When attackers attempt to steal data, having insider access to a system is their best bet. And if that insider access is gained through a privileged account that holds the keys to critical systems and data, that would be like hitting the jackpot—but only for the attackers. This is why we consider privilege escalation, the attempt to compromise an account and then expand its privileges, a key component of nearly all advanced cyber attacks.
Let's now explore privilege escalation, along with its different types, common techniques used by attackers and defenders to achieve it, and what organizations can do to mitigate this very common, and very dangerous, cybersecurity threat.
- What is privilege escalation?
- How many types of privilege escalation are there?
- Privilege escalation techniques
- How to prevent a privilege escalation attack
- Final words
What is privilege escalation?
In order to enter a network and reach their final objective—data exfiltration—cyber attacks typically follow a sequence of techniques. During the first stage, reconnaissance, attackers plan and research a prospective target by gathering personal or company information. And to gain more intel about the target, phishing emails are often used.
Using the information gathered and analyzed, the attacker can successfully compromise a system, usually by gaining access with a low-level account. In this scenario, and phase of the cyber attack life cycle, attackers look around the network, map it and search for exploitable vulnerabilities. The level of access they have in this phase won't get them to the desired data, so they would need to obtain access to more sensitive information and other parts of the system. This is when attackers attempt privilege escalation to gain more permissions—privileges and access to additional systems.
"Privilege escalation", therefore, is defined by the techniques and activities attackers use to gain elevated permissions and access to a system, network or applications. Attackers exploit vulnerabilities, system weaknesses and misconfigurations after they've successfully compromised the system through a low-level account, and now need to heighten their privileges to study the system and carry out the cyber attack. Generally, any violation of set boundaries for account and user permissions is considered a privilege escalation.
Unfortunately, attackers often have a clear pathway for privilege escalation with organizations burdened by inadequate security controls and measures. These include the lack of enforcing the least-principle privilege, which states that a user should be given only those privileges needed to complete their tasks and nothing more.
Privilege escalation exploits are pieces of code that release a payload focusing on finding known vulnerabilities—CVEs—in the target system. Executing that exploit will allow attackers access to sensitive data and the ability to corrupt, destroy or steal it and disrupt business operations, or simply remain in the network to execute further attacks and establish persistence.
How many types of privilege escalation are there?
There are two main types of privilege escalation: horizontal and vertical.
Vertical privilege escalation
Vertical privilege escalation can best be illustrated with a look at a phishing email. Take, for example, the standard email message that appears to come from a service or website you use: "We have noticed unusual activity from your account. Please click this link and log in to verify your identity". If you were to actually fall for this, and click that link to log in, you would likely be taken to a webpage mimicking the authentic website, where once you input your credentials, the attacker would be able to use them and gain access directly to your account. The attacker could then perform the same actions you and your account have permissions for.
This type of privilege escalation is the "easier" of the two, as it doesn't entail elevating permissions. Attackers don't work by upgrading the privileges of the account they've compromised, they simply use the privileges granted with that account.
Horizontal privilege escalation
Now this is the more complex and sophisticated type of privilege escalation. In horizontal privilege escalation, attackers would, once they sent the above-mentioned phishing email and managed to compromise the account, need to elevate permissions with it. Let's say that the email is sent from "PayPal": Once attackers gain access to your account, they attempt to gain admin privileges. With horizontal privilege escalation, attackers need to use more sophisticated techniques and tools, exploit known security vulnerabilities, etc.
Once attackers have gained elevated privileges they would be able to steal sensitive data, destroy data, execute malware, and all in all wreak havoc on compromised systems and networks. Higher permissions and admin privileges also give attackers the ability to remove logs as well as any evidence that the account and system are compromised. This means an attack can remain undetected for longer periods of time, such as we see with advanced persistent threats.
Privilege escalation techniques
There are numerous privilege escalation techniques attackers use to gain high-level permissions and privileges. Additionally, blue teams use the same techniques in order to test an organization's susceptibility to privilege escalation. We'll be talking about the most common privilege escalation techniques in use, but a more in-depth list can be found here.
