Escalating Privileges

Privilege escalation is an attack in which a user gains illicit access to elevated rights, or privileges, beyond what that user is intended or entitled to have. The attacker can be an external threat actor or an insider. Privilege escalation is a key stage of the cyberattack chain and typically involves the exploitation of a privilege escalation vulnerability, such as a system bug, a misconfiguration, or inadequate access controls. In this blog, I will explain how privilege escalation works, the key attack vectors involved, and the critical privileged access security controls you can implement to prevent or mitigate it.

Types of Privilege Escalation:

    • Horizontal privilege escalation involves gaining access to the rights of another account—human or machine—with similar privileges. This action is referred to as “account takeover.” Typically, this involves lower-level accounts (e.g. standard users), which may lack proper protection. With each new account compromised horizontally, an attacker broadens their sphere of access at the same privilege level.
    • Vertical privilege escalation, also known as a privilege elevation attack, involves increasing privileges or privileged access beyond what a user, application, or other asset already has, typically starting from a low level of privilege. In order to bypass or override privilege controls, or to exploit vulnerabilities in software, firmware, or the kernel, the attacker may need to take a number of intermediate steps (such as running a buffer overflow attack). They may also need to obtain privileged credentials for other applications or the operating system itself. According to the Microsoft Vulnerabilities Report 2021, 44% of all Microsoft vulnerabilities in 2020 involved elevation of privilege flaws.

How does Privilege Escalation Work?

Every local, interactive session or remote access session represents some form of privileged access. This encompasses everything from guest privileges allowing local logon only, to administrator or root privileges for a remote session and potentially complete system control. Therefore, every account that can interact with a system has some privileges assigned.

A standard user rarely possesses rights to a database, sensitive files, or anything of value. So, how does a threat actor navigate an environment and gain administrator or root privileges to exploit them as an attack vector? There are five primary methods:

1. Credential exploitation
2. Vulnerabilities and exploits
3. Misconfigurations
4. Malware
5. Social engineering

Privilege Escalation Using DLL Hijacking

• Most Windows applications do not use a fully qualified path when loading an external DLL; instead, the loader searches the directory from which the application was loaded first.
• If an attacker can place a malicious DLL in the application directory, it will be loaded and executed in place of the real DLL, with the privileges of the application.
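A defender-side way to audit this, as an added example that is not code from the original post: the script below models the loader's default search order and reports any DLL a program loads by bare name whose resolution passes through a directory a standard user can write to. The application path, the in-memory directory contents and the set of writable directories are constructed for the example; the KnownDLLs mechanism, which pins core system DLLs to System32, is not modelled.

```python
"""DLL search order audit (added example, not code from the original post).

A DLL requested by bare name resolves to the FIRST directory in the loader's search
order that holds a file of that name. With SafeDllSearchMode enabled (the Windows
default) that order is: application directory, System32, System, the Windows
directory, the current working directory, then each PATH entry. If any directory
consulted up to and including the legitimate location is writable by a standard
user, the load can be hijacked, so it is reported for an ACL fix or for fully
qualifying the load. Directory contents and writable set are a constructed model."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple
import ntpath


@dataclass(frozen=True)
class Finding:
    dll: str
    resolves_from: Optional[str]      # directory the loader would pick, None if absent
    hijackable_dirs: Tuple[str, ...]  # standard-user-writable dirs consulted first


def search_order(app_dir: str, cwd: str, path_entries: Sequence[str],
                 windir: str = r"C:\Windows") -> List[str]:
    """Default order with SafeDllSearchMode on; duplicates keep their first position."""
    raw = [app_dir, ntpath.join(windir, "System32"), ntpath.join(windir, "System"),
           windir, cwd, *path_entries]
    seen: Set[str] = set()
    order: List[str] = []
    for d in raw:
        key = ntpath.normcase(d)          # NTFS paths are case-insensitive
        if key not in seen:
            seen.add(key)
            order.append(d)
    return order


def resolve(dll: str, order: Sequence[str], fs: Dict[str, Sequence[str]]) -> Optional[str]:
    """First directory in `order` that contains `dll`."""
    files_by_dir = {ntpath.normcase(k): {f.lower() for f in v} for k, v in fs.items()}
    for d in order:
        if dll.lower() in files_by_dir.get(ntpath.normcase(d), set()):
            return d
    return None


def audit(loaded_by_name: Sequence[str], app_dir: str, cwd: str,
          path_entries: Sequence[str], fs: Dict[str, Sequence[str]],
          writable: Set[str]) -> List[Finding]:
    order = search_order(app_dir, cwd, path_entries)
    writable_keys = {ntpath.normcase(d) for d in writable}
    findings = []
    for dll in loaded_by_name:
        real = resolve(dll, order, fs)
        # every directory the loader consults before it settles on `real`;
        # a DLL that exists nowhere makes the loader walk the whole order
        consulted = order if real is None else order[: order.index(real) + 1]
        risky = tuple(d for d in consulted if ntpath.normcase(d) in writable_keys)
        findings.append(Finding(dll, real, risky))
    return findings


# ---- constructed scenario: a vendor app, a user's Downloads folder as CWD, and a
# ---- world-writable C:\Tools on PATH (a common misconfiguration) ----
APP_DIR = r"C:\Program Files\VendorApp"
CWD = r"C:\Users\alice\Downloads"
PATH_ENTRIES = [r"C:\Tools", r"C:\Windows\System32"]
FS = {
    APP_DIR: ["vendorapp.exe", "helper.dll"],
    r"C:\Windows\System32": ["version.dll", "dbghelp.dll"],
    CWD: ["invoice.pdf"],
    r"C:\Tools": ["putty.exe"],
}
WRITABLE_BY_STANDARD_USER = {CWD, r"C:\Tools"}
LOADED_BY_NAME = ["helper.dll", "version.dll", "missing.dll"]


def sample_audit() -> List[Finding]:
    return audit(LOADED_BY_NAME, APP_DIR, CWD, PATH_ENTRIES, FS, WRITABLE_BY_STANDARD_USER)


if __name__ == "__main__":
    for f in sample_audit():
        status = "HIJACKABLE" if f.hijackable_dirs else "ok"
        print(f"{f.dll:12} -> {f.resolves_from or '<not found>':30} [{status}] "
              f"{', '.join(f.hijackable_dirs)}")
```

The `missing.dll` case is the classic finding: the application asks for a DLL that is not present anywhere, so the loader walks the whole order and reaches the user-writable PATH entry. The fixes are on the code side (fully qualified paths, or `SetDefaultDllDirectories`/`LoadLibraryEx` with the `LOAD_LIBRARY_SEARCH_*` flags) and on the ACL side (application and PATH directories not writable by standard users).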

Resetting Passwords Using Command Prompt

• If an attacker gains administrative privileges, they can reset the passwords of any non-administrative accounts from the command prompt.
• Open the command prompt, type net user and press Enter to list all the user accounts on the target system.
• Now type net user useraccountname * and press Enter, where useraccountname is an account name from the list.
• Type the new password to reset the password for that account.
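As a detection counterpart to the reset sequence above (an added example, not code from the original post): the script parses a handful of constructed Windows Security events and alerts on two signals, a 4724 password-reset event whose subject is not on an allow-list, and a 4688 process-creation event whose command line is net.exe or net1.exe setting an account's password. The allow-list and the event records are constructed; the field names follow the real 4724 and 4688 schemas, and 4688 only carries CommandLine when command-line auditing is enabled.

```python
"""Detecting `net user <account> *` password resets (added example, not code from the
original post).

Signals, over constructed Windows Security events in JSON form:
  4724  "An attempt was made to reset an account's password": alert when the resetting
        principal (SubjectUserName) is not on the constructed allow-list.
  4688  process creation: alert when NewProcessName is net.exe/net1.exe (net.exe hands
        most work to net1.exe) and CommandLine sets a password for an account."""
import json
import re
from typing import Dict, List, Tuple

APPROVED_RESETTERS = {"helpdesk-svc", "secadmin"}   # constructed allow-list of principals

# `net user <account> *` (prompted) or `net user <account> <password>`; the token after
# the account must not be a /switch, so a plain query such as `net user bob` does not match.
NET_USER_SET_PASSWORD = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+(?P<account>[^\s/]+)\s+(?P<pw>\*|[^\s/]+)",
    re.IGNORECASE)

# constructed records, one JSON object per line (real field names, invented values)
CONSTRUCTED_EVENTS = "\n".join([
    r'{"EventID": 4724, "SubjectUserName": "helpdesk-svc", "TargetUserName": "bob"}',
    r'{"EventID": 4724, "SubjectUserName": "alice", "TargetUserName": "bob"}',
    r'{"EventID": 4688, "SubjectUserName": "alice", '
    r'"NewProcessName": "C:\\Windows\\System32\\net1.exe", '
    r'"CommandLine": "C:\\Windows\\system32\\net1 user bob *"}',
    r'{"EventID": 4688, "SubjectUserName": "alice", '
    r'"NewProcessName": "C:\\Windows\\System32\\net1.exe", '
    r'"CommandLine": "C:\\Windows\\system32\\net1 user"}',
    r'{"EventID": 4688, "SubjectUserName": "alice", '
    r'"NewProcessName": "C:\\Windows\\System32\\notepad.exe", '
    r'"CommandLine": "notepad net user bob *"}',
])


def parse_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (signal, actor, target account) tuples for suspicious resets."""
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev.get("EventID") == 4724:
            subject, target = ev["SubjectUserName"], ev["TargetUserName"]
            if subject.lower() not in APPROVED_RESETTERS:
                alerts.append(("4724", subject, target))
        elif ev.get("EventID") == 4688:
            exe = ev.get("NewProcessName", "").lower()
            m = NET_USER_SET_PASSWORD.search(ev.get("CommandLine", ""))
            # the image check stops a matching string inside an unrelated program's
            # arguments from firing (last constructed record)
            if m and exe.endswith(("\\net.exe", "\\net1.exe")):
                alerts.append(("4688", ev["SubjectUserName"], m.group("account")))
    return alerts


def sample_alerts() -> List[Tuple[str, str, str]]:
    return analyse(parse_events(CONSTRUCTED_EVENTS))


if __name__ == "__main__":
    for signal, actor, target in sample_alerts():
        print(f"[{signal}] {actor} set a password for {target}")
```

The two signals complement each other: 4724 is always logged when Account Management auditing is on, whatever tool performed the reset, while 4688 with the command line pins the activity to net.exe and to the interactive session that ran it. Both fire for legitimate help-desk work as well, which is why the allow-list of approved principals belongs in the rule.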

Privilege Escalation Tool: Active@ Password Changer

• Active@ Password Changer resets local administrator and user passwords.


Privilege Escalation Tools

• Offline NT Password & Registry Editor (Linux: chntpw)

How to Defend Against Privilege Escalation

• Restrict interactive logon privileges.
• Use encryption to protect sensitive data.
• Run users and applications with the least privileges they need.
• Reduce the amount of code that runs with a particular privilege.
• Implement multi-factor authentication and authorization.
• Perform debugging using bounds checkers and stress tests.
• Run services as unprivileged accounts.
• Test operating system and application code thoroughly for errors and bugs.
• Implement a privilege separation methodology to limit the scope of programming errors and bugs.
• Patch the systems regularly.
