Stopping Privilege Escalation Is an Essential Security Initiative

Privilege escalation is a common tactic present in almost every cyberattack today. Malicious insiders, ransomware gangs and other threat actors often use it in combination with to lateral movement to traverse a victim’s network to gain unauthorized access to sensitive IT resources. Elevated access rights are vital for malicious activity, including stealing sensitive data, disrupting business operations and creating backdoors for future stages of an attack. Due to the widespread use of Active Directory, Windows privilege escalation attacks are more common than Linux privilege assaults, yet both are seen in the wild.

Why Elevated Privileges Are Important to Attackers

Elevated privileges are the keys to the kingdom that threat actors need to modify system configurations, data permissions and security controls. Attackers usually gain access to a network using a compromised standard user account. Privilege elevation is achieved by stealing the credentials of a system administrator or high-level service account; this enables access to critical servers, network appliances, data repositories and backup systems.

Unfortunately, the ability to escalate privileges is often easy even for unsophisticated hackers because many organizations lack adequate security measures. Indeed, access control is too often configured with convenience in mind rather than the enforcement of the principle of least privilege.

Horizontal vs Vertical Privilege Escalation

Cyberattacks often involve the exploitation of some type of vulnerability, such as an unpatched system, improper configuration or programming error. Once a system has been compromised, the attacker performs reconnaissance to identify privileged users to compromise and way to increase the access rights of accounts they already control.

There are two types of privilege escalation that threat actors use:

Horizontal privilege escalation — An attacker compromises an account and then gains access to the same level of privileges or permissions as another user or application on a different system. For example, after compromising the account of one internet banking user, an adversary might gain access to the account of another user by learning their ID and password.

Vertical privilege escalation (aka elevation of privilege or EoP) — A malicious user gains access to a lower-level account and exploits a weakness in the system to gain administrative or root-level access to a resource or system. Vertical privilege escalation requires more sophisticated attack techniques than horizontal privilege escalation, such as hacking tools that help the attacker gain elevated access to systems and data.

How does privilege escalation occur?

Attackers who try to perform unauthorized actions often use privilege escalation exploits. These exploits involve known or discovered weaknesses involving an operating system, software component or security misconfiguration. The attack usually involves this five-step process:

Find a vulnerability.
Create the related privilege escalation exploit.
Use the exploit on a system.
Check if it successfully exploits the system.
Gain additional privileges if necessary.

What are the top privilege escalation techniques?

There are multiple privilege escalation techniques that attackers use. Three of the most common ones are:

Manipulating access tokens
Bypassing user account control
Using valid accounts

Technique 1: Access Token Manipulation

Access token manipulation takes advantage of the way Windows manages admin privileges. An access token is created by a Windows system at the time of a user login. By modifying an access token, an adversary can fool the system into allowing them to perform a system task or gain access to a running process or service that requires elevated privileges.

Adversaries can leverage access tokens using one of three methods:

Impersonate or steal a token — An adversary can create a new access token that duplicates an existing token using the DuplicateToken(Ex) function. The token can then be used with the ImpersonateLoggedOnUserfunction to enable the calling thread to impersonate a logged-on user’s security context, or with the SetThreadToken function to assign the impersonated token to a thread.
Create a process with a token — This happens when an adversary creates a new access token with the DuplicateToken(Ex) function and uses it with the CreateProcessWithTokenW function to create a new process that runs under the security context of the impersonated user. This may be useful for creating a new process under the security context of a different user.
Token impersonation — Here an adversary has a username and password, but the user is not logged onto the system. The adversary can create a logon session for the user with the help of LogonUser The function will return a copy of the new session’s access token, and the adversary can use SetThreadToken to assign that token to a thread.

How to Mitigate this Threat

Access tokens are an integral part of the Windows security system and cannot be turned off. However, an attacker must already have administrator level access to make full use of this technique. Therefore, you need to assign access rights in accordance with the least-privilege principle and make sure that all access rights are regularly reviewed. You also need to keep a carefully monitor privileged accounts and promptly respond to signs of suspicious activity performed by these accounts. Ideally, you can replace nearly all standing administrative accounts with just-in-time access.

Technique 2: Bypassing User Account Control

The Windows user account control (UAC) feature serves as a gateway between normal users and accounts with admin privileges. It limits application software to standard user permissions until an administrator authorizes an increase of privileges. It requires an administrator to input their credentials to get past the prompt. In this way, only applications trusted by the user may receive administrative privileges, preventing malware from compromising the operating system.

This mechanism isn’t perfect, however. If the UAC protection level of a computer is set to anything but the highest level, some Windows programs are allowed to elevate privileges or execute Component Object Model (COM) objects that are elevated without prompting the user first.

How to Mitigate this Threat

You need to check your IT environment for common UAC bypass weaknesses regularly and address the risks as appropriate. Another good practice is to regularly review which accounts are in your local administrator groups on all Windows systems and remove regular users from these groups. You can do this using Group Policy or Intune.

Technique 3: Using Valid Accounts

Adversaries can use credential access techniques such as credential stuffing, account manipulation or social engineering to compromise the credentials of legitimate users. They may even gain access to remote systems and services using a VPN or remote desktop connection. One of the main concerns here is the overlap of credentials and permissions across the network because adversaries may be able to toggle between accounts and systems to reach a higher level of access, such as Domain Admin or Enterprise Admin.

How to Mitigate this Threat

One of the most effective ways to mitigate this threat is to enforce a strong password policy for all accounts that includes password length and complexity requirements. In addition, change the passwords of all administrative accounts regularly, and use unique passwords for the local admin account on each system to prevent attackers from moving laterally at will across the network by compromising a single local admin account.

It is also important to monitor your IT environment for suspicious user behavior that might indicate a threat in progress. Early detection is imperative.

How to Protect Against Privilege Escalation

Although there is no way to fully secure your environment against hackers and malicious insiders intent on escalating privileges, you can reduce the risk of privilege escalation by hardening the attack surfaces of your endpoint operating systems and software and enforcing the principle of least privilege for all resources. You should also require multifactor authentication to provide better security whenever it is warranted, based on the risk associated with the activity being attempted. Perform regular risk assessments to detect and evaluate risks to your sensitive files and take steps to secure data in accordance with its value.

Many enterprises use some type of privileged access management (PAM) solution. The Netwrix Privileged Access Management Solution gives you visibility into privileges across all your systems and applications. It alerts you when new privileged accounts are created or modified, and discovers privileged accounts you may not even know about. In short, it puts you in charge of privilege across your IT estate.

Combining a PAM solution with adherence to security best practices can help you block privilege escalation and lateral movement to avoid data loss, business disruption and compliance penalties.

Dirk Schrader

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.