A Deep Dive Into Privilege Escalation

According to Lockheed Martin's Cyber Kill Chain framework for understanding cyber attacks, all offensive campaigns follow 7 sequential stages. For defenders tasked with detecting and responding to cyber attacks in real-time, stages number 4 through 7 (Exploitation, Installation, Command and Control, and Actions on Objectives) are the most critical. These stages happen within the target organization's infrastructure and represent the true "battle" portion of a cyber campaign so to speak. They begin with initial access being gained in the Exploitation stage and achieving end goals in the Actions on Objectives stage. 

During the Exploitation stage, attackers may gain initial access to a victim's system through various techniques known as "first-stage" attacks. Each of these first-stage techniques bestows different starting conditions such as permission levels and locality within the compromised infrastructure which will determine their next moves to carry out their "Actions of Objectives"

Understanding attacker behavior during the middle stages allows defenders to better detect and respond to attacks, reduce dwell time, and remediate and recover from attacks before significant damage is done. This article will delve into the most common techniques attackers use to transition from their initial breach to achieving their end goals: Privilege Escalation. 

What is Privilege Escalation?

One of the most important factors in planning the secondary stages of an attack is determining what level of access has been gained. The degree of control achieved depends on what user permissions the attackers have and determines what exploits they can successfully execute within the compromised system or network. Depending on how initial access was gained, an attacker may immediately have full administrative access to a high-value target.  On the other hand, they may be limited to a regular user account on a relatively low-value workstation, service account, or system process.

Privilege Escalation (often shortened to "priv esc") refers to a process used by an attacker to increase their permission level on a system or network to carry out further attacks and move towards achieving their ultimate objectives. Unless attackers have been provided with a complete blue-print of the network they attacking from an insider, they assess the landscape after gaining initial access to map out their victim's infrastructure, evaluate the context of their foothold, and determine their available options. 

Privilege Escalation is one of the high-level attack tactics of the MITRE ATT&CK framework, and can be achieved using a wide array of techniques such as exploiting known vulnerabilities or zero-day vulnerabilities, exploiting system or network misconfigurations, searching for exposed sensitive information, or exploiting human weaknesses to social engineer privileged credentials. Next, we will cover the most common techniques attackers use for privilege escalation.

How Do Attackers Achieve Privilege Escalation?

As mentioned above, some exploits immediately grant an attacker administrator (aka root) privileges on the compromised system.  However, this is not always the case.  When an attacker gains unauthorized access without high-level privileges, they will try to use Privilege Escalation techniques to gain them.

Here are some of the most common MITRE ATT&CK techniques associated with the Privilege Escalation tactic:

• Steal Credentials/Access Tokens: One of the first things an attacker with low-level privileges will do on a compromised system is search for existing credentials to use them for Privilege Escalation. Depending on the compromised system, there are many password stores an attacker will look for credentials. One of the most common places is a browser's password cache. Attackers will also look for files with sensitive information such as cleartext passwords to administrator accounts. Attackers may find hashed passwords and crack them, or use them in replay attacks against less secure protocols such as NTLM or search a local file system for exposed access tokens that grant administrator access to services

• Abuse Loose File Permissions: In addition to searching for stored credentials, attackers can search a compromised system for overly loose (permissive) file access controls that would allow writing to or modifying sensitive files.  Overly permissive configurations could allow an attacker to execute an autostart program or custom script with high-level privileges during system boot or user log-on. Another technique for exploiting loose file permissions is service binary replacement. Here, an attacker replaces the contents of a service application file with a malicious code and then executes it. Attackers can also enumerate all files on a local system looking for files with a misconfigured Setuid or Setgid. The Setuid and Setgid permission settings will change the context of a file when it's executed, no matter which user executes it.  Sometimes, the execution context may be changed to the administrator (root) user. Loose file permissions can also impact files periodically executed with system privileges such as a screensaver or scheduled tasks

• Exploiting Application Vulnerabilities: Attackers can search a compromised system for applications with known vulnerabilities and exploit them to gain arbitrary code execution. Some examples include escaping from virtualization technology such as containers or VMs to execute commands on the underlying host with high-level permissions, exploiting a DLL Search Order Hijacking, DLL SideLoading vulnerability in a Windows application, or direct process injection

