin rights for?

Certain business users will always require elevated permissions for a particular task associated with their job. This could include the ability to access sensitive information, such as employee or customer contact details, or company finance information. It could also include the ability to modify IT assets and install software, either on a single device or across an entire domain or network. Often, administrator rights are given to users who don’t need them simply to avoid an impact on user productivity.

Why do hackers need admin rights?

Admin rights give hackers the ability to perform a wide range of actions. This includes altering registry entries, installing malware, altering network security settings, disabling defenses, lateral movement, removing evidence, and gaining additional privileges. All of this helps them plan their attack and cover their tracks.

How do hackers gain admin accounts?

There are several techniques that hackers use to gain elevated permissions, either on a local, domain, or root level. This can include phishing, social engineering, credential stuffing, brute force attacks, exploiting software vulnerabilities, purchasing stolen logins on the dark web, and more.

Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
