What is privilege escalation? Everything you need to know

What is privilege escalation?

Privilege escalation is a network attack during which hackers exploit loopholes within the targeted system to gain unauthorized access to the system’s resources. Malicious actors usually steal administrative rights to resources by abusing bugs, configuration flaws, or weak spots in application design or operating systems. Depending on the privileges they gain, hackers can use them to access protected data and eventually do whatever they want on your system.

How does privilege escalation work?

Whenever hackers set their minds to run a privilege escalation attack, their first step is searching for the weak spots in their target’s defenses. The attackers’ golden ticket is usually gullible employees who may fall for various social engineering and phishing techniques. Sometimes, employees can be tricked into clicking malicious links that export their login data. Other times, hackers may even convince them to give away their credentials of their own will – pretending to be someone from the company’s IT or maintenance personnel.

Once a hacker manages to steal at least one employee’s credentials, they can start elevating their privileges and climb their fake career ladders at impressive speed.

Privilege escalation types

Hackers can exploit the breached systems in two ways – either moving horizontally or vertically within the hacked network. The main difference between the two is that using horizontal privilege escalation, attackers remain at the same privilege level while choosing vertical escalation, they gain higher administrative privileges on the go.

Horizontal privilege escalation

Horizontal privilege escalation, also known as account takeover, occurs when a hacker takes over someone else’s account with lower-level privileges and uses it to access similarly privileged accounts. Though the hacker remains on the same privilege level, they can move through the breached network horizontally, accessing other users’ data and acting on their behalf.

Vertical privilege escalation

Vertical privilege escalation, also known as privilege elevation, means a hacker uses a less-privileged account to obtain higher (usually admin) privileges. With root or kernel access to a device, a hacker can retrieve data, change settings, and manipulate the network or server in almost any way. This attack is much more difficult to enact than a horizontal attack but can also cause much more damage.

Privilege escalation techniques

There are many techniques to get into networks through privilege escalation. Some of them target particular objects in operating systems, while others rely on social factors. We’ve listed some of the most common privilege escalation cyberattack techniques below – check them out.

Access token manipulation

Some operating systems use access tokens to determine the owner of a running process. The access token identifies the user and their privileges and contains their session’s security credentials. A hacker can trick the system and make a token to identify themselves as a legitimate user. By claiming a token, the hacker also gets all the associated permissions. An attacker needs to already possess administrative rights to perform this attack. They usually employ this method to elevate their privileges from the admin to the system level.

There are three ways to execute this technique:

1. Copying an existing token by using the Windows DuplicateTokenEx function. A hacker can then use the ImpersonateLoggedOnUser command to allow a process to impersonate a logged-on user’s security context. Also, using the SetThreadToken function, they may apply this impersonated token to a process.
2. Creating a new process using the security permissions provided by a stolen token.
3. Applying the user’s username and password to initiate a login session (if they aren’t logged into the system) with the LogonUser function. This will generate a new token that an attacker can assign to a process.

Bypassing user account control (UAC)

Windows user account control manages privileges for users within a device. It protects devices from unwanted intrusions by automatically limiting the privileges of users unless an admin increases them. However, if the UAC’s settings are not set to the highest level, it can grant elevated privileges to an application without notifying the user. Hackers can use these apps to gain administrative rights or inject malware.

Process injection

Process injection is the technique of injecting code into an active process. The code might grant access to another process’s resources and, eventually, to higher system privileges. As a legitimate process shields the code, security systems are less likely to spot it.

Social engineering

A hacker might launch privilege escalation attacks by means of social engineering. They can send a phishing email with a malicious file or link, convincing users to click on it to extract victims’ sensitive information and login details. Malicious actors can go even as far as initiating fraudulent phone calls, known as voice phishing or vishing, to convince users to give away their login credentials or typosquat a legitimate URL and lead their victims to a malicious website instead. Once the attacker finds their way into the user’s network, they can steal the victim’s credentials and escalate their privileges on the systems where the victim is a user or admin.

Exploiting accessibility features

Windows Accessibility features can be launched with a key combination prior to logging into the operating system. This means a hacker can modify accessibility settings without logging in and creating a backdoor entrance into the system.

Brute force attacks

Malicious actors often use an automated password-guessing algorithm to find the correct match to a targeted password and break into the networks. The algorithm of the brute force attack can generate up to 1 billion password versions per second. This means if someone within the enterprise uses a weak password, they open a freeway for hackers to break into the network and perform privilege escalation.