• Install Keyloggers or Screen Capture Malware: Attackers with low-level access can run malware programs at the user level to capture keystrokes or take screenshots with the hopes of capturing sensitive information and gaining access to valid accounts with admin rights

• Account or Configuration Manipulation: Adversaries may manipulate accounts or modify configuration settings to elevate access levels. One example is modifying credentials or permission groups for a user account. Also, modifications to Windows domain settings including altering domain Group Policy Objects (GPOs) or changing trust settings for domains, or federation trusts can effectively give an attacker with low-level privileges access to more network resources

• Social Engineering: If attackers can socially engineer a scenario to trick an admin user into entering their credentials into an attacker-controlled input, they can steal the credentials outright and use them at a later time.  Also, to execute the attacker's malicious code, if the user is in the local administrators group the attacker can leverage techniques such as "Bypass User Account Control" or Elevated Execution with Prompt, hoping to have the user click through the prompt or enter an administrator password to complete the attacker's desired action. Other social engineering techniques to steal passwords include spoofing legitimate website login pages to steal passwords and even MFA fatigue attacks to steal MFA tokens

• Brute-Force Credential Attacks: Brute-force password attacks try many common passwords or even attempt to enumerate all the possible combinations for a password. If given enough time brute-force attacks can be successful. However, they are noisy forms of aggression and are easily thwarted by enforcing strong passwords and using rate-limiting and brute-force detection techniques

Mitigating Privilege Escalation 

Here are some key security measures to protect against Privilege Escalation techniques:

• Implement Rigorous Access Control and Regular Audits: Establish comprehensive file permissions and enforce strong password policies. Many privilege escalation methods exploit weak access controls, such as overly permissive configurations. Regular audits ensure these controls remain effective and uncompromised

• Deploy Endpoint Detection and Response (EDR) Solutions: EDR technologies are crucial for the early detection of cyberattacks. They can intercept attempts to escalate privileges before attackers can achieve their ultimate goals

• Enforce Multi-Factor Authentication (MFA) for Administrative Accounts: MFA is a critical layer of defense. It ensures that compromised credentials alone are insufficient for unauthorized access, requiring additional identity verification at each login

• Implement a Vulnerability Management Program: Vulnerability management helps to identify and remediate known vulnerabilities in a network by proactively scanning for vulnerable software and misconfigurations to ensure that security patches are installed in a timely manner

• Least Privilege Principle Enforcement: Ensure that users have only the minimum level of access necessary to perform their duties. This limits the potential impact of compromised accounts

• Use Security Training for Employees: Educate staff about the risks of social engineering attacks and the importance of security awareness in their daily activities, such as not sharing credentials and recognizing common phishing attacks

• Use of Privileged Access Management (PAM) Tools: PAM tools assist in monitoring and controlling privileged accounts, offering an additional layer of security against unauthorized access attempts

• Employ Strong Network Security Controls: Create separate network zones to restrict access to sensitive areas, reducing the risk of widespread system compromise from a single point of intrusion, and use network security tools such as firewalls, Intrusion Detection Systems (IDS), and honeypots to detect anomaly network behavior

• Conduct Regular Penetration Testing: For high-risk assets, penetration testing is the gold standard for identifying and closing security gaps that might allow for privilege escalation. This proactive approach simulates real-world attack scenarios to ensure that defenses look not only good on paper, but also stand firm against actual hacking techniques

Conclusion

Privilege Escalation is a fundamental cyber attack tactic used to give an attacker more permissions on a compromised system or network.  Some initial access methods immediately give an attacker admin privileges; however, when attackers do not have high-level permissions they can use a variety of techniques to them.

Understanding the various ways attackers can escalate their permissions is critical for defenders to design appropriate security controls to prevent a low-level attack from gaining access to critical resources before it can be detected and mitigated.

Ready to further elevate your knowledge of cybersecurity threats? Sign up for our newsletter today or reach out to our team for your free, zero-obligation quote.