One of the most common security vulnerabilities that are both easy to happen and usually overlooked is privilege escalation. It is one of the means that facilitate a hacker’s work in breaking into unauthorised computers and accessing privileged information. Privilege escalation differs from other cyberattack methods in going beyond giving the hacker access to the victim’s data. With privilege escalation, the hacker can reach the root level of the system, causing irreparable damage in the process.
What’s Privilege Escalation in depth? The points we’ll discuss in this article are the different types of privilege escalation attacks, how to detect them, and what means and tools you can use to prevent them from happening.
Table of Contents
What Is a Privilege Escalation Attack?
A privilege escalation attack is when a hacker uses common vulnerabilities in an organisation’s system to gain unauthorised access to its network. This type of attack has spread wildly due to the lack of focus on the granted access permissions within the organisation. This lack of monitoring allows the hacker to track a weak link in the organisation’s security chain. When they gain access to an account with weak credentials, not necessarily with high-level access permission, hackers can then use this account to make their way up the permission chain and reach sensitive organisation data.
The reason behind calling it a privileged attack is that the attackers use their unauthorised access to obtain privileges through the security chain. This means they can execute commands, steal sensitive data, and cause great harm and loss to application servers and operating systems, damaging the company’s reputation. An additional step the hacker takes is creating backdoors in the organisation’s network to reaccess the system if the initial attack is discovered.
How Does a Privilege Escalation Attack Work?
The most common entry point used by attackers to conduct a privilege escalation attack is by exploiting the system’s own vulnerabilities to gain access; however, this is not the only entry point. Aside from weak credentials, attackers look for vulnerabilities in the interfaces of application programs and the servers of web applications. After the attacker can access the system, he can authenticate himself as a developer and access these interfaces or servers to begin his attack.
Five methods give an attacker access to a user’s account. These methods are malware, social engineering, system vulnerabilities, system configurations, and exploiting weak credentials. After the hacker gains access through any of these malicious actors, he can continue climbing up the access chain until he reaches an administrative account in the system.
After gaining initial access to the system, the attacker uses one of three techniques to conduct the privilege escalation attack:
1. Bypassing User Account
Administrators use user accounts to control who has access to what; hence they control who has access to applications and software. This means that until an administrator increases a user’s privileges, this user cannot access data beyond their initial standard permission.
2. Access Token Manipulation
The attacker here cuts off a command chain created by an authorised user and manipulates the system into believing another user issued this command. If the attacker achieves this goal, he can infiltrate the system and gain additional access.
3. The Use of Valid Accounts
The attacker uses social engineering, such as phishing, among other methods, to steal employee access credentials. Once he can access the organisation’s network, he can use these stolen credentials to bypass the system’s access control and access other resources on the network, elevate his access level, and ultimately reach the network’s root level.
What Types of Privilege Escalation Attacks are there?
A privilege escalation attack is either vertical or horizontal, and they differ according to the attacker’s goal of launching the attack:
1. Vertical Privilege Escalation Attack
When the hacker gains access to the network and imitates legit users’ operations, this is called a vertical privilege escalation. The level of access the hacker needs stops at the account he hacked because this account allows him to access all the data he intended to steal. Since the hacker will typically stop at the level of initial access he got, it makes discovering vertical privilege escalation easy to track and eliminate. You can track the compromised account and change its credentials or revoke its permissions altogether.
2. Horizontal Privilege Escalation Attack
When the hacker misuses the privileges of the legitimate user to further his permissions after gaining unauthorised access to the network, this is called a horizontal privilege escalation attack. The hacker gains initial access to the user’s account through phishing campaigns. From there, the hacker either uses additional hacking tools like Metasploit to identify system vulnerabilities or exploits common vulnerabilities such as outdated software. In both cases, the attacker is at an access level where he can cause severe damage to the organisation’s work and reputation.
Examples of Privilege Escalation Attacks
After understanding what a privilege escalation attack is, its types, how it works, and the techniques the attacker uses, we can better comprehend the following real-life examples of this vicious cyberattack and how they work in the system:
1. Windows Sticky Keys
A Windows Sticky Keys attack form of privilege escalation is the easiest one. The easiness of this attack comes from having physical access to one of the system’s machines and the ability to boot using a repair desk. After booting from the disk, you must press the SHIFT key five times to alter the system file responsible for the sticky keys function.
2. Windows System Internals
For the Windows system internals method to work, the attacker has to have a backdoor into the system, such as from a previous attack or the Windows Sticky Keys method. The attacker must then elevate his privileged access to the administrative level to regain access to accounts with backdoors until he can access the root or system levels.
3. Process Injection
To use process injection as a method for a privilege escalation attack, the attacker will need to have elevated access than the regular user access. A process injector is part of penetration testing where the injector can enumerate all the processes run by the system and track the account initiating and controlling these processes.
4. Linux Passwd User Enumeration
This tool is exclusive to Linux systems and is a simple enumeration of all accounts on the system. The attacker doesn’t need elevated access here, just access to the system’s shell through misconfigured servers. The attacker can then use the “passwd” command to enumerate the accounts.
5. Android and Using Metasploit
Metasploit resembles a library listing possible vulnerabilities in Android systems and the privilege escalation doors to access a rooted Android system. Metasploit creates an executable file called Superuser Binary, which allows the attacker to run commands as root on the Android system and either evoke the legitimate user’s access to their Android device or exploit the user’s actions to harvest data.
How to Detect a Privilege Escalation Attack?