Credential dumping

During credential dumping attacks, hackers try to steal as many credentials as they can find within the network they breached. Access to multiple accounts allows attackers to move across the network laterally while accessing all sorts of sensitive information or even gaining control over critical systems.

Shoulder surfing

For hackers who are low on tech, shoulder surfing can become a go-to solution. This credential-stealing technique involves attackers observing their victims as they enter passwords and PINs to unlock their accounts. Afterward, threat actors use the noted combinations to access their victims’ accounts.

Dictionary attacks

When hackers initiate dictionary-based attacks, they use a special tool containing common words often used as passwords. By checking each plausible password combination against the targeted password, malicious entities try to find their way into the safeguarded system. As in the case of brute force attacks, weak passwords that contain common words are the most vulnerable to dictionary attacks.

Credential stuffing

Internet users who have ever used the same password for multiple accounts are susceptible to becoming victims of credential stuffing. Hackers employ this technique when they try to unlock multiple accounts of the same person using the credentials of one of their breached accounts.

Finding vulnerabilities within operating systems

Different operating systems are vulnerable to different types of privilege escalation techniques. For instance, hackers that aim to infiltrate Windows servers often employ dynamic link library (DLL) hijacking, token manipulations, and user account bypasses. Meanwhile, common privilege escalation techniques used on Linux involve kernel exploitation, enumeration, and Sudo accessing to get root privileges.

How to recognize a privilege escalation attack

Detecting a threat actor who managed to infiltrate the enterprise’s network can be very difficult. Once the hacker uses stolen credentials to access the system, they appear as a legitimate user. In this case, your best bet is to search for signs of suspicious behavior or patterns in system changes, possibly initiated by the malicious intruder.

The time between the intrusion into the network until the intruder reaches their goal is called “dwell time.” The more dwell time an intruder has, the higher privileges they can access, collecting more valuable data and high-level credentials. Usually, when the hacker reaches their ultimate goal in the targeted system, they are able to cover their tracks and involvement successfully.

It may take weeks to months to detect a privilege escalation attack, mainly depending on how smoothly the cybercriminal manages to run their attack.

Privilege escalation attack examples

It’s common for hackers to execute privilege escalation attacks with the help of malware. If you’re interested to learn about some of the types of malware they use, you can read about them below.

Worms

Worms are self-replicating malware that can spread to other than host devices and networks without human interaction. Computer worms can also carry various payloads and perform malicious actions on infected systems. This includes deleting files, data theft, or creating a backdoor for attackers to access the systems.

Ransomware

Whenever a hacker gets hold of sensitive data from you or your company, they may ask you to pay a ransom to retrieve it. As if that wouldn’t be enough, they may lock your devices or cripple operating systems and demand a payment to get them released from their grip. Be sure to never pay cybercriminals in the case of ransomware attack – it will only give them more reasons to blackmail you in the future.

Scareware

As the name suggests, hackers use scareware to scare their victims into downloading malware onto their devices. Imagine, a pop-up appears on your screen claiming that malware has infected your computer. It prompts you to download antivirus software to get rid of the computer virus. What you don’t know is that the suggested antivirus software is actually malware in disguise. You decide to do what the pop-up urges you to and download the fake antivirus software. And, surprise – now you’ve actually installed malware into your computer.

Rootkits

Adversaries created rootkits to hand them control over targeted networks with the help of a compound of malicious software. If you activate a rootkit on your device, malicious actors can establish a backdoor into your network and continuously cripple it by spreading all sorts of malware.

How to protect yourself from privilege escalation attacks

To minimize system vulnerabilities that allow hackers to perform privilege escalation, consider the following measures:

• Use strong passwords and never use the same ones within a single network.
• Give users the minimum privileges they need. It is safer to grant privileges on an as-needed basis. If a hacker gains access to an account, they will have fewer tools to work with.
• Keep your software updated and always use cutting-edge security measures.
• Do not leave default security settings. While this might seem obvious, it is a pretty common mistake that leaves the door wide open to adversaries. They may easily crack default passwords and bypass UAC systems. Make sure you always have security functions set at their highest.
• Do not give admin rights to new users or users you do not fully trust.
• Run applications with minimum privileges to limit the impact of hackers in the event of a successful attack.
• Encrypt your communication and internal data. This will create an additional barrier for a cybercriminal to obtain your data.