Intruder Tactics: Privilege Escalation

What is privilege escalation?

Privilege escalation is just a formal way of describing when an attacker gains more permissions on a computer they have broken into, which then gives them the ability steal more information or do more damage. To understand why this is important, consider this analogy: a criminal breaks into a bank branch office at night, disabling the alarm and slipping in through a window without being detected – if that break-in represents initial access, then the next step of breaking into the vault is privilege escalation. While not all computer intrusions require privilege escalation to achieve the attacker’s goals, most of the most serious and damaging intrusions do need to escalate privileges in order to move the attack from a single employee workstation to critical servers, sensitive systems, and widespread deployment across all the employee workstations.

How does an intruder escalate privileges?

There are several completely different scenarios that can all be called “privilege escalation” but we’ll focus on the most common scenarios that you are likely to encounter. First, it is important to understand that there’s a difference between being a “local administrator” on an individual computer versus being a “Domain Administrator” (or worse, an all-powerful “Enterprise Administrator” over multiple domains).

• Scenario 1: The intruder guesses an employee’s remote desktop password and logs in as them, or the intruder tricks an employee into running something on their computer that gives the intruder the ability to run things on the computer as if they were the employee, and the employee is NOT a local administrator. In this scenario, the intruder will likely try to exploit a vulnerability in an installed program (such as a DLL search order hijacking or DLL injection attack against a program that runs with higher privileges) to run commands as the local administrator account or the built-in “SYSTEM” account. This is what is known as a Local Privilege Escalation or LPE. If the attacker can achieve this, they can then use a program like mimikatz or another similar technique to steal hashes or passwords out of memory.
• Scenario 2: The intruder gets access to a system as the local administrator. The easiest situation for the intruder and the worst situation for the defenders is when every employee account is part of the local “Administrators” group on the workstation. Some small companies have that set up so that employees can install whatever software they want without bothering the IT staff, or because some poorly-designed software claims that it needs to run as local administrator. This is a very dangerous way to operate, much like giving every bank teller, custodian and other employees the combination to the bank’s safe for convenience, and hoping that none of them ever are co-opted by a bank robber. In this case, the attacker can easily gain access to steal passwords out of memory, add new accounts to the system (to give themselves an easy backdoor later), change remote desktop security settings, and disable anti-virus and endpoint security monitoring software.

In either scenario, once the attacker has local computer administrator or SYSTEM level privileges, it’s just a matter of time before a Domain Administrator account logs in to the computer. Oftentimes, intruders will purposefully cause some minor system glitch to occur that will annoy the employee using the workstation and cause them to ask IT support for help. The IT support personnel will most likely log into the computer remotely using a Domain Administrator account, which puts a hash, token, or password into memory. Please note that Windows 10 supports mitigations to protect against these types of attacks, such as Credential Guard, which should be enabled. Using Group Policy to restrict SeDebugPrivilege is another best practice to help defend against these types of attacks.

Attackers often use tools such as Bloodhound to find the shortest path to a user account that has Domain Administrator privileges, especially if there are Service Accounts (non-user accounts with fixed, non-expiring passwords) that have higher privileges in the domain. A good technique for defenders is to detect the telltale signs of Bloodhound being run on the domain by monitoring LDAP queries and other signals to alert defenders. Surprisingly, attackers often download Bloodhound into files and folders named “Bloodhound”--that’s another easy thing to monitor if defenders have visibility into file events on endpoints.

The most dangerous situation is once the intruder gets access to a Domain Administrator account. They might add another Domain Administrator or promote an existing user to Domain Administrator in order to maintain control, or they might just continue to use an existing account for which they have stolen the plaintext password. It’s important to monitor security events to investigate whenever a new account is added to the Domain Administrators group.

In conclusion, privilege escalation is a commonly-used attacker technique that is very important to monitor for and investigate whenever it happens. Of course, there are legitimate use cases for escalation of privileges–administrators use this technique all the time. But when a user account that doesn’t normally have any reason to become an administrator starts launching programs with administrator level access, defenders must be on guard and respond quickly to investigate. If they don’t, it’s like letting the bank robber take as much time as they like with the vault open–you can bet they won’t waste that opportunity!