Privilege escalation

 

Content in this page

  • What is privilege escalation?
  • About privilege escalation
  • Privilege escalation: Techniques
  • Privilege escalation: Security best practices and detection
  • Detection and remediation through Log360

What is privilege escalation?

Privilege escalation is the act of evading established access and authorization controls in an enterprise network to gain elevated privileges and access critical network assets. It is the intermediate phase in the cyber kill chain and one of the 14 major attack tactics in the MITRE ATT&CK framework. A threat actor with escalated privileges can exploit that to steal data, tamper with security settings, and persist on the network to launch multiple attacks.

About privilege escalation

Understanding privileges in an enterprise network

Enterprise networks consist of various resources for internal use such as file servers, print servers, business-specific applications hosted on their data center, and services running locally on individual systems. Users need to log on to the network using their account credentials to access these resources. The user accounts give users an identity on the network and each has associated privileges.

There are two main factors that help define what privileges mean:

  • The entities that a user is authorized to access.
  • The actions that a user is allowed to perform like view, alter, create, share, and execute.

Accounts and privileges

  • Local account privileges The user accounts created and stored on individual systems are known as the local accounts. The procedures for creating them, where they are stored, and how privileges are assigned will vary with different OS environments like Windows and Linux. These accounts are limited to their systems and can be elevated to gain root access, but they cannot be used on other systems. In general, local accounts can be used to do activities like accessing files and applications stored on the local drive, web browsing, and using some of the shared network resources with limited permissions.
  • Domain-level privileges Active Directory (AD)—the commonly used directory service to centrally store and manage all network entities—comprises a hierarchical structure of users and resources divided into multiple groups called domains. The user accounts have domain privileges to log in to any system on the domain and access the associated resources. Special trust relationships will be established to allow access to resources on other domains. To further control the user privileges, role-based access controls (RBAC) can also be implemented on a domain level.

    Now that privileges on a network are defined, let's understand how privilege escalation works.

Privilege escalation: Techniques

Given that an attacker has already compromised an account on the network with basic privileges, here are the different techniques that can be used to escalate those privileges:

System-level escalations

  • UAC bypass In Windows systems, the services, processes, or applications are launched with low privileges by default. When users want to run any application or process with admin privileges, the UAC on Windows systems prompts them for confirmation. Malicious actors with reverse shell access will bypass UAC by hijacking processes that can auto-elevate and run without prompting the users. They create new child processes with inherited privileges or inject arbitrary code into the files of those services.
  • Kernel exploits: Enumeration Kernel exploits are done to gain root access on a system and make OS-level changes. Using reverse shell access, an attacker can obtain details such as the kernel version of the system, processes running on the system and the privileges they have, users and their privileges, cached data, and more.

    There are detailed enumeration cheat sheets with commands for different OSs. Just with the simple detail of the kernel version, the threat actors can find active vulnerabilities for that version available openly on the internet. Or, they can proceed to perform a vulnerability scan and deploy a suitable exploit using tools like SearchSploit and Linux-Exploit-Suggester.

  • Boot logon autostart exploit Windows allows certain applications to auto-start post logon. These can be web browsers or security programs like Microsoft Defender and antivirus software. The Startup folder stores the shortcuts to all these apps and launches them with the privileges of the users who log on. If the threat actors gain write permissions to this folder, they can add malicious applications, then when administrators log on to this system, these malicious apps will be launched with elevated privileges.

Domain-level escalations

  • Tampering domain group policies through DC replication Attackers can launch a rogue domain controller (DC) through SID history injection, which can be used to add users, change permissions, and modify critical policies. Any changes made by a DC will be replicated in all other DCs in the domain and the replication stream activities are not logged. This helps threat actors to quickly gain elevated domain privileges, make permanent changes which will be applied on the actual DCs, and eventually disappear without detection by unregistering the rogue DC. Tools like Mimikatz can be used for this attack.
  • Protocol vulnerabilities - Kerberoasting The Kerberos authentication protocol issues ticket granting tickets (TGTs) to access the domain services. These tickets are generated by DCs and can be used to authenticate users without requiring credentials everytime. Attackers can forge these tickets by adding the SID, username, and group id of privileged accounts, and increase the lifetime of the ticket to be valid for years. This gives a free pass to access all the critical domain services.
  • Exploiting certificate misconfigurations Active Directory Certificate Services (AD CS) issues certificates to authenticate users, devices, and services, and to secure communication through public key encryption. Attackers leverage enumeration techniques to get details of the certificate templates with weak settings and configurations or with elevated permissions to generate new certificates with those templates.

