Privilege Escalation Explained


Questions and Answers

What is privilege escalation?

Attackers heighten the privileges of the user accounts that they have compromised to achieve a greater objective.

System developers employ the 'most privilege' rule when dealing with users.

False (B)

What are the two classifications of privilege escalation?

Horizontal and vertical privilege escalation.

In horizontal privilege escalation, what does the attacker use to access the accounts of other users?

A normal account.

Name two ways in which horizontal privilege escalation can occur.

Through software bugs and through an administrator account.

What is gained from the initial access in horizontal privilege escalation?

The same privileges.

In Windows, what are commonly used in vertical privilege escalation?

Buffer overflows.

In macOS, what is vertical privilege escalation called?

Jailbreaking.

What can an attacker run through the privileges it acquires in vertical privilege escalation?

Any unauthorized code (e.g., malware and ransomware).

What does the attacker avoid when performing vertical privilege escalation?

Alerts.

What are some methods that can be used to gain privileged access?

Credential exploitation, misconfigurations, vulnerabilities and exploits, social engineering, and malware.

Attackers often focus on which accounts due to their elevated privileges?

Admin accounts.

Misconfigurations can bypass _____ requirements.

authentication

What creates vulnerabilities across operating systems, applications, and communication protocols?

Mistakes in system development, design, or configuration.

What are some things that malware includes?

Viruses, worms, adware, spyware, and ransomware.

In Windows, what type of access should be rare?

Administrator access.

What two tools can identify unpatched machines?

Nessus and Nmap.

What tool can be used to bypass Windows privilege management and upgrade the user on the vulnerable machine to an admin?

PowerUp.

What does Windows use to determine the owners of all running processes?

Access tokens.

What can attackers do by exploiting accessibility features?

Create a backdoor through which they can log into the system without authentication.

What is application shimming?

A Windows Application Compatibility framework.

What can custom shims do?

Bypass User Account Control, inject DLLs into running processes, and interfere with memory addresses.

What does Windows User Account Control (UAC) act as?

A gate between normal users and admin-level users.

What objects are elevated in certain Windows programs?

Component Object Model (COM).

What is a DLL (Dynamic-link library)?

A shared library for Microsoft-based OS.

What is Dylib used for?

Similar functionality to DLLs, but in Apple-based OS.

What do DLL injection attacks aim to do?

1) Modify the Windows Registry, 2) create threads, and 3) load DLLs, all of which require admin privileges.

Reflective DLL injection is easy to detect.

False (B)

What can attackers try to replace in DLL search order hijacking?

Legitimate DLLs with malicious ones.

What does Dylib hijacking on macOS mirror?

DLL hijacking on Windows, to inject unauthorized code.

What is something that some systems will accept as passwords for all users?

Certain phrases (such as an insecure default password).

What will the attacker start to do in the exfiltration phase?

Extract sensitive data from an organization.

What will the hackers install to assure themselves of access to the victim's computers and systems whenever they want?

Malware, such as rootkit viruses.

What is the most feared stage of any cyber-attack?

Assault.

What is done by the attackers in obfuscation?

Cover their tracks.

Flashcards

Privilege Escalation

Heightening privileges of compromised user accounts to achieve a greater objective, such as data theft or system disruption.

Least Privilege Rule

Assigning users the minimum necessary privileges to perform their job functions, limiting potential damage from compromised accounts.

Horizontal Privilege Escalation

Attacker uses a normal account to access other user accounts.

Horizontal Escalation via Bugs

Accessing other user accounts due to coding errors.

Horizontal Escalation via Admin Account

Compromising an administrator account to create other admin-level users.

Vertical Privilege Escalation

An attacker acquires elevated system rights, enabling actions that administrators cannot stop or interfere with.

Vertical Escalation via Web Tools

Exploiting code in the backend of web-based tools to gain higher privileges.

Vertical Escalation via Buffer Overflow

Gaining unauthorized access by exploiting vulnerabilities in the system's code.

Jailbreaking

Bypassing restrictions on Apple devices, similar to gaining root access on other systems.

Vertical Escalation via Exploits

Exploiting flaws such as EternalBlue, used by WannaCry, to achieve higher-level system access.

Privilege Level Variation

The level of privileges varies from basic to admin-level; higher levels can revoke or disable lower accounts.

Least Privilege Assignment

Directing the assignment of privileges so users only have the permissions they need.

Credential Exploitation

Compromising valid credentials such as usernames, passwords, and API keys to gain privileged access to systems.

Targeting Admin Accounts

Attackers focus on high-privilege accounts to move laterally and gain extensive control.

Credential Exploitation Mitigation

Mitigation is difficult: resetting passwords can temporarily block attackers, but failure to identify the root cause may lead to persistent security issues.

Misconfigurations

Configurations that can bypass authentication requirements; they need mitigation rather than remediation.

Vulnerabilities and Exploits

Mistakes in system development, design, or configuration create vulnerabilities in operating systems, applications, and communication protocols.

Threat Assessment Factors

The overall threat is shaped by vulnerability severity, the system resources at risk, and the availability of exploits.