Detecting a privilege escalation attack is tricky, mainly due to the attacker using a regular user’s account, deleting event logs, and shadowing IP addresses. However, if you suspect you’re under a privilege escalation attack, you must deal with all entry points to the system as under attack. Take these points into consideration and study them well:
- Identify the main compromise point.
- Which vector was used for the initial threat?
- What permissions and privileges was the attacker able to obtain?
- Which accounts did the attacker target and why?
- The amount of damage caused.
- Suppose your system uses Windows OS, and the attacker tried to use access tokens as a tool for privilege escalation. In that case, your system will display this warning “Audit Token Right Adjusted Event Notification (4703)”.
- If your system uses Linux OS, the best way to keep privilege escalation attacks at bay is by keeping an updated Linux Kernel and following its security policies, which are programmed to detect privilege escalation attacks, among other cybersecurity attacks. New versions of the Linux Kernel have embedded tools that allow them to scan for and detect privilege escalation attacks, among other security threats.
How to Prevent Privilege Escalation Attacks? What Tools to Use?
A privilege escalation attack is sneaky and difficult to spot, but there are many ways to protect your system, users, data, and business from this vicious attack. These are our tips to prevent privilege escalation attacks in the future.
1. Protect and Scan Everything
A real-time security program isn’t enough to detect all possible threats to your system. You need to regularly scan your system and the components of its IT infrastructure for common vulnerabilities to prevent any new threats from gaining access. A vulnerability scanner is the best tool for looking for insecure and unpatched applications, operating systems, weak passwords, misconfigurations, or any other possible vulnerability.
On the other hand, it’s not practical to update or patch all unpatched applications or systems as a means of avoiding vulnerabilities because it’s impractical in large-scale production systems or organisations. Instead, you can add extra security levels, such as using a Web Application Firewall, which can detect and stop malicious attacks at the network level. The WAF will protect the underlying system even if it is unpatched or outdated, keeping privilege escalation and other attacks at bay.
2. Manage Privilege Accounts
Your security team needs to have a complete list of all the accounts in your organisation, where they are allowed to work on the system, and what they have access to. The sensitivity of the data privileged users deal with is why it’s vital to manage all privileged accounts in your system and ensure they are all properly secured and using their granted privileges only.
For further control of privileged accounts, you can limit the number of these accounts and keep track of the operations they undertake on the system and keep a log of these operations. You can also analyse each account for potential threats or risks that might arise from this account or if it has an attacker’s backdoor.
Since you should limit the number of privileged accounts, scanning for vulnerabilities and locating threats will be easier, which isn’t possible if privileged access is granted to many employees. Additionally, you can use prevention measures whenever you can and prevent your admins from sharing their login credentials.
3. Keep an Eye on User Behaviour
Apart from keeping an eye on privileged accounts, it would be best to keep an eye on the behaviour of your regular users as well. Traditionally, the attacker will target accounts that have system access. Still, if he succeeds in doing so, he can infiltrate the system and go undetected for some time on the network.
It’s difficult to monitor each user account, especially if you’re a large organisation; this is why it’s best to use a User and Entity Behavior Analytics tool, which monitors user activity over time to create an outline of the activity of each user. The tool later uses this outline to identify irregular behaviour in each account that could indicate a possible vulnerability or compromise the system.
For each user, the UEBA tool creates a profile with the user’s resources, location, data files and the services frequently used by the user, any specified access to internal or external networks, the number of hosts, and the number of executed processes. UEBA uses this baseline to identify whether the user deviates from this line and detects a possible attack.
4. Enforce Strong Password Policies
When devising the cybersecurity plan for your organisation, make it a necessity that users choose strong passwords to protect their accounts. You can also employ multi-factor authentication to ensure these passwords are as protected as possible. The organisation’s IT team can use tools such as password auditors, which scan the system for weak passwords and help avoid them by suggesting strong passwords to your users.
Moreover, organisations can employ enterprise password management tools. Such tools will help users generate and create secure and complex passwords that comply with the policies of any services requiring authentication, such as multi-factor authentication. Using MFA to protect the password manager will protect the saved passwords from possible hackers. Enterprise password management tools include Dashlane, Keeper, and 1Password.
5. Secure Your Database
Vulnerable user input fields and databases can easily allow access to skilled attackers. This is why it’s imperative to use practical tools such as strong authentication to make sure the input fields and databases are well protected from possible malicious code that could eventually lead to system access.
One of the best practices to this end is the encryption of all data, both in transit and at rest, to ensure the attacker can’t easily use the data. After that, you can patch all databases and sanitise all user inputs. Additionally, you can leave most files as read-only while granting write access to the users who absolutely need it. This will help you narrow the number of users responsible for altering any organisation files.
6. Train Your Users
Statistics have continuously proven that the human factor is the weakest link in any organisation’s security system. This emphasises the necessity of properly training employees to effectively and securely perform their tasks and detect a breach in their computer or operating system. Proper training includes guidelines to scan any incoming links, attachments, and emails for possible malicious factors to prevent any unwanted visitors from gaining access to the system.
Additionally, as an organisation, you must have a response plan or an action plan in the event of the discovery of a cyberattack or unwanted visitors on the network, and you must make sure everyone knows of this plan and what they can do to help execute it. Immediate response upon discovering an attack on the network is crucial in eliminating this threat. It will give your IT team the time to deploy the proper tools to handle the danger.
Unfortunately, the means of cybersecurity attacks keep developing. However, no matter how evolved they become, you can still deploy robust tools to help you keep your data and business safe. So, stay well-informed of these developments and protect yourself.