Privilege escalation: Security best practices and detection

Privilege escalation activities and techniques are vast and can't be put down in a finite list to track and monitor. The UAC bypass technique alone has 60+ known methods for implementation, including exploits for open vulnerabilities on Windows OS with no patches released so far. The best bet for organizations is to implement strict access control policies, follow the best practices religiously, and never let a threat actor proceed till privilege escalation.

Here are some of the best practices to be followed and the detection mechanisms to use in case privileges get escalated.

Best practices

  • Implement access control policies like role-based access control (RBAC), mandatory access control (MAC), and discretionary access control (DAC).
  • Enforce multi-factor authentication (MFA) and strong password policies.
  • Enable log collection on your devices, retain your logs, and deploy tools like SIEM and UEBA to continuously monitor and correlate activities.
  • Conduct penetration testing periodically to be aware of the vulnerabilities on your network.
  • Keep your OS environment and applications updated with the latest patches. Have a system to automate patch management.

Detection

Privilege escalation detection requires proactive monitoring and hunting for indicators of compromise like:

  • Unusual logon activities, as well as files and applications accessed by accounts with low privileges for the first time.
  • Indicators of access token manipulation, process injection attacks, and SID history injection.
  • Launch of DC sync and DC shadow attacks, and the presence of forged Kerberos tickets.
  • Unauthorized changes made to services that run with administrator privileges.
  • Detecting the use of command line tools like Mimikatz and SearchSploit.
  • System events like sudden application crashes, system shutdowns, and malfunctioning caused by the presence of malware and threat actors tampering with the OS and Kernel.

Enhance your security posture by leveraging the capabilities of Log360

Let our experts evaluate your security requirements and demonstrate how Log360 can help satisfy them.

  • Please enter a valid text.
  • Please enter a valid text.
  •  
  • -Select-
By clicking 'Personalized demo', you agree to processing of personal data according to the Privacy Policy.

Thank you for reaching out to us.

We will get back to you shortly.

Learn how Log360 can combat privilege escalation attacks with a suite of security features like:

  • Real time network monitoring
  • Machine learning based anomaly detection
  • Correlation of network events
Explore with our 30-day free trial

Detection and remediation through Log360

  • Detection through correlation
  • Investigation through reports
  • Real-time alerts
  •  

Detection through correlation

Log360 offers around 40 predefined correlation rules that are precisely created to match attack patterns and avoid raising false alerts. The following rules can be used to detect possible privilege escalation attempts:

1. Suspicious file access: Tracks modification of a file after multiple attempts to access it.

2. Multiple file permission changes: This rule is matched when a user modifies permissions of multiple files within a short span of time. Event ID 4670 is used to track this.

3. Possible worm activity: This rule tracks installation of malicious services on multiple devices in a short span of time. Event IDs 601 and 4697 are used.

4. Suspicious service installed: This rule is matched when a user logs onto a system after multiple failed attempts and then installs and runs a service.

5. Repeated failed SUDO commands: User attempting and failing to run SUDO commands (which offer admin privileges).

Remediation: Once the correlation alerts are triggered, you can respond to them immediately by executing workflows to kill the process, disable the user, and shutdown the system.

Investigation through reports

MITRE ATT&CK dashboard

Log360 has an integrated MITRE ATT&CK dashboard that contains exhaustive reports for all major privilege escalation techniques, including the following:

1. Abuse elevation control mechanism: These reports track UAC bypass attacks and the different ways they can be achieved using multiple tools.

2. Access token manipulation: These reports track SID history injection and the use of tools like Meterpreter and Cobalt Strike.

3. Boot or logon autostart execution: These reports detect direct autorun keys modification by tracking the Event ID 4688.

4. Credential access reports that detect forged Kerberos tickets by tracking the result codes of TGT failure Event ID 4769.

Apart from the Mitre ATT&CK reports, Log360 has reports for Windows and Linux systems that track user logon activities, domain events, system events, application crashes, threat reports, and device severity reports.

Real-time alerts

All the reports mentioned in the investigation section are available as predefined alerts in Log360's real-time alerts dashboard. You can enable or disable the alerts, customize them to add additional criteria, and configure notifications via email and SMS.

Implement defensive strategies and incident response measures using the advanced security features of Log360.

Download now

Get the latest content delivered
right to your inbox!

 

Cyber Security - Knowledge Base

     
     

  Zoho Corporation Pvt. Ltd. All rights reserved.