Malware

Viruses, worms, adware, spyware, and ransomware infiltrate systems for data exfiltration, control, or disruption.

Avoiding Alerts

Techniques used to prevent detection during privilege escalation, often involving disabling or evading security systems.

Privilege Escalation Factors

The level of skill of the hacker and the intended outcome.

Admin Access

Normal employees should generally not have administrative access to systems.

Exploiting Unpatched Systems

Identifying unpatched machines using tools like Nessus and Nmap and exploiting them.

Access Token Manipulation

Windows uses access tokens to determine the owners of running processes, enabling privilege manipulation.

Metasploit in Token Manipulation

Metasploit is used to manipulate access tokens and execute commands with elevated privileges.

Exploiting Accessibility Features

Visual-impairment accessibility features in Windows can be exploited to create backdoors and gain unauthorized access.

Application Shimming

The Windows Application Compatibility framework.

Abusing Application Shimming

Running malicious programs with elevated privileges and turning off security software using custom shims.

Bypassing User Account Control

Bypassing the access gate between normal and admin-level users.

DLL (Dynamic-link library)

A shared library for Microsoft-based OS, allowing code and data sharing without relinking or recompiling.

Dylib

The shared library format used on Apple-based OS, serving the same role as a DLL on Windows.

DLL Injection

Maliciously running code using processes and services of the Windows operating system.

Reflective DLL Injection

Loading malicious code without making the usual Windows API calls, bypassing DLL load monitoring.

DLL Injection Examples

Programs like Backdoor.Oldrea and BlackEnergy use DLL injection to hide malicious activities.

DLL Search Order Hijacking

Replacing legitimate DLLs with malicious ones so that programs load the malicious DLLs instead.

Dylib Hijacking

A high-privilege program loads a hijacked dylib, which then runs with the program's elevated privileges.

Exploitation of Vulnerabilities

Exploiting coding errors to bypass security mechanisms, for example through URL manipulation.

Exfiltration

Extracting sensitive data, trade secrets, usernames, and passwords from an organization.

Remain Silent

The hackers may decide to remain silent even after exfiltration.

Ineffective Security Tools

The victim's security tools are ineffective at detecting or stopping the attack from proceeding.

Study Notes

Privilege Escalation Overview

  • Attackers increase compromised user account privileges for greater objectives, such as data manipulation or system disruption.
  • System developers employ the least privilege rule, granting users only necessary privileges.
  • Attackers target low-privilege accounts and upgrade them to access files or alter systems.
  • Privilege escalation requires a combination of skills and tools and is classified into horizontal and vertical types.

Horizontal Privilege Escalation

  • Attackers use normal accounts to access other user accounts, commonly through software bugs or administrator accounts.
  • Attacks are facilitated by stealing login credentials.
  • Attackers use the same initial access privileges.
  • Horizontal privilege escalation involves accessing protected resources with a normal user account.
  • It is often achieved through session/cookie theft, cross-site scripting, weak passwords, and keystroke logging.
  • Attackers gain remote access, access multiple accounts, and evade security tools.

Vertical Privilege Escalation

  • The attacker acquires system rights; this is often more rewarding but also more difficult.
  • It offers higher chances of remaining undetected on a network, with the capacity to perform administrator-level actions.
  • Techniques vary by system: buffer overflows are used in Windows, jailbreaking in macOS, and exploiting backend code in web-based tools.
  • Attackers can run unauthorized code, gaining high-level authority.
  • It involves kernel-level operations and widely uses buffer overflows.
  • The "EternalBlue" vulnerability used in WannaCry is based on a buffer overflow.
  • Vertical escalation relies on hacking tools.
  • It requires avoiding alerts by disabling security systems or by using legitimate tools.

How Privilege Escalation Works

  • Privilege levels range from basic to admin, with capabilities to revoke or disable lower accounts.
  • The least privilege rule dictates privilege assignment based on job necessities.
  • Methods to gain privileged access include credential exploitation, misconfigurations, vulnerabilities/exploits, social engineering, and malware.

Credential Exploitation

  • Access requires valid credentials like usernames, passwords, and API keys.
  • Attackers target admin accounts for lateral movement and extensive control.
  • Compromised credentials grant unrestricted access.
  • Resetting passwords temporarily blocks attackers, but identifying the root cause is crucial to prevent persistent issues.

Misconfigurations

  • They bypass authentication and need mitigation over remediation.
  • They stem from poor default settings like backdoors, default passwords, and insecure access routes.

Vulnerabilities and Exploits

  • Vulnerabilities arise from mistakes in system development, design, or configuration affecting operating systems and applications.
  • Most enable horizontal privilege escalation, while some allow vertical escalation when high-privilege accounts are compromised.
  • The overall threat depends on the vulnerability's severity, resources at risk, and available exploits.

Social Engineering and Malware

  • Malware includes viruses, worms, adware, spyware, and ransomware for system infiltration, control, and disruption.

Avoiding Alerts

  • Hackers disable or evade security systems or use legitimate tools to prevent detection.

