Privileges are the permissions or right given to the user or group of systems for performing tasks that are needed to be run as a group or user. A user with privileges has the authority to perform security-relevant functions on the system. In order to take over the control of an entire network, attackers then escalate privileges to admin. Privilege escalation is a form of network intrusion where attackers leverage flaws in codes or handling methods. This allows access to the network, its associated data as well as applications.
Privilege escalation is of two kinds:
- Vertical privilege escalation: In this level of escalation, the attacker escalates his privilege to a user’s with higher privileges.
- Horizontal privilege escalation: At this level, the attacker assumes the identity of a user who has the same privileges as him.
How does an attacker escalate privileges?
If the attacker knows about the vulnerability in code flow of the running service or program, then, they can escalate their privileges. Attackers use various methods including Powershell, Executable binaries, Metasploit modules etc for escalating the privileges.
Hackers can maintain access to all the services and make them more vulnerable to exploitation. In case the services are not maintained properly and if the permissions are word-writable, then, anyone can write their scripts for execution purposes. This could result in huge damage such as capturing your confidential data or changing the flow of the data.
What are the different ways in which attackers escalate privileges?
Dumping Security Account Manager files (For Windows)
One of the most commonly adopted methods to escalate privileges is to dump Security Account Manager files. Security Account Manager or SAM files contain encrypted passwords. The attacker steals password hashes from these files and easily accesses the system.
Sensitive information stored in shared folders
Shared folders are infamously exploited because these folders usually contain sensitive information. These folders have either a few restrictions or sometimes none.
Attackers can exploit vulnerabilities such as buffer overlow that might be exploited for executing arbitrary code with privileges elevated to the Local System. If errors are not handled correctly, system service that is impersonating the lesser privilege user, can elevate that user’s privileges.
Cross Zone Scripting
This is a type of privilege escalation attack where a website destabilizes the security model of web browsers, thus, letting the malicious code run on client computers.
How can we prevent privilege escalation?
According to experts following mitigation techniques can help in preventing the escalation of privileges:
- Network Administrators must check the program or service permissions correctly. Issues must be resolved as soon as possible so that there is no misconfiguration.
- Use docker containers or virtual machines for remote services such as login to the client user, for mitigation or to decrease the misconfiguration detection as well as the exploitation of services by the attacker.
- Assess machines that switch permissions or might cause any other harm.
- Avoid the use of multiple scripts for different purposes since this can make it difficult to check the proper permissions of the script running.
- While these mitigation techniques are effective, it is important to inculcate the practice of regular vulnerability assessment and penetration testing. Pen testers invade the network, device or an application to achieve privilege escalation. In case of a successful attempt, testers will work on patching up the entry points that might lead to privilege escalation.
Cybersecurity companies like Kratikal have an expert team of pen testers that have provided VAPT services to 80+ clients globally. Companies should conduct Vulnerability Assessment and Penetration Testing periodically. The regular penetration testing will secure your system against any unauthorized access and prevent irrevocable damage to the organization.