Privilege escalation

What is privilege escalation?

Privilege escalation is the act of evading established access and authorization controls in an enterprise network to gain elevated privileges and access critical network assets. It is the intermediate phase in the cyber kill chain and one of the 14 major attack tactics in the MITRE ATT&CK framework. A threat actor with escalated privileges can exploit that to steal data, tamper with security settings, and persist on the network to launch multiple attacks.

About privilege escalation

Understanding privileges in an enterprise network

Enterprise networks consist of various resources for internal use such as file servers, print servers, business-specific applications hosted on their data center, and services running locally on individual systems. Users need to log on to the network using their account credentials to access these resources. The user accounts give users an identity on the network and each has associated privileges.

Accounts and privileges

• Local account privileges The user accounts created and stored on individual systems are known as the local accounts. The procedures for creating them, where they are stored, and how privileges are assigned will vary with different OS environments like Windows and Linux. These accounts are limited to their systems and can be elevated to gain root access, but they cannot be used on other systems. In general, local accounts can be used to do activities like accessing files and applications stored on the local drive, web browsing, and using some of the shared network resources with limited permissions.
• Domain-level privileges Active Directory (AD)—the commonly used directory service to centrally store and manage all network entities—comprises a hierarchical structure of users and resources divided into multiple groups called domains. The user accounts have domain privileges to log in to any system on the domain and access the associated resources. Special trust relationships will be established to allow access to resources on other domains. To further control the user privileges, role-based access controls (RBAC) can also be implemented on a domain level.

  Now that privileges on a network are defined, let's understand how privilege escalation works.

Privilege escalation: Techniques

Given that an attacker has already compromised an account on the network with basic privileges, here are the different techniques that can be used to escalate those privileges:

System-level escalations

• UAC bypass In Windows systems, the services, processes, or applications are launched with low privileges by default. When users want to run any application or process with admin privileges, the UAC on Windows systems prompts them for confirmation. Malicious actors with reverse shell access will bypass UAC by hijacking processes that can auto-elevate and run without prompting the users. They create new child processes with inherited privileges or inject arbitrary code into the files of those services.
• Kernel exploits: Enumeration Kernel exploits are done to gain root access on a system and make OS-level changes. Using reverse shell access, an attacker can obtain details such as the kernel version of the system, processes running on the system and the privileges they have, users and their privileges, cached data, and more.

  There are detailed enumeration cheat sheets with commands for different OSs. Just with the simple detail of the kernel version, the threat actors can find active vulnerabilities for that version available openly on the internet. Or, they can proceed to perform a vulnerability scan and deploy a suitable exploit using tools like SearchSploit and Linux-Exploit-Suggester.

• Boot logon autostart exploit Windows allows certain applications to auto-start post logon. These can be web browsers or security programs like Microsoft Defender and antivirus software. The Startup folder stores the shortcuts to all these apps and launches them with the privileges of the users who log on. If the threat actors gain write permissions to this folder, they can add malicious applications, then when administrators log on to this system, these malicious apps will be launched with elevated privileges.

Domain-level escalations

• Tampering domain group policies through DC replication Attackers can launch a rogue domain controller (DC) through SID history injection, which can be used to add users, change permissions, and modify critical policies. Any changes made by a DC will be replicated in all other DCs in the domain and the replication stream activities are not logged. This helps threat actors to quickly gain elevated domain privileges, make permanent changes which will be applied on the actual DCs, and eventually disappear without detection by unregistering the rogue DC. Tools like Mimikatz can be used for this attack.
• Protocol vulnerabilities - Kerberoasting The Kerberos authentication protocol issues ticket granting tickets (TGTs) to access the domain services. These tickets are generated by DCs and can be used to authenticate users without requiring credentials everytime. Attackers can forge these tickets by adding the SID, username, and group id of privileged accounts, and increase the lifetime of the ticket to be valid for years. This gives a free pass to access all the critical domain services.
• Exploiting certificate misconfigurations Active Directory Certificate Services (AD CS) issues certificates to authenticate users, devices, and services, and to secure communication through public key encryption. Attackers leverage enumeration techniques to get details of the certificate templates with weak settings and configurations or with elevated permissions to generate new certificates with those templates.

Privilege escalation: Security best practices and detection

Privilege escalation activities and techniques are vast and can't be put down in a finite list to track and monitor. The UAC bypass technique alone has 60+ known methods for implementation, including exploits for open vulnerabilities on Windows OS with no patches released so far. The best bet for organizations is to implement strict access control policies, follow the best practices religiously, and never let a threat actor proceed till privilege escalation.

Here are some of the best practices to be followed and the detection mechanisms to use in case privileges get escalated.