Privilege escalation on Linux
While organizations are generally more likely to run Windows clients, Linux is still often used in the workplace. When an organization's most critical infrastructure is running on a Linux OS, guarding against vulnerability to Linux privilege attacks is crucial in keeping their security posture.
There are several different techniques used for privilege escalation on Linux:
Kernel exploits are programs that leverage kernel vulnerabilities to execute arbitrary code with elevated permissions. If successful, kernel exploits allow attackers access in the form of a root command prompt. Often, escalating to root in Linux is as simple as downloading the kernel exploit to the target system, compiling the exploit, and executing it. One of the more (in)famous Linux kernel exploits is the DirtyCow.
Older versions of the Linux kernel were vulnerable and the exploit allowed attackers to make read-only memory mappings writable. DirtyCow is a local attack, meaning that it must be combined with other techniques in order to gain root access, but it is one of the more serious privilege escalation vulnerabilities ever discovered, affecting almost all of the big Linux distros.
Common Linux privilege escalation attacks are carried out by enumerating the user accounts on a machine. In order to execute the attack, an attacker needs access to the shell of the system. Once they gain shell access, they're able to list all users on the machine.
Exploiting SUID executables
SUID stands for "set user ID", and is a Linux feature that, when used properly, actually enhances Linux security and allows users to execute a file with the permission of a specific user. We can see this by using the ping command as an example: ping command on Linux usually needs root permissions in order to open network sockets. Making the ping the SUID with the owner as root, and with ping executables with root privileges, ping would execute with root privileges anytime it's used.
For example, older versions of Nmap have a functionality where you can run Nmap in an interactive mode which allows users to escape the shell. Often, admins set the SUID to Nmap so that it can be used to scan the network properly, as not all Nmap scanning techniques work if you don't run it with root privilege. If Nmap has an SUID set it will run with root privileges and allow attackers to gain access to the root shell.
Exploiting SUDO rights
When unable to gain root access with different techniques, attackers might try and compromise users who have SUDO access—SUDO is a Linux program that lets a user run programs with the privileges of another user. While SUDO rights don't have to be configured to allow all access to all users that have them, and can allow users to run only a few commands, this can still lead to privilege escalation. If an attacker gets access to any of the SUDO users, this basically means they now have root access and can execute commands with root privileges.
Privilege escalation on Windows
The Windows operating system has many privilege escalation methods. Here are four of the most common:
Access token manipulation
One of the most common privilege escalation techniques is access token manipulation. Windows uses access tokens to determine the ownership of running processes, and access token manipulation exploits this. With this technique, attackers manipulate the access tokens and trick the system into believing that the running process belongs to someone other than the user that started it. The process then takes on the security context from the attacker's access token.
Attackers can perform access token manipulation by duplicating a token using the DuplicateToken(Ex) function and then use ImpersonateLoggedOnUser function to call a thread and impersonate a user's security context, or SetThreatToken function to assign the fake token to a threat. They can also create a new process using the impersonated token with CreateProcessWithTokenW function, in conjunction with the DuplicateToken(Ex) function. Additionally, attackers can use credentials to create a token using the LogonUser function, by creating a logon session (without logging in), obtaining a new token and using SetThreadToken to assign it to a thread.
Bypassing user account control
The user account control (UAC) feature on Windows works to control privileges of all users on a network and creates a distinction between "normal" users and those users with admin privileges. UAC limits all applications to standard user permissions until an admin authorizes upgrading the privileges, making only apps trusted by the user able to receive admin privileges.
Sounds great? Well, it is if it's protected properly. If it isn't, some programs are allowed to elevate privileges or execute Component Object Model (COM) objects with admin privileges.
Using valid accounts
Attackers can use phishing emails, credential dumping and other credential access techniques to obtain the credentials of a specific user. Once they obtain those credentials they are in the network—able to bypass access controls, access remote systems and services and reach higher levels of permissions.
DLL search order hijacking
Attackers may execute their own malicious payloads by hijacking the search order used to load DLLs. Hijacking DLL loads can be used for establishing persistence in the network and to elevate privileges and evade restriction on file execution. They can achieve DLL search order hijacking by replacing an existing DLL or modifying a .manifest or .local redirection file, directory or junction, and perform search order DLL hijacking on a vulnerable program that has high privilege access.
