Hey Folks, this is TheToySec back again with a crucial topic that every cybersecurity professional should be well-versed in: Privilege Escalation.
What is Privilege Escalation?
Privilege escalation is an attack in which an attacker gains elevated permissions on a system, moving from a low-level account to an administrator or root account. With privileged access, the attacker essentially has the keys to the kingdom – complete control over the target system to steal data, create backdoors, or conduct further malicious activity under the radar.
Vertical Escalation
One of the most common types of privilege escalation is vertical escalation: moving from a low-level user account up to a higher-privileged account such as root or admin. There are a few primary methods attackers use to achieve vertical escalation:
- Exploiting vulnerabilities in apps or services that run with elevated permissions. By compromising a process that runs as root or admin, the attacker gains the same high-level privileges.
- Cracking passwords through brute-force attacks, guessing weak admin passwords until one succeeds.
- Abusing misconfigurations in sudo/su settings or start-up scripts that unintentionally allow lower-level accounts to claim higher privileges.
- Hijacking tokens or sessions belonging to higher-privileged accounts.
- Kernel exploits targeting flaws in operating system code that runs with elevated permissions.
Real-world examples of dangerous vertical escalation vulnerabilities include the 2021 ProxyLogon Exchange flaws, the 2019 Steam Client local privilege escalation, and the 2022 Follina Microsoft Support Diagnostic Tool exploit.
Horizontal Escalation
In horizontal escalation, the attacker compromises another account at the same permission level – moving laterally between accounts of equal privilege. This often involves stealing credentials from one admin user to access another admin account. Horizontal escalation lets malicious actors expand their control and open up additional pathways toward vertical escalation.
Third-Party Escalation
A third privilege escalation technique abuses a third-party service or software component that runs with elevated permissions to gain higher privileges. For example, if a flawed driver runs with root access, the attacker may be able to exploit that driver to gain root themselves. Other examples include abusing cloud services, plugins, or scripts that hold extra permissions to elevate access.
Real-World Examples
Looking at real privilege escalation attacks helps drive home the seriousness of this threat:
The 2021 ProxyLogon attack against Exchange Server gave attackers initial unauthenticated access, which they then escalated to admin to fully compromise networks.
The 2020 Zerologon attack manipulated Netlogon cryptography to obtain domain admin privileges and fully compromise Microsoft domains.
The 2019 Capital One breach began with an improperly configured firewall, which the attacker used to reach privileged AWS instances and escalate into massive data theft.
The 2022 Follina Word document exploit targets the Microsoft Support Diagnostic Tool, using it to steal NTLM credentials and further escalate access.
Defense Strategies
Organizations can protect against privilege escalation through several essential cybersecurity best practices:
- Properly segment networks, isolate critical systems and leverage firewalls to control access between varying privilege levels.
- Harden systems by keeping software updated, limiting services/ports, restricting tools, and removing unnecessary programs.
- Implement the principle of least privilege – only grant users the bare minimum permissions necessary.
- Use multi-factor authentication for admin accounts to prevent lateral movement.
- Monitor, audit, and log privileged account activity to quickly detect attacks.
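The last point, monitoring privileged account activity, is where the vertical escalation methods above (sudo/su misconfiguration abuse and password brute forcing) actually become visible to defenders. Here is an added example (my own code, not from any tool mentioned in this post) that scans Debian/Ubuntu-style auth.log entries for three signals: sudo denials, root shells launched through sudo, and repeated failed su attempts to root. The log lines are constructed for the example, and the threshold of three failures is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from a real host), in the syslog
# format that sudo and su write.
SAMPLE_LOG = """\
Mar 10 09:01:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 09:03:11 host su[2201]: FAILED SU (to root) bob on pts/1
Mar 10 09:03:15 host su[2203]: FAILED SU (to root) bob on pts/1
Mar 10 09:03:19 host su[2205]: FAILED SU (to root) bob on pts/1
Mar 10 09:04:40 host sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 10 09:05:02 host sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar 10 09:06:00 host su[2300]: (to root) alice on pts/0
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<status>command not allowed ; )?.*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SU_FAIL_RE = re.compile(r"su(?:\[\d+\])?: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on")

# Interactive shells launched through sudo deserve review: they grant a full root session.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/sh"}
SU_FAIL_THRESHOLD = 3  # assumed: this many failed su attempts in one window is suspicious

def analyse(log_text: str) -> dict:
    """Return findings keyed by category: sudo denials (possible sudoers probing),
    root shells via sudo, and repeated failed su to root (brute-force pattern)."""
    findings = {"sudo_denied": [], "sudo_root_shell": [], "su_bruteforce": []}
    su_failures = Counter()
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            if m.group("status"):
                findings["sudo_denied"].append((m.group("user"), m.group("cmd")))
            elif m.group("target") == "root" and m.group("cmd").split()[0] in SHELLS:
                findings["sudo_root_shell"].append((m.group("user"), m.group("cmd")))
            continue
        m = SU_FAIL_RE.search(line)
        if m:
            su_failures[(m.group("user"), m.group("target"))] += 1
    for (user, target), count in su_failures.items():
        if count >= SU_FAIL_THRESHOLD:
            findings["su_bruteforce"].append((user, target, count))
    return findings

if __name__ == "__main__":
    for category, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(category, hit)
```

On a real host, point the same logic at /var/log/auth.log (or journalctl output) and feed the findings into your alerting pipeline rather than printing them.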
Thank you for reading, and enjoy your stay here!