Technology is an essential enabler of organizational growth, bringing many benefits along with new challenges, privilege escalation among them. While the right tech stack enables enhanced efficiency, a poorly configured one can turn out to be a disaster. Security remains one of the most common challenges organizations deal with. As legacy business models adopt more technology, there is an increasing pattern of sophisticated attacks that target vulnerable points to bring systems down almost entirely.
What is Privilege Escalation?
A Privilege Escalation Attack is a technique in which a threat actor gains unauthorized access through a susceptible point and then elevates access permissions to carry out a full-blown attack. Such threat actors can be external hackers or insiders who exploit vulnerabilities such as inadequate or broken access controls or system bugs to compromise a user account. Privilege escalation attacks typically aim to gain a powerful level of permission and control the entire system.
Privilege Escalation Types
The types of Privilege Escalation attacks can be broadly categorized into:
Horizontal Privilege Escalation
Attacks where the threat actor widens its sphere of access across a system by taking over the access rights of other users with a similar level of privilege. In horizontal privilege escalation, the actor takes advantage of lower-level or unprivileged user accounts with weak security policies.
Vertical Privilege Escalation
Also known as privilege elevation, this refers to an attack where the attacker elevates access privileges beyond the permissions defined for the account. Such attacks typically aim at accounts with unlimited administrator privileges, such as System Administrator on Windows or root on Linux/Unix machines.
This article delves into the common vulnerabilities and techniques that lead to privilege escalation attacks, and how to keep systems protected from them.
How Does Privilege Escalation Work?
Privilege escalation is the layer of the cyberattack chain where the attacker takes advantage of a compromised system to access data the user account isn’t permitted to see. While there can be numerous susceptible points within a system, common entry points for privilege escalation attack vectors include web application servers and Application Programming Interfaces (APIs).
To gain initial access, attackers authenticate themselves to the system by bypassing user account control or obtaining credentials. Beyond this, attackers try to find various loopholes in account authorization to gain a level of access to more sensitive data.
Common Privilege Escalation Techniques
Though Linux is widely considered more secure than other operating systems, there are various ways attackers exploit vulnerabilities to gain elevated access to system resources. Some common Linux escalation techniques include:
Enumeration
This technique helps attackers obtain configuration information, a crucial step in identifying potential privilege escalation vulnerabilities and entry points. Through enumeration, attackers gather and exploit critical system information, including:
- IPtables and Routing tables
- Unmounted File Systems and additional drives
- Usernames & passwords (user enumeration)
- Audit configurations
- Service settings
- DNS and SNMP details
With access to this configuration data, attackers can use automated tools and lateral movement to gain further access to the system. Mitigating enumeration attacks involves pre-emptive countermeasures: penetration testing, identifying system vulnerabilities, and fixing them before they are exploited.
Kernel Exploits
While the Linux kernel is popular within the developer community for its feature set and open-source nature, it is also prone to a number of vulnerabilities. One commonly known problem is legacy kernel versions that no longer receive security patches. As a result, attackers can simply download, compile and run a public exploit to escalate privileges. Such exploits often work out of the box or require only minor configuration changes.
To mitigate Kernel exploits, it is important to follow Linux security reports and always install the latest security patches and updates.
SUDO Rights Exploitation
The Substitute User Do (SUDO) program lets a user run Linux commands with the permissions and privileges of another user. Unfortunately, this means that an attacker who compromises a user with SUDO access can leverage it to gain root privileges.
Mitigating SUDO rights exploitation involves not granting SUDO permissions for programs that can spawn a shell, such as compilers, editors, or interpreters. When granting SUDO rights, limit access according to the principle of least privilege.
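The following audit script is an added example, not Crashtest Security’s code: it parses sudoers-style user specifications and flags rules that grant a full command set, a shell-capable program, wildcard arguments, or passwordless execution. The rule lines and the SHELL_CAPABLE list are constructed assumptions for illustration and are not exhaustive.

```python
"""Flag sudo rules that hand a user an interactive shell or arbitrary code execution.

Added example, not Crashtest Security's code. SHELL_CAPABLE and the sample
rules are constructed assumptions for illustration; extend the set for your hosts.
"""
import re

# Programs that can spawn a shell, open files as root or run arbitrary code
# once they execute under sudo (assumption: a short, non-exhaustive list).
SHELL_CAPABLE = {
    "/bin/sh", "/bin/bash", "/usr/bin/vi", "/usr/bin/vim", "/usr/bin/less",
    "/usr/bin/python3", "/usr/bin/perl", "/usr/bin/gcc", "/usr/bin/find",
}

# user  host=(runas) TAG: command, command
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
NON_RULES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_rule(line):
    """Parse one user specification; return None for comments, blanks and aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(NON_RULES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t for t in m.group("tags").replace(" ", "").split(":") if t}
    return {
        "who": m.group("who"),
        "host": m.group("host"),
        "runas": (m.group("runas") or "root").strip(),
        "tags": tags,
        "cmds": [c.strip() for c in m.group("cmds").split(",")],
    }


def audit_rule(rule):
    """Return (severity, reason) findings for a parsed rule; empty means no concern."""
    findings = []
    for cmd in rule["cmds"]:
        if not cmd:
            continue
        binary = cmd.split()[0]
        if cmd == "ALL":
            findings.append(("high", f"{rule['who']} may run any command as {rule['runas']}"))
        elif binary in SHELL_CAPABLE:
            findings.append(("high", f"{rule['who']} may run shell-capable {binary} as {rule['runas']}"))
        elif "*" in cmd:
            findings.append(("medium", f"wildcard in the arguments of {binary} for {rule['who']}"))
    if "NOPASSWD" in rule["tags"]:
        findings.append(("low", f"{rule['who']} needs no password for this rule"))
    return findings


SAMPLE_SUDOERS = """\
# Constructed sample for this example; not taken from a real host.
Defaults  env_reset
root      ALL=(ALL:ALL) ALL
analyst   ALL=(ALL) ALL
deploy    ALL=(root) NOPASSWD: /usr/bin/vim /etc/app.conf
appadmin  ALL=(root) sudoedit /etc/app.conf
webops    ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup    ALL=(root) /usr/bin/rsync -a /srv/data/ /mnt/backup/
"""


def audit_sudoers(text):
    """Map each user with findings to its list of (severity, reason) tuples."""
    report = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        findings = audit_rule(rule)
        if findings:
            report.setdefault(rule["who"], []).extend(findings)
    return report


if __name__ == "__main__":
    for who, findings in audit_sudoers(SAMPLE_SUDOERS).items():
        for severity, reason in findings:
            print(f"{severity:6} {who}: {reason}")
```

The `deploy` and `appadmin` lines show the weak and the corrected form of the same grant: letting a user run an editor as root gives them root, whereas sudo’s built-in `sudoedit` pseudo-command lets them edit only the named file with the editor running as themselves.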
It is a common belief that Windows systems are comparatively more vulnerable than Linux systems. However, organizations can secure their systems against privilege escalation attacks with the right mitigation approach. Some commonly known privilege escalation techniques used by attackers to target Windows systems include:
Access Token Manipulation
Windows identifies the owner of a process through an access token. If a task requires special permissions, the system checks the token to see whether the process has sufficient rights to perform it. Unfortunately, this allows attackers to manipulate access tokens in several common ways, including duplicating existing tokens, creating new processes with duplicated tokens, and creating tokens from stolen username and password combinations.
Token manipulation attacks can be mitigated by ensuring tighter security controls for administrative accounts. This is done in conjunction with following the least-privilege principle that grants a minimum level of permission rights to avoid access misuse.
Bypass User Account Control
The User Account Control (UAC) system separates administrators from regular users. By running applications with standard user permissions unless elevation is explicitly approved, UAC helps to prevent malware from compromising the OS. If UAC is bypassed, attackers can escalate privileges to execute administrative functions for a full-blown system attack.
The mitigation for UAC bypass attacks is to configure the security context appropriately so that UAC protection runs at its maximum level.
Microsoft Windows, GNU/Linux, and UNIX all have known vulnerabilities that allow attackers to gain administrator privileges through arbitrary code execution.
Detecting a Privilege Escalation Incident
One common trait of successful attackers is keeping their activities undetected. Such stealthy privilege escalation methods are particularly hard to detect because the malicious activity removes its traces by deleting event logs, masking IP addresses, and masquerading as normal users. To deal with this, it is important to consider all entry points susceptible to attack. When tracking a privilege escalation incident, here are a few factors to consider:
- The initial point of compromise
- The vector used to implement the initial threat
- Permissions and elevated privileges the threat actor managed to obtain
- Accounts the attacker aimed to obtain and the purpose
- Damage caused by the compromise and escalation
Detecting a Privilege Escalation Incident in Windows
Windows identifies the owners of system processes using access tokens. For privilege escalation detection, audit policies can be configured to log token creation and manipulation. When an attacker reaches the token mechanism and tries to obtain someone else’s token rights, the system generates a Token Right Adjusted audit event (Event ID 4703).
More details can be found in Microsoft’s official documentation, which describes how 4703 events can be used to detect escalation attacks.
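As an added example (not Microsoft’s or Crashtest Security’s code), the triage below shows how a detection pipeline can cut Event ID 4703 down to the records worth an analyst’s time: it keeps only events that enable a sensitive privilege, drops the core system processes that adjust privileges constantly, and marks events where the adjusted token belongs to a different logon session than the caller’s. The event records are constructed to resemble fields parsed from the Security log; the SENSITIVE_PRIVILEGES and EXPECTED_PROCESSES sets are tuning assumptions.

```python
"""Triage Windows 'Token Right Adjusted' events (Event ID 4703) for suspicious privilege use.

Added example, not Microsoft's or Crashtest Security's code. The event records
are constructed to look like fields parsed from the Security log; the
SENSITIVE_PRIVILEGES and EXPECTED_PROCESSES sets are tuning assumptions.
"""

# Privileges that let a process read or control other processes, tokens and files;
# enabling one of these outside known system processes deserves a look.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege",
}

# Processes that adjust privileges constantly as part of normal operation.
# Assumption for this example: tune it to what your own baseline shows.
EXPECTED_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
}


def parse_privilege_list(value):
    """EnabledPrivilegeList/DisabledPrivilegeList are whitespace-separated; '-' means none."""
    if not value or value.strip() == "-":
        return set()
    return set(value.split())


def triage_4703(event):
    """Return an alert dict for a suspicious 4703 record, or None if it is routine."""
    if event.get("EventID") != 4703:
        return None
    enabled = parse_privilege_list(event.get("EnabledPrivilegeList", "-"))
    hits = enabled & SENSITIVE_PRIVILEGES
    if not hits:
        return None  # only disabling privileges, or nothing sensitive enabled
    process = event.get("ProcessName", "").lower()
    if process in EXPECTED_PROCESSES:
        return None  # routine noise from core system processes
    return {
        "user": f"{event['SubjectDomainName']}\\{event['SubjectUserName']}",
        "process": process,
        "privileges": sorted(hits),
        # A token adjusted for a logon session other than the caller's own
        # is a stronger signal than a process adjusting its own token.
        "cross_session": event.get("TargetLogonId") != event.get("SubjectLogonId"),
    }


SAMPLE_EVENTS = [  # constructed records, not from a real host
    {"EventID": 4703, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "SubjectLogonId": "0x3e7", "TargetLogonId": "0x3e7",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeImpersonatePrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "SubjectLogonId": "0x5a1b2", "TargetLogonId": "0x5a1b2",
     "ProcessName": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectDomainName": "CORP", "SubjectUserName": "alice",
     "SubjectLogonId": "0x7c003", "TargetLogonId": "0x7c003",
     "ProcessName": r"C:\Windows\System32\mmc.exe",
     "EnabledPrivilegeList": "-", "DisabledPrivilegeList": "SeBackupPrivilege"},
    {"EventID": 4703, "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x9d4e1", "TargetLogonId": "0x12f77",
     "ProcessName": r"C:\Program Files\BackupAgent\agent.exe",
     "EnabledPrivilegeList": "SeBackupPrivilege\nSeRestorePrivilege", "DisabledPrivilegeList": "-"},
]


def triage_events(events):
    """Run triage over a batch of parsed events and keep only the alerts."""
    return [alert for alert in map(triage_4703, events) if alert]


if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        flag = " (other logon session)" if alert["cross_session"] else ""
        print(f"{alert['user']} via {alert['process']} enabled "
              f"{', '.join(alert['privileges'])}{flag}")
```

The backup agent in the sample still produces an alert; in practice that is where tuning happens, by adding the agent to the expected-process list for the service account only, rather than dropping SeBackupPrivilege from the sensitive set for everyone.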
Detecting a Privilege Escalation Incident in Linux
In today’s technology landscape, most web servers run a Linux distribution. Attackers exploit the copy-on-write (CoW) mechanism in older Linux kernels to write to read-only memory mappings. With the Dirty COW privilege escalation exploit, attackers can gain root access to the system. Such attacks can be detected and avoided by keeping the Linux kernel patched and following Linux security best practices; modern Linux systems running an updated kernel with current security fixes are considered substantially less susceptible to Dirty COW attacks.
Protecting Applications from Privilege Escalation
Threat actors combine different types of privilege escalation to carry out a full-blown attack. This requires organizations to embrace multiple strategies and tools in equal measure for holistic security. Since gaining access to a regular user account is the first step in privilege escalation, identity and account management controls go a long way toward keeping attacks at bay.
Web Application Servers
Web application servers are preferred entry points because, once infiltrated, a privilege escalation attack can remotely gain administrative access to sensitive information stored centrally. A breach of application security makes it easy to move further into the system using connections to critical components such as other connected web applications, user management interfaces, and databases.
Application Programming Interfaces (APIs)
APIs offer ideal penetration points for major data breaches when they are exposed, hacked, or broken. Organizations should therefore focus on securing APIs through audits, vulnerability scanning, and other cybersecurity techniques to keep systems safe from API attack vectors.
Following are some common best practices and tools to deal with privilege escalation attacks.
Best Practices to Protect Systems from Privilege Escalation
As cyberthreats grow in sophistication, organizations must adopt the right methodologies to stay ahead of attackers. Below are the best practices to prevent privilege escalation attacks.
Principle of Least Privilege
Developers and security teams must ensure that users and user account groups have clearly defined roles. Each role should receive only the minimum privileges it needs, with file transfer and access to resources restricted per role. This limits the potential for organization-wide escalation even if an account is compromised. Additionally, access for each account should be limited to the resources it needs to manage or access.
This policy applies not only to users but also to administrators and root account users, as no superuser should have permission to access and modify an entire system. The principle of least privilege also applies to the deletion of user accounts and should be enforced when a user stops accessing the system.
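The following is an added example, not Crashtest Security’s code, tying the two escalation types defined earlier (horizontal and vertical) to the least-privilege rules above. It shows an invoice handler that never checks ownership (horizontal escalation: any customer can read any invoice by id) and a user-deletion handler that never checks the caller’s role (vertical escalation), each beside a hardened version driven by a deny-by-default role permission table. The users, invoices and the ROLE_PERMISSIONS table are constructed for illustration.

```python
"""Authorization checks that stop horizontal and vertical privilege escalation.

Added example, not Crashtest Security's code. The users, invoices and the
ROLE_PERMISSIONS table are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # one of the keys in ROLE_PERMISSIONS


# Deny by default: a role may perform exactly the actions listed for it and nothing else.
ROLE_PERMISSIONS = {
    "customer": {"invoice:read_own"},
    "support": {"invoice:read_own", "invoice:read_any"},
    "admin": {"invoice:read_own", "invoice:read_any", "user:delete"},
}

INVOICES = {  # constructed sample records
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
}
USERS = {  # constructed sample accounts
    "alice": User("alice", "customer"),
    "bob": User("bob", "customer"),
    "carol": User("carol", "support"),
    "dave": User("dave", "admin"),
}


def has_permission(user, action):
    """Unknown roles and unlisted actions are denied."""
    return action in ROLE_PERMISSIONS.get(user.role, set())


# --- Vulnerable handlers: the caller is authenticated but never authorized ---

def get_invoice_insecure(user, invoice_id):
    """Horizontal escalation: any logged-in user can read any invoice by id."""
    return INVOICES[invoice_id]


def delete_user_insecure(user, target, users):
    """Vertical escalation: an admin-only action with no role check."""
    remaining = dict(users)
    del remaining[target]
    return remaining


# --- Hardened handlers: ownership and role are checked before acting --------

def get_invoice(user, invoice_id):
    """Return the invoice only if the caller owns it or holds invoice:read_any."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    owns_it = invoice["owner"] == user.name and has_permission(user, "invoice:read_own")
    if owns_it or has_permission(user, "invoice:read_any"):
        return invoice
    raise PermissionError(f"{user.name} may not read invoice {invoice_id}")


def delete_user(user, target, users):
    """Require the user:delete permission before touching the account store."""
    if not has_permission(user, "user:delete"):
        raise PermissionError(f"{user.name} ({user.role}) may not delete users")
    if target not in users:
        raise KeyError(target)
    remaining = dict(users)
    del remaining[target]
    return remaining


def is_denied(handler, *args):
    """True if the handler refuses the call with PermissionError."""
    try:
        handler(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    bob, dave = USERS["bob"], USERS["dave"]
    print("insecure read of alice's invoice by bob:", get_invoice_insecure(bob, 101))
    print("hardened read by bob denied:", is_denied(get_invoice, bob, 101))
    print("insecure delete by bob succeeds:", "alice" not in delete_user_insecure(bob, "alice", USERS))
    print("hardened delete by bob denied:", is_denied(delete_user, bob, "alice", USERS))
    print("admin delete allowed:", "alice" not in delete_user(dave, "alice", USERS))
```

The permission table is the least-privilege policy in code: a customer gets one action, support gets read access but no account management, and only the admin role can delete, so a compromised customer account cannot reach either escalation path even though it is fully authenticated.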
Regular Vulnerability Scans
It is important to secure an application by finding system vulnerabilities before attackers take advantage of them. Vulnerability scanning tools, such as the Crashtest Security Suite, automate the identification and confirmation of system vulnerabilities. Effective vulnerability scans help identify misconfigurations, weak passwords, and unpatched software that make the system insecure. Vulnerability scans also reveal weaknesses in web server security, such as known exploits, injection attack entry points (possible malicious code), and exposed administrator interfaces. With effective vulnerability scanning, organizations can update, patch or deploy additional security layers to keep threat vectors at bay.
Rotate Default Credentials
Strong, unique passwords must be enforced for every account. Many accounts come with default passwords that are used until a user-defined password is set. Attackers exploit these initial passwords to gain access to user accounts and then escalate. Such default accounts should be removed completely or their passwords rotated, as they are common entry points for attackers seeking administrative access to web servers. Likewise, the default login credentials of any hardware system should be changed as soon as it is put into use.
Constantly Monitor User Behavior
Threat actors typically target user accounts to gain entry into the system. Once they have obtained a user’s credentials, they can log in to the system and go undetected. To check for compromised identities, it is imperative to monitor the behavior of the system’s users constantly. Deploying User and Entity Behavior Analytics (UEBA) solutions helps by automatically monitoring user activity over time. These tools model legitimate user behavior by creating user profiles based on various parameters and help to identify suspicious account activity efficiently. In addition, UEBA tools give security teams visibility into aggregate traffic rates, enabling the detection and prevention of DDoS attacks through the API.
Strong Password Policy
A strong password policy is considered one of the most effective methods to prevent privilege escalation attacks, as it creates the first line of defense against attackers looking to enter the system. Therefore, ensuring each user creates a unique password that is difficult to guess is important. Additionally, organizations can implement Single Sign-On (SSO) and Multi-Factor Authentication (MFA) mechanisms to boost the effectiveness of a strong password policy. Tools such as policy enforcers and password auditors can also scan a production environment for weak passwords and request better ones. Certain enterprise password management tools also help create and enforce strong, secure passwords that comply with security policies.
Limit file access and block unused ports
All network ports should stay closed and be opened only when needed by applications and services. Certain services come with configurations that require some ports to be open for communication through the API. Keep them open only while in use, and accessible only to applications with the required permissions. As a best practice, services that are not needed should be identified and blocked. In addition, all files within a shared system should be read-only by default, with write access enabled only when a user or group needs to edit a file.
Tools to Prevent Privilege Escalation Attacks
Preventing Privilege Escalation is easier when you use tools that cover different aspects of security enforcement in response to different threat vectors. In a typical system, the prevention of attacks involves a combination of different tools, covering aspects such as:
Vulnerability Scanners
Vulnerability scanners are tools that automatically identify IT assets, build an inventory of them, and check whether networks, machines, and applications are susceptible to attack. Vulnerability scanning is common practice for distributed applications and web servers and helps to identify web server security vulnerabilities, such as:
Vulnerability scanners provide information on system weaknesses, the risk each weakness brings, and mitigation recommendations. For example, an external vulnerability scan helps identify entry points through which an attacker can reach the system, including weaknesses in the system’s perimeter defenses such as firewalls, APIs, and open ports. Internal vulnerability scans, on the other hand, help identify threats from within the system, including privilege escalation by an attacker who has already infiltrated it.
Some popular vulnerability scanners include:
- Crashtest Security Suite
Privileged Access Management Solutions
Privileged Access Management (PAM) tools help improve security by controlling and protecting accounts that hold special permissions and access capabilities. Privileged account holders pose extra risk because they have access to sensitive data and could compromise the entire application if their permissions are misused. Users with elevated permissions, such as system administrators and root users, usually interact with parts of the system that are off-limits to standard users. PAM solutions manage these users’ credentials with password auto-generation, auto-rotation, approval workflows, and a vault. Such tools form an integral part of privilege escalation prevention because attackers often target privileged account holders as convenient single points of failure.
Some popular Privileged Account Management tools include:
- AWS Secrets Manager
- Hashicorp Vault
- Google Secrets Manager
- Ping Identity
Password Security Tools
Password security tools help organizations, software teams, and application users create, store and update strong, secure passwords. In addition, these tools enforce strong password policies and best practices, enabling organizations to tackle major password protection threats. By keeping accounts safe, they form the first line of defense against privilege escalation attacks. Some of the threats that password security tools can detect and identify include:
- Password sniffing attempts such as keylogging
- Automated password theft using brute-force attacks
- Credentials accessed and retrieved during an API phishing or man-in-the-middle attack
- Login spoofing attempts by suspicious parties
- Shoulder surfing attacks
Password Security tools also enable the automation of password management tasks such as:
- Regular resetting/updating of passwords
- Multi-factor authentication (MFA) for all user accounts
- Ensuring Secure credential storage and the enforcement of secure data policies
- Scanning and enforcing the use of strong and unique
Some popular Password Security Tools include 1Password, Bitwarden, Dashlane, NordPass, Password Auditor, and Password Manager Pro.
User and Entity Behavior Analytics (UEBA) Solutions
UEBA tools use traffic analytics to build models of standard user and entity behavior over time, where entities include networks, host machines, data repositories, and network traffic. They gather data from system logs and apply complex data analysis techniques to establish a baseline behavioral pattern, then continuously monitor users and entities against that baseline, bolstering API security along the way.
Typical UEBA tools consist of three main components:
- Data Analytics – gathers data and analyzes it over time to model the usual behavior of users and entities.
- Data Integration – compares input data from various sources with existing security systems.
- Visualization/Presentation – presents analytical insights to system administrators and analysts, typically as an alert prompting investigation of unusual behavior.
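The three components above, reduced to a small working baseline, as an added example that is neither Crashtest Security’s code nor any vendor’s UEBA product: the integration step parses raw login lines into normalised fields, the analytics step learns each user’s usual hosts, hours and source networks, and the presentation step emits alerts for events that deviate on two or more attributes or come from an account never seen before. The log lines are constructed (fields: timestamp, user, host, source IP, result), and the threshold and one-hour tolerance are assumptions for illustration.

```python
"""Minimal UEBA-style baseline: learn normal login behaviour per user, then flag deviations.

Added example, not Crashtest Security's code or any vendor's UEBA product. The
log lines are constructed; fields are: timestamp user host source_ip result.
"""
from datetime import datetime
import ipaddress

TRAINING_LOG = """\
2024-03-01T08:05:12Z alice web-01 10.0.5.23 success
2024-03-01T09:15:40Z alice web-01 10.0.5.23 success
2024-03-02T08:45:03Z alice web-02 10.0.5.23 success
2024-03-03T17:50:11Z alice web-01 10.0.5.41 success
2024-03-01T22:10:09Z bob db-01 10.0.9.8 success
2024-03-02T23:02:33Z bob db-01 10.0.9.8 success
2024-03-03T21:55:47Z bob db-02 10.0.9.8 success
"""

NEW_LOG = """\
2024-03-04T08:30:00Z alice web-01 10.0.5.23 success
2024-03-04T03:12:45Z alice db-01 203.0.113.77 success
2024-03-04T22:40:10Z bob db-01 10.0.9.8 success
2024-03-04T09:00:00Z mallory web-01 198.51.100.9 success
"""


def parse_event(line):
    """Data integration step: turn one raw log line into normalised fields."""
    ts, user, host, src, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return {
        "user": user,
        "host": host,
        "hour": when.hour,
        # Collapse the source to its /24 so an address change inside the same
        # office network does not look like a new location.
        "net": str(ipaddress.ip_network(f"{src}/24", strict=False)),
        "result": result,
    }


def build_baseline(log_text):
    """Analytics step: the hosts, hours and source networks each user normally uses."""
    baseline = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["result"] != "success":
            continue  # failed attempts must not teach the model
        profile = baseline.setdefault(ev["user"], {"hosts": set(), "hours": set(), "nets": set()})
        profile["hosts"].add(ev["host"])
        profile["hours"].add(ev["hour"])
        profile["nets"].add(ev["net"])
    return baseline


def usual_hour(hour, hours):
    """True if the hour lies within one hour of any training hour (wrapping at midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in hours)


def score_event(baseline, ev):
    """List the attributes of the event that are new for this user."""
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["account never seen in the baseline"]
    reasons = []
    if ev["host"] not in profile["hosts"]:
        reasons.append(f"new host {ev['host']}")
    if not usual_hour(ev["hour"], profile["hours"]):
        reasons.append(f"unusual hour {ev['hour']:02d}:00")
    if ev["net"] not in profile["nets"]:
        reasons.append(f"new source network {ev['net']}")
    return reasons


def detect(training_text, new_text, threshold=2):
    """Presentation step: return alerts for unknown accounts or events at/above the threshold."""
    baseline = build_baseline(training_text)
    alerts = []
    for line in new_text.splitlines():
        ev = parse_event(line)
        reasons = score_event(baseline, ev)
        if ev["user"] not in baseline or len(reasons) >= threshold:
            alerts.append({"user": ev["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(TRAINING_LOG, NEW_LOG):
        print(f"ALERT {alert['user']}: {'; '.join(alert['reasons'])}")
```

Requiring two deviating attributes rather than one keeps a single late login from paging anyone, while the combination of a new host, an unusual hour and an outside network, or an account with no history at all, is exactly the pattern a compromised or newly created identity produces.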
Some popular UEBA solutions include IBM Security QRadar, Rapid7 InsightIDR, ActivTrak, CyberArk Idaptive, Teramind, Citrix Analytics, Exabeam, and inDefend.
Though not a standalone attack strategy, a privilege escalation attack can devastate an organization’s security. With elevated access to the system, attackers capitalize on additional exposed accounts and systems, potentially bringing down an entire business overnight.
With the pragmatic use of these best practices and tools, organizations can prepare for and prevent privilege escalation attacks. Crashtest Security Suite is an automated vulnerability scanning solution that tests for susceptible entry points in web applications and Application Programming Interfaces (APIs). The platform integrates with development toolsets to make vulnerability scanning part of the development process.
Crashtest Security has released a privilege escalation vulnerability scanner in beta. It is currently an optional scanner (while in beta), which means you need to go to your scan target’s preferences and select it on the Scanner page, as shown in the screenshot below.
If you don’t have an account and a scan target set up yet, you can create one completely for free.