Author: Carol Caley, PMM, Xage Security
In a recent Patch Tuesday, Microsoft shared a whopping 88 vulnerabilities. The most common type? Privilege escalation, with 36 of the disclosed vulnerabilities involving elevation of privilege. For years, many of the most-exploited vulnerabilities have involved privilege and credentials.
Privilege escalation is one of the core tactics used by attackers. The recent attacks leveraging an ESXi authentication bypass vulnerability are another prime example, where ransomware groups used the vulnerability to bypass authentication and get full administrative control of a hypervisor. Hypervisors are an appealing target because of their broad reach, controlling numerous virtual machines (VMs).
Getting control of a hypervisor is just one example of the many ways bad actors can try to elevate their privileges within different parts of an environment to help them achieve their ends, whether that’s stealing data, persisting, or deploying ransomware or malware.
Case Studies in Privilege Escalation: Big Hacks
The Microsoft Exchange Hack
2021
Microsoft Exchange Server is (and was) a widely used email server, so the Hafnium attack, which leveraged a cluster of zero-days, affected numerous organizations, including several government agencies. Attackers gained initial access to servers using the ProxyLogon exploit, and were able to use another zero-day to authenticate as the Exchange server. They then used an insecure deserialization vulnerability (CVE-2021-26857) to escalate privileges, allowing them to run code as SYSTEM on the Exchange server. They then used two additional vulnerabilities, both of which gave them the ability to write to the file system, meaning they could deploy web shells capable of enabling a wide variety of malicious actions.
The key here was SYSTEM privileges on Exchange Server. Microsoft tends to all-caps this for Exchange and Windows in general, but system privileges could also refer to other software, for example, system privileges in a database management system (DBMS). This is a good time to note that there are a lot of different places where high privileges exist, and many of them have different terminology for the varying tiers. Admin, system, and root privileges are all common terms for different types of privileged accounts, but they each have slightly different access and exist within different systems—for example, Linux vs. Windows. We’ll dig into these terms in more detail later.
Stuxnet
2010
Privilege escalation is a big deal in the context of industrial control systems (ICS), where having admin privileges means control over real-world devices like, say, centrifuges spinning at high speed in order to enrich uranium. The Stuxnet worm was unknowingly brought in by outside contractors, reminding us all that third-party vendors are an important attack vector to secure. It contained multiple zero-day exploits that allowed it to spread automatically and escalate its privileges. Centrally, it used a flaw in a Siemens PLC (CVE-2010-2772) to connect with a back-end database and gain administrator privileges.
The worm itself was an example of a kernel rootkit. In fact, it was the first rootkit specifically designed for ICS systems. We’ll talk more about the term root later on.
The SolarWinds Supply Chain Attack
This massive supply chain attack was first detected by FireEye when attackers attempted to escalate privileges. They tried to add a device to FireEye’s MFA system using stolen credentials. If successful, it would have given them more access, but in this case it was their undoing.
In the investigation by Symantec of another organization compromised by the supply chain attack, a new malware termed Raindrop made it onto a computer which then acquired a copy of the legitimate software Directory Services Internals. This software is extremely privileged, able to retrieve credentials from Active Directory.
Examples of Privilege Escalation Techniques
Vertical Privilege Escalation
Most privilege escalation is about getting root or admin privileges. Achieving elevated access and control within a single system is called vertical privilege escalation. Basically, trying to go up. There are many different types of systems with their own pyramid of privileges where a hacker could conceivably be trying to increase their privileges. They might be trying to get greater privilege within a user account in a directory like AD/Entra ID, to advance from read to write privileges in a database, or attempting to elevate from cloud user to administrator.
Lateral Privilege Escalation
Attackers frequently need to hop between accounts and systems. They might start with credentials for a cloud user account, but they’re really interested in the PII that lives on a server in the company datacenter. This kind of movement is called lateral privilege escalation, and it usually involves an attacker trying to get control of a new account using one they’ve already hacked—like that cloud user account we talked about.
Lateral privilege escalation is one of the many things that zero trust architectures help to prevent. In traditional architectures, there was often inherent trust between different systems that lived within the same perimeter. A server might be able to access shared folders on the same network, even if there’s no functional reason for it to be able to. That kind of open communication between assets can be leveraged by attackers unless you tighten up your architecture.
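The contrast between implicit perimeter trust and an explicit allowlist can be made concrete with a small policy evaluator. This is an added example, not code from Xage or from the original post; the hosts, identities and policy entries are constructed for illustration, and the perimeter model is deliberately simplified to "anything inside the datacenter may talk to anything inside the datacenter". The useful output is the set of requests the old model would have allowed but a zero trust policy denies: those are the lateral paths worth closing.

```python
"""Compare a perimeter trust model with an explicit zero-trust allowlist.

Added example (not Xage code). All identities, hosts and policy entries
below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    identity: str      # user or service account making the request
    source: str        # host the request originates from
    destination: str   # host or resource being accessed
    service: str       # protocol/service, e.g. "smb", "https"


# Explicit zero-trust policy: every permitted
# (identity, source, destination, service) tuple is enumerated.
# Anything not listed is denied by default.
ZERO_TRUST_POLICY = {
    ("svc-backup", "backup01.dc.example", "fileserver01.dc.example", "smb"),
    ("alice", "laptop-alice.corp.example", "fileserver01.dc.example", "smb"),
    ("alice", "laptop-alice.corp.example", "cloudapp.example", "https"),
}


def evaluate_zero_trust(req, policy=ZERO_TRUST_POLICY):
    """Allow only if this exact identity/source/destination/service is listed."""
    return (req.identity, req.source, req.destination, req.service) in policy


def evaluate_perimeter(req, internal_suffix=".dc.example"):
    """Legacy model: hosts already inside the datacenter perimeter trust each other,
    regardless of which identity is asking or whether the flow is needed."""
    return (req.source.endswith(internal_suffix)
            and req.destination.endswith(internal_suffix))


def implicit_trust_gaps(requests):
    """Return requests the perimeter model allows but zero trust denies.
    Each one is a lateral path an attacker with a foothold could have used."""
    return [r for r in requests
            if evaluate_perimeter(r) and not evaluate_zero_trust(r)]


# Constructed sample traffic (not real captures).
REQUESTS = [
    # A web server reaching the file server over SMB: no functional reason,
    # but the perimeter model permits it because both hosts are "inside".
    Request("svc-web", "web01.dc.example", "fileserver01.dc.example", "smb"),
    # A legitimate, explicitly permitted user flow from the corporate network.
    Request("alice", "laptop-alice.corp.example", "fileserver01.dc.example", "smb"),
    # A compromised cloud user account trying to reach datacenter PII.
    Request("bob", "vpn-gw.corp.example", "fileserver01.dc.example", "smb"),
    # The backup service doing its job: permitted under both models.
    Request("svc-backup", "backup01.dc.example", "fileserver01.dc.example", "smb"),
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{r.identity:12} {r.source:28} -> {r.destination:24} "
              f"perimeter={evaluate_perimeter(r)!s:5} zero_trust={evaluate_zero_trust(r)}")
    print("Lateral paths to close:", implicit_trust_gaps(REQUESTS))
```

Running it shows the web-to-fileserver SMB flow as the one gap: it passes the perimeter check purely because of network location, and fails the zero trust check because nobody ever wrote a policy line saying that flow is needed.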
Living off the Land
The behavior of the Raindrop malware involved living off the land (LotL) techniques, meaning that it hijacked legitimate systems for its aims. The malware itself isn’t LotL, but the co-opting of Directory Services Internals was. LotL is a broader term that can refer to many tactics outside of privilege escalation, but in the case of SolarWinds, it was all about gaining privileged access.
Pass-the-Hash Attacks
Pass-the-Hash (PtH) tactics can allow someone to authenticate using the NT LAN Manager (NTLM) hash instead of the actual password. NTLM has a history of weaknesses like this.
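From the defender's side, the practical question is how a pass-the-hash logon looks in the Windows Security log and how to pick it out. The script below is an added example, not code from Xage or the original post. It assumes Security events have been exported to a flat key=value form (the sample records are constructed, not real captures) and flags network logons (LogonType 3) that used the NTLM authentication package for a privileged account from a host that is not an approved admin workstation. Which accounts count as privileged and which hosts are approved are assumptions a real deployment would replace with its own lists.

```python
"""Flag NTLM network logons by privileged accounts from unexpected hosts.

Added example (not Xage code). Sample events are constructed; the
privileged-account and admin-host lists are placeholders for your own.
"""
import re
from collections import defaultdict

# Constructed sample records, flattened from Windows Security events.
# 4624 = successful logon, 4625 = failed logon.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPkg=Kerberos TargetUser=alice WorkstationName=WS-FIN-02 IpAddress=10.0.10.12",
    "EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=svc-backup WorkstationName=BACKUP01 IpAddress=10.0.5.4",
    "EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=da-admin WorkstationName=WS-HR-07 IpAddress=10.0.20.15",
    "EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=da-admin WorkstationName=JUMP01 IpAddress=10.0.1.2",
    "EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=exch-admin WorkstationName=WS-HR-07 IpAddress=10.0.20.15",
    "EventID=4625 LogonType=3 AuthPkg=NTLM TargetUser=da-admin WorkstationName=WS-HR-07 IpAddress=10.0.20.15",
]

# Assumed lists: accounts whose NTLM use deserves scrutiny, and the hosts
# from which privileged NTLM logons are expected (jump hosts, backup servers).
PRIVILEGED_ACCOUNTS = {"da-admin", "exch-admin", "svc-backup"}
ADMIN_SOURCES = {"JUMP01", "BACKUP01"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(KV.findall(line))


def is_suspicious(ev, privileged=PRIVILEGED_ACCOUNTS, admin_sources=ADMIN_SOURCES):
    """Successful network logon, NTLM rather than Kerberos, privileged target,
    and a source host that is not on the approved list."""
    return (ev.get("EventID") == "4624"
            and ev.get("LogonType") == "3"
            and ev.get("AuthPkg") == "NTLM"
            and ev.get("TargetUser") in privileged
            and ev.get("WorkstationName") not in admin_sources)


def find_suspicious(lines, privileged=PRIVILEGED_ACCOUNTS, admin_sources=ADMIN_SOURCES):
    """Return the flagged events and, per source host, the set of privileged
    accounts it authenticated as. One host using several privileged accounts
    over NTLM is a stronger signal than a single logon."""
    hits = []
    by_source = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev, privileged, admin_sources):
            hits.append(ev)
            by_source[ev["WorkstationName"]].add(ev["TargetUser"])
    return hits, {src: sorted(users) for src, users in by_source.items()}


if __name__ == "__main__":
    hits, by_source = find_suspicious(SAMPLE_EVENTS)
    for ev in hits:
        print(f"NTLM privileged logon: {ev['TargetUser']} from "
              f"{ev['WorkstationName']} ({ev['IpAddress']})")
    for src, users in by_source.items():
        print(f"{src} used {len(users)} privileged account(s): {', '.join(users)}")
```

On the sample data the Kerberos logon, the failed logon and the two NTLM logons from approved hosts are ignored; the two from WS-HR-07 are flagged, and the per-source summary shows that one workstation authenticated as two different privileged accounts. In an environment where Kerberos is the norm, any NTLM logon for a tier-0 account is worth an alert; the approved-host list keeps known exceptions from drowning that signal.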
Terminology: Some Terms for Types of Privilege
Root privileges: The term root comes from the world of Linux and Unix, where root refers to superusers or administrators with full control over the system. Basically, there’s nothing these accounts aren’t allowed to do, including the ability to install software, change configurations, access and modify all files, and so forth. The term can also be used in the context of macOS and Android, which have their origins in Unix and Linux respectively.
System privileges: Most commonly used in the context of Windows, the term system privileges can pop up in a number of contexts. As discussed before, it’s also used for DBMSs to describe accounts that have full access. Basically, any change it’s possible to make to the database system, accounts with system privileges can do it.
Administrator/Admin: The term administrator or admin gets used across tons of different applications and infrastructure. It’s an account type on a local machine for both Windows and macOS—e.g., the user account on a laptop that can make all the exciting decisions like whether to do a software update. It’s also used in numerous applications, such as WordPress, Jenkins, and Salesforce.
System admin: System administrator is another common term, used both for a high level of privilege and as a job title—sometimes shortened to sysadmin. VMware’s virtualization software uses the term system admin.
A Note on Active Directory
Active Directory has long been the default directory service for Windows (the cloud iteration of this is now called Entra ID). It has a vast array of its own terminology for privilege. An extremely simplified explanation is that there are four primary categories of high privilege: Enterprise Admins, Domain Admins, Built-in Administrators, and Schema Admins. Microsoft goes into (extensive) detail on these in its documentation.
Blocking Bad Actors from Leveling Up
All a bad actor needs to gain initial access is one set of valid credentials. Unfortunately, those are increasingly available online. Once they have access, privilege escalation is extremely appealing because it can power up the basic account access they have into something far more lucrative and destructive. One of the easiest ways for them to do that is via vulnerabilities that elevate their privilege—a type of vulnerability that is far more common than we’d like.
On the flip side, locking down privileges can make your network a series of dead ends for attackers, even when they’ve already got a foothold. It’s a key part of the move towards zero trust and a necessary change to defend organizations in an increasingly complex and interconnected world.
Learn how privileged access management can help.