Privilege escalation is a common threat vector that allows adversaries to enter an organization’s IT infrastructure and seek permissions to steal sensitive data, disrupt operations and create backdoors for future attacks. Elevated privileges let attackers tamper with security settings, configurations and data; they often get access to lower-privilege accounts first and then use them to obtain high-level privileges and gain full access to the organization’s IT environment.
Unfortunately, it is often easy for even unsophisticated hackers to obtain and escalate privileges because many organizations lack adequate security measures and controls, such as rigorously enforcing the principle of least privilege and knowing what sensitive data they have and where it is stored so they can harden its security.
In this blog post, we explain what escalation of privileges is and describe the techniques hackers use to escalate privileges and achieve their goals.
Horizontal vs vertical privilege escalation
Generally, privilege escalation is an activity in which a hacker exploits a bug, takes advantage of a configuration oversight or programming error, or uses any vulnerability in a system or application to gain elevated access to protected resources. Normally, this happens after an attacker has done reconnaissance and compromised a system by gaining access to a low-level account. In this phase, the attacker wants a strong grip on the system and seeks ways to heighten privileges, either to study the system further or to perform an attack.
There are two types of privilege escalation:
- Horizontal privilege escalation — This attack involves a hacker simply taking over someone else’s account. For example, one internet banking user might gain access to the account of another user by learning their ID and password. In horizontal privilege escalation, the attacker does not actively seek to upgrade the privileges associated with the account they have compromised, but simply to misuse them by assuming the identity of the other user.
- Vertical privilege escalation (aka elevation of privilege or EoP) — Here, a malicious user gains access to a lower-level account and uses it to gain higher-level privileges. For example, a hacker might compromise a user’s internet bank account and then try to get access to site administrative functions. Vertical privilege escalation requires more sophisticated attack techniques than horizontal privilege escalation, such as hacking tools that help the attacker gain elevated access to systems and data.
How does a privilege escalation attack happen?
Attackers who try to perform unauthorized actions and obtain high-level privileges often use so-called privilege escalation exploits. Exploits are pieces of code designed to deliver a particular payload, which targets a known weakness in the operating system or software components. Executing a privilege escalation exploit later enables attackers to steal or damage data, disrupt operations or set up persistence on the network to perform further attacks. Typically, a privilege escalation attack consists of five steps:
- Find a vulnerability
- Create the related privilege escalation exploit
- Use the exploit on a system
- Check if it successfully exploits the system
- Gain additional privileges
Privilege escalation techniques
An attacker’s goal in a privilege escalation attack is to obtain high-level privileges (e.g. root privileges) and make their way to critical IT systems without being noticed. There are multiple privilege escalation techniques that attackers use to accomplish this. Let’s explore three of the most common ones:
- Manipulating access tokens
- Bypassing user account control
- Using valid accounts
Technique 1: Access Token Manipulation
How does it happen?
This privilege escalation technique exploits the way Windows manages admin privileges. Normally, Windows makes use of access tokens to determine the owners of all running processes, e.g. when a thread interacts with a securable object or tries to perform a system task that requires certain privileges.
In access token manipulation, the attacker’s main task is to fool the system into believing that a running process belongs to someone other than the user who actually started it. When this happens, the process also takes on the security context associated with the new token.
Adversaries can leverage access tokens through three methods:
- Impersonate or steal a token – An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with the ImpersonateLoggedOnUser function to enable the calling thread to impersonate a logged-on user’s security context, or with the SetThreadToken function to assign the impersonated token to a thread.
- Create Process with a Token – This happens when an adversary creates a new access token with the DuplicateToken(Ex) function and uses it with the CreateProcessWithTokenW function to create a new process that runs under the security context of the impersonated user. This may be useful for creating a new process under the security context of a different user.
- Make and Impersonate Token – In this method, an adversary has a username and password, but the user is not logged onto the system. The adversary can then create a logon session for the user with the help of the LogonUser function. The function will return a copy of the new session’s access token, and the adversary can then use SetThreadToken to assign the token to a thread.
How to mitigate this threat?
Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access to make full use of this technique. Therefore, you need to assign access rights in accordance with the least-privilege principle and make sure that all the access rights are regularly reviewed. You also need to keep a close eye on privileged accounts to promptly respond to signs of suspicious activity performed by these accounts.
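One way to apply least privilege here is to review who holds the Windows user rights that token duplication and impersonation depend on. The PowerShell below is an added example, not part of the original post: it parses a constructed sample of a secedit user-rights export, and the baseline of default holders and the function name Get-ExtraTokenRightHolder are assumptions to adapt to your own policy.

```powershell
# Added example, not from the original post. $export is a constructed sample; on a real
# host create the file from an elevated prompt and load it with Get-Content instead:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
$export = @'
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeCreateTokenPrivilege = helpdesk_svc
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
'@

# Assumed baseline: the Windows default holders of the rights that gate opening other
# users' processes, impersonation and starting a process with another user's token.
$baseline = @{
    SeDebugPrivilege              = 'S-1-5-32-544'
    SeImpersonatePrivilege        = 'S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6'
    SeAssignPrimaryTokenPrivilege = 'S-1-5-19', 'S-1-5-20'
    SeCreateTokenPrivilege        = @()
}

function Get-ExtraTokenRightHolder {
    param([string[]]$Lines, [hashtable]$Baseline)
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        $value = $Matches[2]
        if (-not $Baseline.ContainsKey($right)) { continue }   # not a token-related right
        # secedit prefixes SIDs with '*'; accounts it writes by name have no prefix.
        $holders = $value.Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
        foreach ($holder in $holders) {
            if ($holder -notin $Baseline[$right]) {
                [pscustomobject]@{ Right = $right; Holder = $holder }
            }
        }
    }
}

# Every row returned is an account holding a token-related right beyond the baseline.
Get-ExtraTokenRightHolder -Lines ($export -split "`r?`n") -Baseline $baseline |
    Format-Table -AutoSize
```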
Technique 2: Bypassing User Account Control
How does it happen?
Windows has a well-structured mechanism for controlling privileges of all users in the network. The user account control (UAC) feature serves as a gate between normal users and users with admin privileges. It limits application software to standard user permissions until an administrator authorizes an increase of privileges. In this way, only applications trusted by the user may receive administrative privileges, which prevents malware from compromising the operating system.
However, this mechanism has security gaps. If the UAC protection level of a computer is set to anything but the highest level, some Windows programs are allowed to elevate privileges or execute Component Object Model (COM) objects that are elevated without prompting a user first. An example of this is the use of rundll32.exe to load a specifically crafted Dynamic Link Library (DLL), which loads a COM object that already has elevated privileges. The elevated COM object can then perform file operations even in protected directories, which opens the UAC mechanism to compromise by attackers.
How to mitigate this threat?
You need to check your IT environment for common UAC bypass weaknesses regularly to be aware of current risks to your systems and address issues where appropriate. Another good practice is to regularly review which accounts are in your local administrator groups on systems and remove regular users from these groups.
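Both checks can be scripted per host. The PowerShell below is an added example, not part of the original post: it reads the standard Windows UAC policy values from the registry and lists local Administrators members for review. The function name Test-UacLevel and the allow-list of expected members are assumptions.

```powershell
# Added example, not from the original post. Read-only audit of the local host.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-UacLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)
    $findings = @()
    if ($EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is switched off'
    }
    # 1 = credentials on the secure desktop, 2 = consent on the secure desktop
    # ("Always notify"). 5, the Windows default, lets Windows binaries elevate
    # without a prompt; 0 never prompts.
    if ($ConsentPromptBehaviorAdmin -notin 1, 2) {
        $findings += "ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin is below the highest level"
    }
    if ($PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: prompts are not shown on the secure desktop'
    }
    return $findings
}

$policy = Get-ItemProperty -Path $key
$uacFindings = @(Test-UacLevel -EnableLUA $policy.EnableLUA `
    -ConsentPromptBehaviorAdmin $policy.ConsentPromptBehaviorAdmin `
    -PromptOnSecureDesktop $policy.PromptOnSecureDesktop)

if ($uacFindings.Count -eq 0) { 'UAC is set to the highest level.' } else { $uacFindings }

# Assumption: only the built-in Administrator (RID 500) and Domain Admins (RID 512)
# are expected in the group; change the pattern to match your own policy.
$expectedRid = '-(500|512)$'

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so this works on
# systems where the group name is localized.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -notmatch $expectedRid } |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Any account listed by the second check is a candidate for removal from the local Administrators group.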
Technique 3: Using Valid Accounts
How does it happen?
Adversaries can use Credential Access techniques (e.g. Credential Dumping, Account Manipulation and others) to obtain the credentials of specific user accounts, or steal them through social engineering. As soon as attackers get access to an organization’s network, they can use compromised credentials to bypass access controls placed on various resources on IT systems, or any other security restrictions, and may even gain access to remote systems and services, e.g. VPNs, Outlook Web Access and remote desktop. One of the main concerns here is the overlap of credentials and permissions across the network, because adversaries may be able to switch between accounts and systems to reach a higher level of access (i.e., domain or enterprise administrator).
How to mitigate this threat?
One of the simplest, yet most effective ways to mitigate this threat is to change the passwords of administrative accounts regularly and enforce a strong password policy (e.g. ensure that local administrator accounts have complex, unique passwords across all systems).
It is also essential to monitor what is going on in your IT environment to detect techniques like Credential Dumping. Limit credential overlap across systems to further reduce the risk of unauthorized access in case adversaries obtain account credentials, and do not put user or admin domain accounts in the local administrator groups unless they are tightly controlled. Finally, you need to monitor user behavior and keep an eye on what permission level each user has to quickly detect adversaries’ activities.
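Credential overlap becomes visible once local administrator membership from several hosts is put side by side. The PowerShell below is an added example, not part of the original post: it runs over a constructed inventory, and the host names, account names, function names, 90-day threshold and reference date are all assumptions.

```powershell
# Added example, not from the original post. The inventory is constructed sample data;
# collect the real records per host with Get-LocalGroupMember and Get-LocalUser.
$inventory = @(
    [pscustomobject]@{ Computer = 'WS01';  Account = 'CORP\jsmith';        Source = 'ActiveDirectory'; PasswordLastSet = $null }
    [pscustomobject]@{ Computer = 'WS02';  Account = 'CORP\jsmith';        Source = 'ActiveDirectory'; PasswordLastSet = $null }
    [pscustomobject]@{ Computer = 'SRV01'; Account = 'CORP\jsmith';        Source = 'ActiveDirectory'; PasswordLastSet = $null }
    [pscustomobject]@{ Computer = 'SRV01'; Account = 'CORP\svc_backup';    Source = 'ActiveDirectory'; PasswordLastSet = $null }
    [pscustomobject]@{ Computer = 'WS01';  Account = 'WS01\Administrator'; Source = 'Local'; PasswordLastSet = [datetime]'2023-01-10' }
    [pscustomobject]@{ Computer = 'WS02';  Account = 'WS02\Administrator'; Source = 'Local'; PasswordLastSet = [datetime]'2024-05-02' }
)

# Domain accounts that sit in local Administrators groups, ranked by how many hosts
# one stolen credential would give administrative access to.
function Get-DomainAdminReach {
    param([object[]]$Inventory)
    $Inventory | Where-Object Source -eq 'ActiveDirectory' | Group-Object Account |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.Name
                HostCount = $_.Count
                Computers = ($_.Group.Computer | Sort-Object) -join ', '
            }
        } | Sort-Object HostCount -Descending
}

# Local administrator accounts whose password is unset or older than the threshold.
function Get-StaleLocalAdmin {
    param([object[]]$Inventory, [datetime]$AsOf, [int]$MaxAgeDays = 90)
    $Inventory | Where-Object {
        $_.Source -eq 'Local' -and
        ($null -eq $_.PasswordLastSet -or ($AsOf - $_.PasswordLastSet).Days -gt $MaxAgeDays)
    } | Select-Object Computer, Account, PasswordLastSet
}

Get-DomainAdminReach -Inventory $inventory | Format-Table -AutoSize

# A fixed reference date keeps the sample reproducible; use Get-Date in practice.
Get-StaleLocalAdmin -Inventory $inventory -AsOf ([datetime]'2024-06-01') |
    Format-Table -AutoSize
```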
Although there is no way to fully secure your environment against hackers and malicious insiders escalating privileges, you can thwart attackers by minimizing your threat exposure and spotting cyber threats in their early stages. To reduce the risk of privilege escalation, you need to regularly look for and remediate the security weak spots in your IT environment; strictly follow the principle of least privilege; and implement security monitoring to be aware of what’s going on in your network. You should also evaluate the risks to your sensitive files and take steps to secure data in accordance with its value. Taking these steps proactively can help you avoid data loss, system disruption, compliance failures and other negative consequences.