Privilege Escalation

Vertical privilege escalation

This occurs when an attacker with limited access rights, such as a regular user, exploits vulnerabilities to gain higher-level privileges, such as administrative or root access. This is the most common form of privilege escalation and can lead to significant security risks.

‍

‍

Horizontal privilege escalation

‍In this case, an attacker moves laterally within a system, gaining access to resources or accounts of other users who have similar access rights. While horizontal escalation doesn't involve escalating to higher privileges, it allows attackers to exploit other accounts or data.

‍

‍

How do attackers proceed to escalate privileges?

1. Initial Access Acquisition

Attackers begin by gaining entry into a system with basic user privileges. They achieve this through methods such as phishing, where deceptive communications trick users into revealing credentials; exploiting vulnerabilities in software or systems that have not been properly secured; or using default credentials that were never changed after installation. The primary goal at this stage is to establish a foothold within the system, creating a platform from which they can launch further attacks.

2. System Enumeration and Reconnaissance

Once inside the system, attackers engage in system enumeration and reconnaissance to gather detailed information about the environment. They collect data on the system architecture, operating system versions, installed applications, running services, and existing user accounts. This information gathering is facilitated by tools such as command-line utilities, system scripts, and network scanning tools, which help map out the system's structure and identify potential targets for exploitation.

3. Identifying Vulnerabilities

With comprehensive knowledge of the system, attackers proceed to identify vulnerabilities that can be exploited to escalate their privileges. They look for software vulnerabilities, such as unpatched bugs or flaws that have known exploits. Configuration weaknesses are also sought out, including misconfigured services, insecure file permissions that allow unauthorized access, or default settings that have not been properly secured. Additionally, they assess credential issues like weak passwords that are easy to guess or crack, reused credentials across multiple systems, or exposed authentication tokens that can be intercepted.

4. Exploitation Techniques

To take advantage of the identified vulnerabilities, attackers employ various exploitation techniques. When exploiting software vulnerabilities, they may perform buffer overflows by injecting code into a program through overrunning a buffer's boundary, or conduct code injection by inserting malicious code into trusted applications. Abusing misconfigurations is another tactic; attackers might exploit insecure file permissions to access or modify files due to improper permission settings, or leverage SUID/SGID abuse on Unix/Linux systems by exploiting files that execute with higher privileges.

Credential theft is a critical method used to gain unauthorized access. Attackers might engage in password hash dumping, extracting password hashes from system memory or files to crack them offline. Keylogging is another technique, where they record keystrokes to capture passwords and other sensitive information. To bypass security controls, attackers may manipulate tokens, using stolen tokens to impersonate higher-privileged users. On Windows systems, they might perform DLL hijacking by replacing legitimate Dynamic Link Library (DLL) files with malicious ones to execute code with elevated privileges. Exploiting weaknesses in User Account Control (UAC) allows them to perform administrative tasks without prompting the user, effectively bypassing a key security feature.

5. Gaining Elevated Privileges

Armed with these techniques, attackers aim to gain elevated privileges within the system. They execute exploits by running specialized scripts or tools designed to take advantage of the identified vulnerabilities. Deploying privilege escalation payloads involves introducing malware specifically crafted to escalate privileges upon execution. Service exploitation is another avenue, where attackers target services that are running with higher privileges, manipulating them to execute arbitrary code that grants them increased access rights.

6. Post-Exploitation Activities

After successfully escalating their privileges, attackers engage in post-exploitation activities to solidify their control and prepare for further operations. To maintain access, they may create backdoors by installing persistent methods that allow them to re-enter the system even after reboots or security updates. Adding new user accounts with administrative privileges ensures they have ongoing access without relying on the initial exploit.

Covering their tracks is essential to avoid detection. Attackers manipulate logs by deleting or altering event records to hide evidence of their activities. They may also modify file timestamps to prevent forensic analysts from identifying anomalies during investigations. With elevated privileges, attackers can perform lateral movement within the network. Network propagation involves using their access to infiltrate other systems connected to the network, expanding their reach and potential impact. They leverage obtained credentials to infiltrate additional resources, a process known as credential reuse, which allows them to compromise more accounts and systems without triggering immediate suspicion.

‍