Privilege escalation remains one of the top techniques attackers use to discover and exfiltrate sensitive and valuable data from organizations. Put simply, privilege escalation is the process of increasing the privileges gained at initial access, typically a standard user or application account, up to administrator, root, or even full system access.
When targeting privileged accounts, cybercriminals continually reuse proven techniques and follow similar courses of action to identify and exploit any weak credentials, misconfigurations or overprivileged users that exist within a particular organizational system or network. Domain admin and service accounts, local administrator accounts and privileged data user accounts are some of the privileged accounts that cybercriminals target most frequently. However, it should never be assumed that attackers only target accounts where access and privileges are plentiful. Cybercriminals are ultimately looking for situations where privileged accounts are left unmanaged and unmonitored.
When evaluating an organization’s environment, attackers are looking for security vulnerabilities that allow for privilege escalation exploits, including:
- Passwords: Organizations often leave credential details for privileged users in a text file on the desktop, in a browser's saved passwords, or in a configuration file. Attackers can quickly search for stored passwords using common techniques such as searching the registry with the query reg query HKLM /f password /t REG_SZ /s, or finding a text file on the desktop labeled something like “passwords” or “important stuff.”
- Overprivileged Users: Attackers are also searching for users who have been allocated more privileges than required for their job responsibilities with access to systems and data they do not need. For example, standard business users may have Local Administrator rights on their personal workstations. Attackers can leverage these Local Administrator rights to escalate privileges up to Full Domain using tools.
- Unprotected service permissions: These are situations where a particular service runs with system privileges, but a user has permission to change the service's executable path (binPath). Pointing the service at a different binary can then yield a reverse shell running with those system privileges.
- Weak registry permissions: Like insecure service permissions, if an attacker can modify the registry configuration of a service, they can also change the path in the service configuration. This again can create a reverse shell or elevate privileges on the system.
These are only some of the common attack strategies used to escalate privileges as cybercriminals continue to develop new ways to discreetly execute their attack.
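As an added example (not code from the original article), the following read-only PowerShell audit looks for the last two misconfigurations above from the defender's side: service binaries and service registry keys that low-privileged principals are allowed to modify. It assumes an elevated shell on the host being checked; the list of "low-privileged" principals is an assumption you may extend.

```powershell
# Added example, not from the original article: a read-only audit of every Windows
# service for the two weaknesses described above, a service binary or a service
# registry key that low-privileged principals are allowed to modify. Run elevated.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\INTERACTIVE')   # assumed set; extend for your environment
$FileWriteMask = [System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl, ChangePermissions, TakeOwnership'
$RegWriteMask  = [System.Security.AccessControl.RegistryRights] 'SetValue, CreateSubKey, WriteKey, FullControl, ChangePermissions, TakeOwnership'

# Return the Allow ACEs that grant any right in $WriteMask to a low-privileged principal.
function Get-WeakAce {
    param($Rules, $WriteMask)
    foreach ($r in $Rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $r.IdentityReference.Value) { continue }
        $rights = if ($r.PSObject.Properties['FileSystemRights']) { $r.FileSystemRights } else { $r.RegistryRights }
        if (([int]$rights -band [int]$WriteMask) -ne 0) { $r }
    }
}

# Pull the executable out of a service's command line (quoted or unquoted).
function Get-ServiceExePath {
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceExePath $svc.PathName
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        foreach ($ace in Get-WeakAce (Get-Acl -LiteralPath $exe).Access $FileWriteMask) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Finding = 'binary writable'
                               Target = $exe; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
    # Service configuration lives under this key; a writable key lets the ImagePath be changed.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    if (Test-Path -LiteralPath $key) {
        foreach ($ace in Get-WeakAce (Get-Acl -LiteralPath $key).Access $RegWriteMask) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Finding = 'registry key writable'
                               Target = $key; Principal = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
        }
    }
}
$findings | Sort-Object Finding, Service | Format-Table -AutoSize
```

Any row whose RunsAs is LocalSystem deserves immediate attention, since that is exactly the service-running-as-system case the article describes.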
Cybersecurity Best Practices
On a more positive note, there is a host of defense mechanisms that can be implemented to protect against the rising sophistication attackers exhibit while escalating privileges. Firstly, it must never be assumed that an organization can successfully ‘prevent’ an attack. This is a dangerous assumption made by many organizations that leads to a false sense of security. Instead, organizations should focus on reducing risk, making it more challenging for attackers to succeed, and increasing visibility so that an exploit can be stopped before it elevates privileges and before any serious damage is done.
There are several ways this can be achieved:
- Multi-Factor Authentication: Passwords should never be the only security control for accessing critical systems, applications, and privileges. Implementing multi-factor authentication adds an extra layer of protection should an attacker compromise a password. MFA should be required not only at system log-in, but also at the point of horizontal and vertical privilege elevation.
- Update and Patch Systems: While this practice is by no means completely effective, regularly updating and patching critical systems will make an attacker’s objective of executing a privileged attack and escalation more difficult.
- Utilize Privileged Access Management: Privileged Access Management can help organizations store their passwords by moving them into secure vaults so that they are not easily found by attackers during the enumeration phase. Privileged Access Management will help avoid passwords being left on the desktop in clear text, hidden in configuration files, or stored in insecure browsers. It will also ensure that all services have a provisioned account with the correct security controls, including complex passwords that are rotated frequently.
- Least Privilege Approach: All organizations should adopt a least privilege approach where users are only allocated the privileges needed to complete the task or action they are assigned to do. This reduces the possibility of exposing several of the privilege escalation paths, such as insecure services, registry, and directory paths.
- Control Applications: Organizations should focus on limiting running applications and scripts that can be used to enumerate or exploit privileges. Implementing approval or ‘allow’ lists will help control which applications and scripts can execute, while deny lists will ensure malicious applications and scripts are blocked or require additional auditing.
- Audit Privilege Access Usage: Privilege usage should be constantly monitored for any suspicious behavior or activity. Alerts that immediately notify security and IT teams of any deviation from normal activity must be implemented. Should a privilege escalation exploit occur, you’ll be able to conduct incident response and identify the root cause of the attack to prevent it from happening again.
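The monitoring described in the last item can start with the Windows Security log: event ID 4672 is written whenever a logon is assigned sensitive privileges. The PowerShell below (an added example, not from the original article) summarizes those events and flags accounts that used such privileges but are not on a known-administrator list; the list and the one-day window are assumptions you would replace with your own baseline.

```powershell
# Added example, not from the original article. Reviews "special privileges
# assigned to new logon" events (Security event ID 4672) and flags accounts that
# exercised sensitive privileges but are not on the known-administrator list.
# Requires an elevated shell with permission to read the Security log.
$KnownAdmins = @('CORP\svc-backup', 'CORP\alice.admin')   # constructed allow list; replace with yours
$Since = (Get-Date).AddDays(-1)                           # assumed review window

function Get-PrivilegedLogonSummary {
    param([datetime]$StartTime, [string[]]$Allowed)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $StartTime } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than relying on field order.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Built-in SYSTEM, LOCAL SERVICE and NETWORK SERVICE logons are expected noise here.
        if ($data['SubjectUserSid'] -in 'S-1-5-18', 'S-1-5-19', 'S-1-5-20') { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Account    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Privileges = ($data['PrivilegeList'] -replace '\s+', ' ').Trim()
        }
    }
    $rows | Group-Object Account | ForEach-Object {
        [pscustomobject]@{
            Account    = $_.Name
            Logons     = $_.Count
            FirstSeen  = ($_.Group | Measure-Object Time -Minimum).Minimum
            Unexpected = ($Allowed -notcontains $_.Name)
            Privileges = (($_.Group.Privileges -split ' ') | Sort-Object -Unique) -join ' '
        }
    }
}

$summary = Get-PrivilegedLogonSummary -StartTime $Since -Allowed $KnownAdmins
$summary | Sort-Object Unexpected -Descending, Logons -Descending | Format-Table -AutoSize
foreach ($row in ($summary | Where-Object Unexpected)) {
    Write-Warning "Unlisted account $($row.Account) used sensitive privileges: $($row.Privileges)"
}
```

Running this on a schedule and forwarding the warnings to the SOC gives the "deviation from normal activity" alert the article calls for, and the per-account privilege list is the starting point for root-cause analysis after an incident.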