Privilege escalation can be defined as an attack that involves gaining illicit access to elevated rights, or privileges, beyond what is intended for or entitled to a user. This attack can involve an external threat actor or an insider. Privilege escalation is a key stage of the cyberattack chain and typically involves the exploitation of a privilege escalation vulnerability, such as a system bug, a misconfiguration, or inadequate access controls. In this blog, I will explain how privilege escalation works, the key attack vectors involved in privilege escalation, and the critical privileged access security controls you can implement to prevent or mitigate it.
Types of Privilege Escalation:
- Horizontal privilege escalation involves gaining access to the rights of another account—human or machine—with similar privileges. This action is referred to as “account takeover.” Typically, this would involve lower-level accounts (i.e., standard user accounts), which may lack proper protection. With each new account compromised horizontally, an attacker broadens their sphere of access at the same privilege level.
- Vertical privilege escalation, also known as a privilege elevation attack, involves an increase of privileges/privileged access beyond what a user, application, or other asset already has, typically starting from a low level of privilege. In order to bypass or override privilege controls, or to exploit vulnerabilities in software, firmware, or the kernel, the attacker may need to take a number of intermediate steps (such as running a buffer overflow attack). They may also need to obtain privileged credentials for other applications or the operating system itself. According to the Microsoft Vulnerabilities Report 2021, 44% of all Microsoft vulnerabilities in 2020 involved elevation of privilege flaws.
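The horizontal/vertical distinction above is also how a defender should label account transitions seen in audit data. The following is an added example, not code from the original post: it parses a few constructed syslog-style `sudo` and `su` lines and classifies each transition as horizontal (same privilege tier, different account) or vertical (higher tier). The account-to-tier mapping and the log lines are constructed for the example; in practice the tiers would come from a directory or IAM inventory.

```python
"""
Classify account transitions in audit records as horizontal or vertical
privilege escalation. Added illustration, not from the original post;
the privilege tiers, account map and log lines are all constructed.
"""
import re
from dataclasses import dataclass

# Constructed privilege tiers: a higher number means more privilege.
TIERS = {"guest": 0, "user": 1, "service": 1, "admin": 2, "root": 3}

# Constructed account -> tier map, standing in for a directory lookup.
ACCOUNTS = {
    "guest": "guest",
    "alice": "user",
    "bob": "user",
    "svc-backup": "service",
    "opsadmin": "admin",
    "root": "root",
}

# Constructed sample lines in a syslog-like format (not real logs).
SAMPLE_LOG = """\
Mar 10 09:12:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 10 09:15:44 host su[2211]: Successful su for bob by alice
Mar 10 09:20:09 host su[2390]: Successful su for opsadmin by bob
Mar 10 09:25:30 host sudo:    bob : TTY=pts/1 ; PWD=/tmp ; USER=svc-backup ; COMMAND=/usr/bin/id
"""

# sudo logs "<invoking user> : ... USER=<target user> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<src>\S+) : .*?USER=(?P<dst>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# su logs "Successful su for <target> by <invoking user>"
SU_RE = re.compile(r"su\[\d+\]: Successful su for (?P<dst>\S+) by (?P<src>\S+)")


@dataclass
class Transition:
    src: str   # account that initiated the switch
    dst: str   # account whose rights were obtained
    kind: str  # "vertical", "horizontal", "none" or "unknown"


def classify(src, dst):
    """Label a src -> dst account switch by comparing privilege tiers."""
    if src not in ACCOUNTS or dst not in ACCOUNTS:
        return "unknown"          # not in inventory: worth a look on its own
    src_tier = TIERS[ACCOUNTS[src]]
    dst_tier = TIERS[ACCOUNTS[dst]]
    if dst_tier > src_tier:
        return "vertical"         # gained a higher privilege level
    if dst_tier == src_tier and src != dst:
        return "horizontal"       # took over a peer account
    return "none"                 # same account, or dropped privileges


def parse_transitions(log_text):
    """Extract every sudo/su account switch from the log and classify it."""
    found = []
    for line in log_text.splitlines():
        match = SUDO_RE.search(line) or SU_RE.search(line)
        if not match:
            continue
        src, dst = match.group("src"), match.group("dst")
        found.append(Transition(src, dst, classify(src, dst)))
    return found


def summarize(transitions):
    """Count transitions per kind, the figure a dashboard would track."""
    counts = {}
    for t in transitions:
        counts[t.kind] = counts.get(t.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for t in parse_transitions(SAMPLE_LOG):
        print(f"{t.src:>10} -> {t.dst:<10} {t.kind}")
    print(summarize(parse_transitions(SAMPLE_LOG)))
```

On the sample data the script reports two vertical transitions (alice to root, bob to opsadmin) and two horizontal ones (alice to bob, bob to svc-backup). The point of keeping "horizontal" as its own label is that a peer-to-peer switch never raises an alert in tooling that only watches for root, yet it is exactly the account-takeover step the text describes.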
How does Privilege Escalation Work?
Every local, interactive session or remote access session represents some form of privileged access. This encompasses everything from guest privileges allowing local logon only, to administrator or root privileges for a remote session and potentially complete system control. Therefore, every account that can interact with a system has some level of privilege assigned.
A standard user rarely possesses rights to a database, sensitive files, or anything of value. So, how does a threat actor navigate an environment and gain administrator or root privileges to exploit them as an attack vector? There are five primary methods:
- Credential exploitation
- Vulnerabilities and exploits
- Social engineering