Performing Privilege Escalation

  • Technique depends on attacker skill and desired outcome.
  • Administrator access should be rare in Windows.
  • Normal employees should not maintain admin access, which introduces attack vectors.
  • Remote users with admin access need careful monitoring to prevent misuse.

Performing Privilege Escalation: Exploiting Unpatched Systems

  • Identifying unpatched systems involves using Nessus and Nmap.
  • Hackers search Kali Linux or the Searchsploit database for exploits.
  • Tools like PowerUp bypass Windows privilege management to upgrade users to admin.
  • Legitimate Windows tools check patch status using "wmic qfe get" or "get-hotfix" commands.

Performing Privilege Escalation: Access Token Manipulation

  • Access tokens dictate owners of running processes.
  • Admin users log in as normal users, but processes execute with admin privileges via "run as administrator".
  • Metasploit is used for access token manipulation.
  • Full level admin access is obtained by fooling the system into thinking processes were started by an admin.
  • Stolen admin credentials are leveraged in access token manipulation.

Performing Privilege Escalation: Exploiting Accessibility Features

  • Windows accessibility features are exploited to create backdoors, enabling login without authentication.
  • A command prompt with administrator privileges is obtained by manipulating accessibility features.
  • Further tasks can be carried out via that command prompt, including installing backdoors.

Performing Privilege Escalation: Application Shimming

  • Application shimming is a Windows compatibility framework.
  • Most applications that used to run on Windows XP can today run on Windows 10 due to this framework.
  • It creates a buffer between legacy programs and the OS, referencing a shim database via an API.
  • Shims are designed to run in user mode to avoid direct communication with the OS.

Performing Privilege Escalation: Application Shimming (2/2)

  • Attackers create custom shims to bypass User Account Control, inject DLLs, and interfere with memory.
  • Malicious programs can run using elevated privileges and can switch off security software.

Performing Privilege Escalation: Bypassing User Account Control

  • Windows User Account Control (UAC) acts as a gate between normal and admin-level users.
  • The UAC gives permissions to programs and elevates them to run with admin-level privileges.
  • Windows programs are allowed to elevate privileges even without prompting the user via Component Object Model (COM) objects.
  • Attackers can inject malicious processes into trusted processes, gaining admin privileges.

Performing Privilege Escalation: DLL Injection

  • DLLs are shared libraries for Microsoft's OS, sharing code and data without re-linking.
  • Dylib is used for similar functionality in macOS.
  • DLL injection runs malicious code with legitimate processes and services. Attackers' actions are masked by legitimate processes.
  • DLL injection attacks modify Windows Registry, create threads, and load DLLs, requiring admin privileges.

Performing Privilege Escalation: Reflective DLL Injection

  • It loads malicious code without the usual Windows API calls, bypassing DLL load monitoring.
  • The malicious code is disguised in the form of raw data.
  • This method is difficult to detect even on machines with adequate security.
  • Backdoor.Oldrea injects itself into explorer.exe, BlackEnergy injects itself as a DLL into svchost.exe, and Duqu spreads across processes to avoid detection.

Performing Privilege Escalation: DLL Search Order Hijacking

  • It replaces legitimate DLLs with malicious ones, identified through the locations where programs store them.
  • Malicious DLLs are placed high in the search path.
  • When Windows searches for a DLL, the malicious file is found instead of the intended one, even when the intended one is in a remote location.
  • The manifest or local redirection files are modified to cause programs to load DLLs other than the intended ones.

Performing Privilege Escalation: Dylib Hijacking on macOS

  • Dylib Hijacking is the macOS counterpart of DLL Hijacking on Windows, used to inject unauthorized code.
  • OS X's dynamic library search mechanism is exploited by placing malicious dylibs in prioritized search locations.
  • A high-privilege program inadvertently loads the hijacked dylib, which then runs with the program's elevated privileges.

Performing Privilege Escalation: Exploitation of Vulnerabilities

  • A horizontal privilege escalation method through programming errors.
  • Some systems accept phrases as passwords for all users.
  • Attackers change access levels via URLs in web-based systems.
  • Windows flaw: Attackers created Kerberos tickets with domain admin rights using user permissions (MS14-068).

Concluding the Mission

Exfiltration

  • Attackers extract sensitive data, including credentials, secrets, and personal information.
  • Large amounts of data are stolen.
  • The stolen data is then put up for sale.
  • Attackers may erase or alter the files.
  • Ashley Madison (2015), Yahoo (2013/2016), and LinkedIn (2016) are examples of hacks which exfiltrated data.

Sustainment

  • Hackers remain silent post-exfiltration or install malware like rootkits for ongoing access.
  • The victim's security tools become ineffective.
  • The attacker has multiple access points.

Assault

  • The most impactful phase involves damaging data or software or disabling hardware.
  • Example: Stuxnet, which targeted an Iranian nuclear facility.
  • The nuclear facility was hit by the first recorded digital weapon, which was transmitted via a USB thumb drive.

Obfuscation

  • Attackers conceal their tracks using confusion techniques to deter investigation.
  • They target outdated servers in smaller establishments for lateral movement.
  • Unsecured Wi-Fi and dynamic code obfuscation help them avoid detection by signature-based antivirus and firewalls.