How to prevent a privilege escalation attack
Privilege escalation is one of the most a common types of cyber crime, and a usual step in the attacker's trajectory toward successful data theft or other goal. As privilege escalation works to exploit both human psychology (with social engineering tactics) and security vulnerabilities commonly found in operating systems and applications, following strategic tactics to maintain a good security posture can go far in preventing an organization's ordeal with privilege escalation.
Privileged account management
Privileged accounts are regarded as those accounts with the most "power" in an IT environment. These include the Windows administrator, UNIX root, database administrator and other accounts used by security and IT teams to set up the architecture, install new software, run critical services and conduct maintenance. Privileged accounts hold the keys that access highly sensitive data and digital assets which, if left in the wrong hands, can have detrimental security, business and reputational effects.
Privileged account management, or PAM, is part of identity and access management, —or IAM, which handles the protection and management of those privileged accounts. Some best practices would be to maintain a complete and updated list of all privileged accounts on your network; store their privileged identities (such as passwords, SSH keys and SSL certificates); and secure and audit all identity-related operations such as privileged account logins, password access attempts, credential reset activities, and the like. Additionally, monitor all privileged accounts in real time.
And, for possibly the most important part of PAM, follow the principle of least privilege, which is based on allowing users only the amount of access needed to fulfill their role in the organization. Using the least-privilege principle aids organizations in reducing the amount of risk if attackers do manage to get into the network by compromising low-level accounts. We talked about this principle in our Zero Trust blog post, so be sure to read it for a more in-depth look.
Strong password policies
Adding to privileged account management are password policies that go beyond protecting only privileged accounts. As privilege escalation begins with taking over a low-level account, having a strong, organization-wide password policy will go far in making sure attackers don't have open doors to infiltrate your network.
Some of the best practices for establishing and maintaining strong password policy is ensuring users have complex and unique passwords for each of their accounts, that the passwords are changed periodically, that weak passwords are flagged, and that 2FA and MFA are used for an additional layer of security.
An enterprise password manager is a great solution that empowers organizations to more effectively enforce these policies, and for more info you can check out the blog post on our favorite secure password managers.
SQL injection is a perfect example of one of the most common vulnerabilities attackers use. Attackers can leverage this vulnerability for unauthorized access and privilege escalation.
SQL injection vulnerability is also one of the oldest, most prevalent and even one of the most dangerous application vulnerabilities in existence. This vulnerability can affect any website or application that uses an SQL database. Attackers can use it to find credentials of other users in the database and impersonate them, and with the impersonated accounts having admin database privileges, this can lead to privilege escalation. Attackers can also leverage SQL's ability to select and output data from the database, and use SQL injection to gain complete access to all data in the database server, alter that data or add new data.
Employing best practices in database security such as treating all user input as untrusted will go far as any user input used in an SQL query carries a risk of SQL injection. Don't filter user input based on blacklists—as attackers are often able to find a way to circumvent it. Use whitelists only to verify and filter user input. Additionally, for all-encompassing database security best practices, use web application and database firewalls, encrypt all data (especially data in transit), manage database access and monitor all database activity.
Follow best development practices
With SQL injection often being the result of programming errors from developers, such as failure to preserve SQL query structure, there are other common programming errors attackers often target. These include failure to preserve web page structure which leads to cross-site scripting (XSS), failure to constrain operations within the bounds of a memory buffer leading to buffer overflow, and the like. Following best development practices will help organizations avoid these common programming errors. Some of the most notable development best practices are simplicity of code, continuous testing, and code reviews throughout the entire software development life cycle (SDLC).
Cybersecurity awareness training
It might seem like we go back to cybersecurity awareness training in every post—and you would be correct in that assumption. But it's for a very good reason. Humans are the weakest link in an organization's security chain and attackers know this all too well. The only way to protect your users from phishing attacks and other social engineering tactics is to inform and maintain a proper cybersecurity culture through security awareness training, which needs to be continuous, relevant and engaging to be truly effective.
As we've seen, privilege escalation is a crucial component in most advanced cyber attacks. For organizations, preventing and detecting privilege escalation means the ability to stop attackers before they reach their final objective.