What is Privilege Escalation?

Table of contents

  1. How does privilege escalation work?
  2. Why is it important to prevent privilege escalation?
  3. What are the two types of privilege escalation?
  4. What are examples of privilege escalation?
  5. How to prevent privilege escalation attacks
  6. How UpGuard can help prevent privilege escalation attacks

1. How does privilege escalation work?

2. Why is it important to prevent privilege escalation?

3. What are the two types of privilege escalation?

  1. Vertical privilege escalation (privilege elevation): An attacker attempts to gain higher privileges or access with an existing account they have compromised. For example, an attacker takes over a regular user account on a network and attempts to gain administrative privileges, typically Administrator or SYSTEM on Microsoft Windows, or root on Unix and Linux systems. Once they gain elevated privileges, attackers can steal sensitive data about a specific user, install ransomware, spyware or other types of malware, execute malicious code and damage the security posture of your organization.
  2. Horizontal privilege escalation: An attacker expands their privileges by taking over a privileged account and misusing the legitimate privileges granted to that user. For local privilege escalation attacks this might mean hijacking an account with administrator or root privileges; for web applications it might mean gaining access to another user’s bank account or the admin account of a SaaS app.
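The two types above are easiest to see at the point where an application decides who may do what. The following is an added example, not code from the original article or from UpGuard: a pair of minimal web-backend handlers written twice, once with the missing checks that allow horizontal escalation (reading another user's account by changing an id) and vertical escalation (a regular user changing roles), and once hardened. The users, roles and account records are constructed for the example.

```python
"""Added example: vulnerable vs. hardened authorization checks for a small
account service. All users, roles and account data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin" (constructed role names)


# Constructed sample data: which user owns which account.
ACCOUNTS = {
    1001: {"owner": 1, "balance": 250},
    1002: {"owner": 2, "balance": 9000},
}


class AccessDenied(Exception):
    pass


def view_account_vulnerable(current: User, account_id: int) -> dict:
    """Vulnerable: trusts the account_id from the request and never checks
    ownership, so user 1 can read user 2's account (horizontal escalation)."""
    return ACCOUNTS[account_id]


def set_role_vulnerable(current: User, target: User, new_role: str) -> User:
    """Vulnerable: any authenticated caller may change roles, including their
    own, so a regular user can make themselves admin (vertical escalation)."""
    return User(target.user_id, new_role)


def view_account(current: User, account_id: int) -> dict:
    """Hardened: object-level authorization. Only the owner, or an admin,
    may read the account."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or (acct["owner"] != current.user_id and current.role != "admin"):
        # Same error for "does not exist" and "not yours", so the response
        # does not reveal which account ids are valid.
        raise AccessDenied("account not accessible")
    return acct


def set_role(current: User, target: User, new_role: str) -> User:
    """Hardened: function-level authorization. Only admins change roles, and
    nobody may change their own role, which blocks self-elevation."""
    if current.role != "admin":
        raise AccessDenied("admin role required")
    if current.user_id == target.user_id:
        raise AccessDenied("changing your own role is not allowed")
    if new_role not in ("user", "admin"):
        raise ValueError("unknown role")
    return User(target.user_id, new_role)
```

The hardened `view_account` returns the same error whether the account is missing or belongs to someone else; the hardened `set_role` separates the "who may call this" check (function-level) from the "may they do it to this target" check (object-level), which is the distinction between the vertical and horizontal cases above.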

4. What are examples of privilege escalation?

  1. Access token manipulation: Takes advantage of the way Microsoft Windows manages administrator privileges. Normally, Windows uses access tokens to determine the owners of running processes. With token manipulation, the attacker fools the system into believing the running processes belong to a different user than the one that actually started the process. When this happens, the process takes on the security context associated with the attacker’s access token. This is a form of privilege elevation or vertical privilege escalation.
  2. Bypassing user account control: Windows has a structured mechanism for controlling user privileges called user account control (UAC) that serves as a barrier between normal users and administrators, limiting standard user permissions until an administrator authorizes increased privileges. However, if the UAC protection level on a computer is not properly configured, some Windows programs will be allowed to elevate privileges or execute Component Object Model (COM) objects without asking for administrator permission first. For example, rundll32.exe can load a Dynamic Link Library (DLL) which loads a COM object that has elevated privileges, allowing attackers to bypass UAC and gain access to protected directories.
  3. Using valid accounts: Attackers gain unauthorized access to an administrator account, or to another account with elevated privileges, and use it to log in to a sensitive system or to create their own logon credentials.
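Each of these techniques leaves a trace in the Windows Security log, and that is where a defender looks for them. The following is an added example, not part of the original article: a small detector that runs over Security event records and flags the patterns behind access token manipulation (a logon of type 9, NewCredentials, which is recorded when a process obtains a token with alternate credentials) and the misuse of valid accounts (special privileges assigned to an account that is not expected to have them, and a newly created account added straight to a privileged group). The event IDs and field meanings are the standard ones (4624 logon, 4672 special privileges assigned, 4720 account created, 4732 member added to a local group); the sample records, account names and the admin allowlist are constructed for the example, and the field layout is a simplified stand-in for parsed event XML.

```python
"""Added example: detection logic over constructed Windows Security events.
Event IDs are standard; records, accounts and the allowlist are constructed."""

# Accounts expected to receive administrative logons (constructed allowlist).
KNOWN_ADMINS = {"CORP\\svc-backup", "CORP\\it-admin"}

# Constructed sample events, in the order they were logged.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Account": "CORP\\jsmith", "LogonType": 2, "LogonId": "0x1a2b"},
    # LogonType 9 (NewCredentials): a token created with alternate credentials.
    {"EventID": 4624, "Account": "CORP\\jsmith", "LogonType": 9, "LogonId": "0x1a2c"},
    {"EventID": 4672, "Account": "CORP\\jsmith", "LogonId": "0x1a2c",
     "Privileges": "SeDebugPrivilege SeImpersonatePrivilege"},
    {"EventID": 4672, "Account": "CORP\\it-admin", "LogonId": "0x0f00",
     "Privileges": "SeBackupPrivilege"},
    {"EventID": 4720, "Account": "CORP\\it-admin", "TargetAccount": "CORP\\helpdesk2"},
    {"EventID": 4732, "Account": "CORP\\it-admin", "TargetAccount": "CORP\\helpdesk2",
     "Group": "Administrators"},
]


def detect(events):
    """Return a list of (rule, account, detail) findings, in log order."""
    findings = []
    created = set()  # accounts created within the window being analysed
    for ev in events:
        eid = ev["EventID"]
        acct = ev["Account"]
        if eid == 4624 and ev.get("LogonType") == 9:
            # Alternate-credential logons are rare for ordinary users and are
            # one of the footprints of token manipulation.
            findings.append(("newcredentials-logon", acct, ev["LogonId"]))
        elif eid == 4672 and acct not in KNOWN_ADMINS:
            # Admin-equivalent privileges handed to an account that should
            # never receive them: a compromised or misused valid account.
            findings.append(("special-privs-unexpected-account", acct, ev["Privileges"]))
        elif eid == 4720:
            created.add(ev["TargetAccount"])
        elif eid == 4732 and ev["TargetAccount"] in created:
            # A freshly created account placed in a privileged group matches
            # the "create their own logon credentials" pattern.
            findings.append(("new-account-added-to-admin-group", ev["TargetAccount"], ev["Group"]))
    return findings


if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} {account:20s} {detail}")
```

In production the allowlist would come from an identity source rather than a literal, and the 4720/4732 correlation would be bounded by a time window; the structure of the rules is what carries over.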

5. How to prevent privilege escalation attacks

  • Keeping systems and applications updated: Many attacks exploit known vulnerabilities listed on CVE. By keeping a consistent patching cadence you are minimizing this cybersecurity risk.
  • Ensuring correct permissions for files, directories and web servers: Follow the principle of least privilege, check S3 security settings and ensure that only those who need access have access.
  • Closing unnecessary ports and removing unused accounts: Default system configurations often include unnecessary services and arbitrary code running on open ports, and each one is a potential attack vector. Remove default and unused accounts to avoid attackers and former employees gaining access to sensitive systems.
  • Avoiding default login credentials: This might seem obvious, but many organizations fail to change the default login credentials on their devices such as printers, routers and IoT devices. No matter how secure your network security is, one router still using the default admin/password login credentials could be enough for an attacker to intrude.
  • Removing or restricting file transfer functionality: FTP, TFTP, wget, curl and other file transfer functions are a common way to download and execute malicious code or other malicious files. Consider removing these tools or restricting their use to specific directories, users and applications.
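The permissions item above is the one most easily checked by hand, and the checks are the same ones an attacker would enumerate first, so it is worth auditing before they do. The following is an added example, not code from the original article or from UpGuard: an audit that walks a directory tree on a Unix-like system and reports the settings that hand privileges to every local user, namely world-writable files, world-writable directories without the sticky bit (a sticky world-writable directory such as /tmp is acceptable, one without lets any user delete or replace other users' files), and setuid/setgid executables. The `build_demo_tree` and `run_demo` helpers create a constructed fixture in a temporary directory so the audit can be run offline.

```python
"""Added example: least-privilege permission audit for a directory tree on
Unix-like systems. The demo fixture is constructed for the example."""
import os
import stat
import tempfile


def audit_permissions(root):
    """Return a sorted list of (path, finding) for risky permission bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target, not the link itself
            mode = st.st_mode
            is_dir = stat.S_ISDIR(mode)
            if mode & stat.S_IWOTH:
                if is_dir and not (mode & stat.S_ISVTX):
                    findings.append((path, "world-writable directory without sticky bit"))
                elif not is_dir:
                    findings.append((path, "world-writable file"))
            if not is_dir and mode & stat.S_IXUSR and mode & (stat.S_ISUID | stat.S_ISGID):
                # Such binaries run with the owner's or group's privileges;
                # each one outside the vetted system set needs a justification.
                findings.append((path, "setuid/setgid executable"))
    return sorted(findings)


def build_demo_tree(base):
    """Create a constructed fixture with deliberately weak permissions."""
    os.makedirs(os.path.join(base, "uploads"))   # world-writable, no sticky bit
    os.chmod(os.path.join(base, "uploads"), 0o777)
    os.makedirs(os.path.join(base, "scratch"))   # world-writable but sticky: acceptable
    os.chmod(os.path.join(base, "scratch"), 0o1777)
    for rel, mode in (("config.ini", 0o666), ("index.html", 0o644)):
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)


def run_demo():
    """Build the fixture in a temp dir and return findings as relative paths."""
    base = tempfile.mkdtemp(prefix="permaudit-")
    build_demo_tree(base)
    return [(os.path.relpath(p, base), why) for p, why in audit_permissions(base)]


if __name__ == "__main__":
    for rel, why in run_demo():
        print(f"{why:45s} {rel}")
```

Run it against a web root or an application's data directory as the user that deploys it; anything it reports should either be fixed with `chmod` or be documented as intentional.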

6. How UpGuard can help prevent privilege escalation attacks
