
Privilege escalation can be a confusing cybersecurity term, so this article sheds some light on it. Keep reading to find out what privilege escalation is, which types of privilege escalation exist, how privilege escalation attacks look on Windows and Linux, and which best practices prevent them.

What Is Privilege Escalation?

In cyber-lingo, privilege escalation is the abuse of an application or operating-system bug, design flaw, or configuration error to obtain rights the attacker's current account should not have. That usually means reaching sensitive information, or the ability to modify it, that is reserved for a more privileged account: either by taking over such an account, or by expanding the rights of the account the attacker already controls.

With these rights, a malicious actor can run commands on the operating system or server, plant malware that then spreads through the network, and cause business disruption, exposure of sensitive data or system resources, or even complete system takeover. In short, privilege escalation is the misuse of privileges the attacker was never granted.

How Privilege Escalation Works

To perform a privilege escalation attack, a threat actor must first get a foothold in the targeted network, usually by exploiting a vulnerability or through social engineering. From there it can go two ways: either the attacker lands on a privileged account from the start, or, more often, gains access to a standard user account in the initial phase. In the second scenario the attacker performs reconnaissance on the network until it is time for the next move: gaining access to a privileged account, meaning an account with rights beyond those of a standard user, such as access to critical data and infrastructure within the organization.

Privilege Escalation Types

Privilege escalation can be split into two types: vertical privilege escalation and horizontal privilege escalation. In VPE (vertical privilege escalation), the attacker aims at obtaining higher privileges than the compromised account has, up to administrator, SYSTEM or root. In HPE (horizontal privilege escalation), the attacker stays at the same privilege level but takes over another user's account or data. Both are achieved by exploiting vulnerabilities or misconfigurations in the operating system, in applications, or in the way access is granted.

Vertical Privilege Escalation

Vertical privilege escalation, also known as privilege elevation, refers to an attack that starts from a point of lower privilege and raises the attacker's privileges until it reaches the level of the user or process it targets.

This type of attack takes advantage of the fact that most systems and networks are layered: a standard user, a local administrator, SYSTEM or root, and the kernel each have more power than the one below, and a flaw at any of those boundaries lets an attacker cross it. The attacker starts from the lowest foothold obtained (a phished user account, a compromised service account) and uses a bug or misconfiguration to reach a more privileged context, often administrator, SYSTEM or root. Once there, every other account on the host can be compromised, because root-level access is not gated by those accounts' passwords.

In vertical privilege escalation, you are dealing with 'accountphage' behavior: the hacker chews the legitimate user out of the account, or out of the privilege level that account was supposed to guard.

From there, a hacker can steal sensitive data and credentials, download and deploy ransomware payloads, delete files, or execute arbitrary commands.

What's more, the attacker can leave without being noticed by deleting the traces left behind, such as access logs. You won't even know the attacker was there, which delays the discovery of the breach, makes recovery harder, and gives the intruder more time to get whatever they want from the business. This is one reason logs should be forwarded to a central collector that a compromised host cannot alter: wiping a local log is itself an event worth alerting on.

Vertical Privilege Escalation Example

Let's say that user A, who works for company XYZ, has been given access to a financial database. Because user A is a finance officer, A is cleared to perform a set of company-defined operations on the financial database (e.g., read, write, open, but not delete). Fellow B, who is in no way affiliated with XYZ, wishes to tap into the company's financial database for whatever nefarious purpose.

Using various TTPs, B first gets a foothold inside XYZ as an ordinary, low-privileged user, then takes over user A's account and gains the finance officer's access to the database. Moving from that low-privileged foothold to A's rights is a textbook example of vertical privilege escalation.

Horizontal Privilege Escalation

Horizontal privilege escalation means that the attacker gains the access permissions of another user who sits at the same privilege level as the account the attack started from.

Horizontal privilege escalation can be harder to spot than vertical escalation, because no account gains rights it isn't supposed to have; the attacker merely acts as a peer.

In horizontal privilege escalation you don't need to elevate rights, because the account you are about to take over holds exactly the same class of access as the one you already control. What you need is a weakness that lets one account act as another: stolen or reused credentials, a hijacked session, or an application that never checks which user a record belongs to. In vertical privilege escalation you must take over an account and, at the same time, elevate its privileges. That sounds like 'Mission Impossible', but it is very doable with the right tools: in most cases the attacker relies on phishing or spear-phishing to get onto the victim's machine, then on exploitation frameworks such as Metasploit to reach SYSTEM-level (root) access. And that's where the fun begins.
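The difference between the two types is easiest to see as two distinct authorization failures. The Python below is an added example, not code from the original article: a constructed record store with three roles (user, finance, admin), a deliberately broken access check that only verifies that someone is logged in, and a hardened check that names which boundary a request crosses. The users, roles and record names are constructed; an OS-level attack crosses the same two boundaries, only the "records" are files, processes and accounts.

```python
"""Vertical vs horizontal privilege escalation shown as two distinct
authorization failures. Added example, not code from the original article;
users, roles and record names are constructed."""
from dataclasses import dataclass

ROLE_RANK = {"user": 0, "finance": 1, "admin": 2}


@dataclass(frozen=True)
class User:
    name: str
    role: str   # one of ROLE_RANK


# Constructed resource table: record -> owner and the minimum role it requires.
RECORDS = {
    "payroll-2023":  {"owner": "alice", "min_role": "finance"},
    "expense-bob":   {"owner": "bob",   "min_role": "user"},
    "expense-carol": {"owner": "carol", "min_role": "user"},
}


def read_record_vulnerable(requester: User, record_id: str) -> bool:
    """Checks only that *some* authenticated caller asked, never who or for what.
    Any user can read any record, which enables both escalation types."""
    return requester is not None and record_id in RECORDS


def classify_escalation(requester: User, record_id: str) -> str:
    """Names the boundary a request crosses: 'vertical' when the caller lacks
    the role the record demands, 'horizontal' when the caller has the right
    level but reaches into a peer's record, 'none' when the request is fine."""
    rec = RECORDS[record_id]
    if ROLE_RANK[requester.role] < ROLE_RANK[rec["min_role"]]:
        return "vertical"
    if requester.role != "admin" and rec["owner"] != requester.name:
        return "horizontal"
    return "none"


def read_record_hardened(requester: User, record_id: str) -> bool:
    """Allows the read only when neither boundary is crossed."""
    if record_id not in RECORDS:
        return False
    return classify_escalation(requester, record_id) == "none"


if __name__ == "__main__":
    bob, alice = User("bob", "user"), User("alice", "finance")
    for who, rec in ((bob, "expense-carol"), (bob, "payroll-2023"),
                     (alice, "payroll-2023")):
        print(f"{who.name:>5} -> {rec:13}: "
              f"vulnerable={read_record_vulnerable(who, rec)}, "
              f"hardened={read_record_hardened(who, rec)}, "
              f"escalation={classify_escalation(who, rec)}")
```

Bob reading Carol's expense record is horizontal (same level, wrong owner); Bob reading payroll is vertical (a role he does not hold). The hardened check evaluates the role boundary before the ownership boundary, so a request that fails both is reported as the more severe vertical case.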

Privilege Escalation Risks: Why Is It Important and Dangerous?

Privilege escalation is one of the most dangerous types of attacks in cyber security because it can hand attackers control over large parts of an organization's IT infrastructure, and in the worst case all of it.

It lets your sensitive data fall in the wrong hands

The major risk associated with privilege escalation is that a malicious hacker has gained access to sensitive and confidential data he should never have been able to reach.

It can be the path to other cyberattacks

Even though a privilege escalation attack by itself poses a risk to your organization's infrastructure, it is more often a step on the path to other attacks, through which threat actors deploy a malicious payload on the targeted system. So, whenever privilege escalation is detected, look further into the problem: search for indicators of malicious activity to see whether the intrusion goes deeper into the organization's systems.

Privilege Escalation Attack Examples

I've described above how privilege escalation works in general. Now let's look at the practical side, with attack examples per operating system. In the following lines I give examples of Windows privilege escalation attacks and of Linux privilege escalation attacks, each with recommended mitigation measures.

Windows Privilege Escalation

Windows privilege escalation can be achieved in many ways. Let's see four examples of Windows privilege escalation attacks and what you can do about them.

Windows Sticky-Key Attack

The so to say "beauty" of this kind of privilege escalation attack lies in its simplicity: a hacker doesn't need to be especially computer-savvy to carry it out. Here's the gig. Sticky Keys is an accessibility feature that can be triggered at the Windows logon screen by pressing Shift five times, which launches C:\Windows\System32\sethc.exe as SYSTEM. An attacker with offline access to the disk (a boot USB) or an earlier administrator session replaces sethc.exe with cmd.exe, or points the Image File Execution Options "Debugger" key for sethc.exe at cmd.exe. The next time Shift is pressed five times at the logon screen, a SYSTEM command prompt appears before anyone has authenticated. Sounds crazy, but it really works. From there, the attacker can create a (fake) admin account, install a backdoor, and much more.

Windows Sticky Key Attack Mitigation Measure: prevent the launch of Sticky Keys from the logon screen. Go to HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys\Flags in the Windows registry and change the value from "510" to "506", which clears the hotkey bit so the five-Shift shortcut no longer triggers the feature (apply the same change to the default user profile so it covers the logon screen). This does not stop an attacker with physical access from replacing sethc.exe from a boot disk, so also enable BitLocker full-disk encryption on the Windows partition, and monitor for shells spawned by winlogon.exe and for changes to the Image File Execution Options keys of the accessibility binaries.

Credential Dumping or Also Known as Purloining Stored Credentials

Credential dumping is a tried-and-tested way of recovering (hashed, and sometimes plaintext) credentials from key system locations. Compared to the sticky-key attack, credential dumping is a bit more challenging, since it requires tools, time and, of course, the nose of a bloodhound. So, how does it work? Well, every Windows machine caches login credentials in several places: the memory of the LSASS process, the local SAM database, the LSA secrets in the SECURITY hive, cached domain logons, and, on a domain controller, the NTDS.dit database. Basically, if you know where to look, and hold the administrator or SYSTEM rights needed to look there, you can pull out admin password hashes, master passwords for local password vaults, and so on.

The hacker may still need to crack those hashes, but often doesn't have to: NTLM hashes can be replayed directly in pass-the-hash attacks. Think of it this way: credential dumping is like searching every trash can in your city, hoping that you come across a piece of paper that holds the key-code to the warehouse housing your dream PC.

Credential Dumping Attack Mitigation Measure: increase password length and complexity; enable PPL (Protected Process Light) for LSA via the RunAsPPL registry value, or Credential Guard where the hardware supports it; protect and audit domain controller backups (they contain NTDS.dit); restrict or disable NTLM; and add privileged users to the Protected Users group in Active Directory.
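Both techniques above leave recognisable traces in process and registry telemetry. The Python below is an added detection example, not code from the original article or from Heimdal: it runs two rules over Sysmon-style events, one for accessibility-feature hijacking (ATT&CK T1546.008, the Sticky Keys case) and one for processes reading LSASS memory (ATT&CK T1003.001, credential dumping). The field names EventID, Image, ParentImage, TargetObject, SourceImage, TargetImage and GrantedAccess follow Sysmon's schema; the sample events and the allowlist of processes that may touch LSASS are constructed assumptions you would tune for your own environment.

```python
"""Two Sysmon-style detections: accessibility-feature hijack (sticky keys)
and LSASS memory access (credential dumping). Added example, not code from
the original article. Sample events and the LSASS allowlist are constructed."""
import json
import ntpath

ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Processes that legitimately read LSASS on a typical host (assumption:
# tune this allowlist to what actually runs in your environment).
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
PROCESS_VM_READ = 0x0010   # the access right a memory dumper cannot do without


def _basename(path):
    return ntpath.basename(path).lower()


def detect_accessibility_hijack(ev):
    """Sysmon 13 (RegistryValueSet): an IFEO Debugger value for an
    accessibility binary makes Windows launch the attacker's program instead.
    Sysmon 1 (ProcessCreate): a shell whose parent is winlogon.exe means
    someone obtained a console from the logon screen."""
    if ev.get("EventID") == 13:
        parts = ev.get("TargetObject", "").lower().split("\\")
        if ("image file execution options" in parts and parts[-1] == "debugger"
                and parts[-2] in ACCESSIBILITY_BINARIES):
            return "IFEO debugger set for " + parts[-2]
    if ev.get("EventID") == 1:
        if (_basename(ev.get("ParentImage", "")) == "winlogon.exe"
                and _basename(ev.get("Image", "")) in SHELLS):
            return "shell spawned by winlogon.exe: " + ev["Image"]
    return None


def detect_lsass_access(ev):
    """Sysmon 10 (ProcessAccess): anything outside the allowlist that opens
    lsass.exe with PROCESS_VM_READ is a credential-dumping candidate."""
    if ev.get("EventID") != 10:
        return None
    if _basename(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    source = _basename(ev.get("SourceImage", ""))
    if granted & PROCESS_VM_READ and source not in LSASS_READERS_ALLOWED:
        return f"{source} opened lsass.exe with 0x{granted:x}"
    return None


RULES = (("T1546.008 accessibility hijack", detect_accessibility_hijack),
         ("T1003.001 LSASS memory access", detect_lsass_access))


def scan(jsonl):
    """Runs every rule over each JSON-lines event; returns (rule, reason) hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, rule in RULES:
            why = rule(ev)
            if why:
                hits.append((name, why))
    return hits


# Constructed events: one IFEO hijack, one logon-screen shell, one benign
# shell, one suspicious LSASS open, one allowlisted Defender LSASS open.
SAMPLE_EVENTS = r"""
{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger", "Details": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\winlogon.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "XYZ\\alice"}
{"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\m.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"}
"""

if __name__ == "__main__":
    for name, why in scan(SAMPLE_EVENTS):
        print(f"[{name}] {why}")
```

The LSASS rule keys on the PROCESS_VM_READ bit rather than on a fixed mask such as 0x1010, because dumpers request different combinations; the allowlist, not the mask, is what keeps antivirus engines and system processes from paging you. The explorer-spawned cmd.exe is deliberately left alone: the signal is the parent process at the logon screen, not the shell itself.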

Access Token Manipulation

Through token manipulation, an attacker can perform three types of privilege escalation technique, as Red Team Notes describe in their article. Token theft (token impersonation): the attacker duplicates the access token of an existing process that runs as a more privileged user and impersonates it, so code runs in that user's security context. Create process with token: the attacker uses a stolen or duplicated token to start a new process on the victim's machine, which then operates under the legitimate security context associated with that user. Make and impersonate token: if the attacker holds a user's credentials, the LogonUser Win32 API function creates a new logon session for that user and hands back a copy of the session's token, which can then be assigned to a thread. All three require the attacker to already hold a right such as SeImpersonatePrivilege or SeDebugPrivilege on the host, which is why service accounts that carry those rights are popular targets.

Access Token Manipulation Prevention Measure: restrict which users and groups hold the "Create a token object" and "Replace a process level token" user rights, and keep SeImpersonatePrivilege off service accounts that don't need it. Enforce the least-privilege principle and police admin accounts.

NTLM Relay or Hot Potato Attack

The Hot Potato attack is a sophisticated local attack that chains NTLM relay with a local NBNS spoofer. The goal is to obtain NT AUTHORITY\SYSTEM privileges on the victim's machine. "Hot-potatoing" a target is a triphasic process: spoofing NBNS replies so the host resolves the WPAD name to the attacker's local listener, serving a fake WPAD proxy configuration from that listener, and then relaying, man-in-the-middle style, the NTLM authentication that a SYSTEM-level service (such as Windows Update) sends through the proxy to the local SMB service. The result: the victim's machine authenticates as SYSTEM to the attacker, who uses the relayed authentication to run commands with system-level privileges.

Hot Potato Attack Prevention Measure: Microsoft addressed the local NTLM relay used by Hot Potato in the MS16-075 update, so keep Windows patched. In addition, enable SMB signing, disable WPAD auto-discovery and NetBIOS name resolution (NBNS) where they are not needed, and restrict or disable NTLM.

Linux Privilege Escalation

When talking about Linux privilege escalation, hackers start with a process dubbed "enumeration", which helps them find the weaknesses that will later permit a privilege escalation attack. A series of automated tools is employed for this. Threat actors learn more about the system through port scanning, web searches, or direct interaction with the host, and they look for available interpreters and compilers such as Perl, Python or gcc, which let them run or build exploit code on the system.

Two techniques are commonly associated with Linux privilege escalation, and we'll look at both: kernel exploits and sudo rights exploitation.

Kernel Exploit

A kernel exploit attack is possible when there are flaws in the Linux kernel that let the hacker abuse them to gain root access on the system.

Kernel Exploit Mitigation Measure: according to MITRE ATT&CK, Linux updates and kernel patches should be installed in a timely manner. Tools that permit file transfer, such as ftp, scp or curl, should be restricted, removed, or limited to a handful of users or IPs, to make it harder to bring an exploit onto the host.

SUDO Rights Exploitation

What is sudo? It is the Linux program that lets specified users run programs with the privileges of another user, typically root, as permitted by rules in the sudoers file. The risk is that a rule which is too broad lets a user execute commands with root privileges that were never intended.

Sudo Rights Exploitation Mitigation Measure: according to MITRE ATT&CK, never grant sudo rights to compilers, interpreters, or editors, nor to any program that can spawn a shell, since each of them turns a single allowed command into a root shell. Pin the exact command line, avoid wildcards and NOPASSWD, and review the sudoers file regularly.
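The mitigation above is easy to state and easy to get wrong in a large sudoers file, so here is an added example (not code from the original article) that audits the output of `sudo -l` for the rule shapes that matter: commands that can spawn a shell or read and write arbitrary files, wildcards in arguments, NOPASSWD, and the catch-all ALL. The listing for the hypothetical user "alice" on host01 is constructed, and the shell-escape list is a subset of the publicly documented GTFOBins entries, not an exhaustive one.

```python
"""Audit of 'sudo -l' output for rules that hand a user a root shell.
Added example, not code from the original article; SAMPLE_SUDO_L is a
constructed listing for a hypothetical user 'alice'."""
import re

# Binaries that can spawn a shell, or read/write arbitrary files, when run
# through sudo (a subset of the well-known GTFOBins list).
SHELL_ESCAPES = {
    "vim", "vi", "nano", "less", "more", "man", "find", "awk", "gawk",
    "perl", "python", "python3", "ruby", "gcc", "make", "env", "bash",
    "sh", "zsh", "tar", "zip", "tee", "cp", "mv", "dd",
}

# One sudoers rule as 'sudo -l' prints it: "(runas) TAG: TAG: command args".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(output):
    """Returns one dict per rule line; header and Defaults lines are skipped."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append({
            "runas": m.group("runas").split(":")[0].strip(),
            "tags": tags,
            "cmd": m.group("cmd").strip(),
        })
    return rules


def assess(rule):
    """Lists why a rule is dangerous; an empty list means no known issue."""
    cmd, runas = rule["cmd"], rule["runas"]
    if cmd == "ALL":
        # Nothing else matters: 'sudo -i' or 'sudo su' gives a root shell.
        return [f"ALL: unrestricted commands as {runas}, i.e. a root shell"]
    findings = []
    binary = cmd.split()[0].rsplit("/", 1)[-1]
    if binary in SHELL_ESCAPES:
        findings.append(f"{binary}: can spawn a shell or read/write files as {runas}")
    if "*" in cmd:
        findings.append("wildcard in arguments: extra arguments can be injected")
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: usable without the user's password, "
                        "so a hijacked session or stolen key is enough")
    return findings


def audit(output):
    """Pairs every parsed rule with its findings."""
    return [(r["cmd"], assess(r)) for r in parse_sudo_l(output)]


# Constructed 'sudo -l' output for the hypothetical user alice on host01.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on host01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host01:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/find
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) /usr/bin/tar -czf /backup/*.tgz /var/www
    (ALL : ALL) ALL
"""

if __name__ == "__main__":
    for cmd, findings in audit(SAMPLE_SUDO_L):
        print(f"[{'BAD' if findings else 'OK '}] {cmd}")
        for f in findings:
            print(f"        - {f}")
```

Note that the pinned `systemctl restart nginx` rule is reported only for NOPASSWD: a fully specified command line is the shape you want, and the remaining finding is a judgment call about whether that action should be possible from an unattended session. The tar rule shows why wildcards matter even on a seemingly harmless backup job.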


How to Prevent Privilege Escalation Attacks?

Use an automated Privileged Access Management solution

A good defense against privilege escalation always starts with a good privileged access management strategy. This can only be truly efficient with an automated tool that helps you monitor and protect privileged accounts from both insider and external threats. An automated PAM tool like Heimdal™ Privileged Access Management lets you escalate and de-escalate rights from anywhere in the world from your Heimdal™ Dashboard, and even from your phone; you can customize your PAM interface by establishing approval/denial flows, and individual rights can be set per escalation period or per AD group.

It also features detailed incident reports that help both with audit requirements and with investigating what happened on a machine.

It is recommended to use it with Heimdal™ Application Control, which lets you block or allow application execution in various ways: by file path, certificate, vendor name, publisher, MD5 hash, and more. With this granular approach, Application Control combined with the PAM solution lets you customize admin sessions. The combination shields against attacks that target sensitive memory areas, stops attackers from moving laterally across the network, and keeps business assets safeguarded.

Here's a tip you might not want to miss: when used with Heimdal™ Next-Gen Antivirus, the PAM tool automatically de-escalates rights if a threat is detected on the machine. This also helps keep malware from spreading laterally across the network and infecting other systems. How cool is that?

Enforce the principle of least privilege

A PAM strategy should always be based on the principle of least privilege, meaning that users, applications and services get restricted access, or better said, the minimum access to organizational resources required to complete a task.

Use an automated patch management solution

Remember that I mentioned at the beginning of this article that a privilege escalation attack usually happens because hackers abuse a vulnerability in the OS or a software flaw. So, how do you stay safe if your software is outdated? The short answer is that you don't, which is why I want to underline the importance of an up-to-date system: you prevent a large share of privilege escalation attempts simply by keeping your software patched with the latest security updates.

This will surely be a tiresome process if managed manually, and close to impossible to do properly at scale. This is where an automated Patch Management solution like our Heimdal™ Patch and Asset Management comes into play and automates your vulnerability management. Our product covers Microsoft, third-party and proprietary patches. What's even cooler about this solution is the short vendor-to-end-user waiting time: in less than 4 hours, every patch, hotfix, rollup, or update is uploaded to your Heimdal™ cloud, already adware-cleaned, tested, repackaged, and ready to be deployed.

Use a high-quality traffic filtering tool

DNS-level threats are more frequent than ever, and a high-quality traffic filtering tool is required to keep them away. Since today's cyber world lives in the cloud, you need a solution that can face cloud challenges, like our Heimdal™ Threat Prevention. Combining machine learning, AI-based prevention, and cybercrime intelligence, it has the power to detect and stop both emerging and hidden cyber-threats with 96% accuracy. What traditional antivirus can't detect will surely land in Threat Prevention's yard.

Not to mention that in October it won Best Cloud-Delivered Security Solution of the Year at the Network Computing Awards 2021 and AI and Machine Learning-Based Security Solution of the Year at the Computing Security Awards 2021.

Set a strong password policy

How many times have you come across passwords so common that anyone could guess them? Your organization has to implement a well-defined password policy that everyone follows. Strong passwords should be long enough, mix letters, numbers, and symbols in a way that makes them hard to guess, and not be the employee's birthday or the name of a pet. User accounts should also have multi-factor authentication enabled, so that a guessed or phished password alone is not enough to log in.

Not to mention that default credentials on routers, printers, or IoT devices should not exist at all. Even if your applications and operating systems are well secured, a single overlooked router with default credentials could be the open door hackers are looking for.

Educate your employees on cybersecurity

Last, but not least, your employees can always be the weakest link in your organization when it comes to social engineering. Hackers might trick them with phishing or spear-phishing attacks into clicking a malicious link, handing over their credentials, and much more. Employees' cybersecurity awareness should be a top priority for all organizations.

A privilege escalation attack is a common threat to user data. It can cause data breaches, system crashes, and other damage. Make sure you stay safe and use the proper tools to safeguard your business' critical assets.

Feel free to drop a comment below if you want to add anything.

This article was written in collaboration with my colleague, Vladimir Unterfingher.
