Privilege escalation is often a top aim for cybercriminals as they traverse the attack chain to exploit your IT crown jewels. It lets them achieve critical steps in the attack chain, like maintaining persistence and moving laterally within an environment. Once they’ve initially compromised a host, they will seek to acquire higher privileges to gain access to valuable assets and create other mischief or damage.
This blog post explains why privilege escalation is a significant challenge for today’s businesses. We also present five common techniques, along with brief examples of each. And we offer a real-world example to underscore how bad actors use privilege escalation as a key intermediary step to carry out attacks.
Understanding privilege escalation
In cybersecurity, privilege escalation is the process by which an attacker gains access or permissions on a system that is at a higher level of privilege than what they had at the time of the initial compromise.
Attackers look to escalate privileges in one of two ways. They either do this horizontally or vertically.
This approach involves an attacker moving laterally within a network by compromising accounts at the same privilege level. As they move across the network, they can discover more targets and find more valuable data or systems.
Here’s an example of how a horizontal privilege escalation attack might unfold:
- An attacker uses stolen credentials to access a host with regular privileges within a company’s network.
- The attacker identifies a file server within the network that has sensitive data. Multiple users can access it, but they can only read and write files.
- The attacker takes advantage of this shared access. They modify files within the shared file system, injecting malicious code or replacing critical configuration files.
This activity may go unnoticed for a time because legitimate users regularly modify files on the shared file server. As other users interact with the compromised files, the attacker can increase the number of compromised accounts and hosts, collect sensitive data and prepare to launch a more widescale attack.
In this approach, attackers exploit identity vulnerabilities within a system or application to escalate their privileges from a basic user account to a privileged user. They might use social engineering tactics like phishing at first to trick users into handing over their login credentials.
Here is how a vertical privilege escalation attack might play out:
- An attacker uses a compromised user account to gain access to a targeted system.
- They identify a known vulnerability in an application or service that is running on the system.
- The attacker creates and deploys an exploit to take advantage of this vulnerability. In this case, they take advantage of a flaw in the code that allows a user to escalate privileges without being authorized.
- The attacker can now change their privileges to a higher level, like system admin.
Now that they have a lot of control over the system, the attacker can carry out a range of malicious actions. For example, they might change system configurations or steal data.
Why it is important to prevent privilege escalation attacks
The examples above make it clear that privilege escalation-enabled attacks can have a significant impact on businesses. To underscore the risk further, here are several other reasons these attacks are a cause for concern:
- Unauthorized access to and exposure of sensitive data
- Compromised user accounts and user identities
- Manipulated systems and configurations
- Disrupted business operations
- Data tampering and manipulation, such as with ransomware
- Legal and regulatory repercussions
- Reputational damage
5 Common privilege escalation attack techniques and examples
Now that you understand the two main categories of privilege escalation and why you must be vigilant in defending against these techniques, let’s look at five tactics that bad actors might use in such an attack.
1. Credential exploitation
With this approach, a bad actor takes advantage of a weak password or steals the credentials of a known IT administrator. This allows them to perform malicious actions under the guise of being a privileged user right at the point of the initial compromise.
- Credential stuffing. Attackers add pairs of compromised usernames and passwords of likely privileged users to botnets that automate the process of trying to use those stolen credentials.
- Password spraying. A bad actor attempts to gain unauthorized access to privileged user accounts by systematically trying commonly used passwords against a list of usernames.
2. Kernel exploits
Kernel exploits target vulnerabilities in a computer that are at the core of its operating system. An attacker might discover a kernel vulnerability that allows them to execute code in kernel mode that could allow them to gain higher privileges—and control over the entire system.
3. Exploitation of vulnerable software
Attackers can exploit vulnerabilities in software to gain unauthorized access. For example, a malicious insider with low-level access privileges could take advantage of an unpatched buffer overflow vulnerability on a hypervisor used to run virtual machines to gain root privileges without authentication.
4. Abuse of weak service configurations
Weak configurations in services can be exploited in a privilege escalation attack, as well. For example, when a database service is misconfigured, attackers might be able to execute arbitrary code. If they do this, they could upload malicious software to gain elevated privileges to that database.
5. Use of Mimikatz
Mimikatz is a widely used tool that automates the retrieval of credentials from endpoints that are running Windows. As such, it is a highly effective tool for escalating privileges within a compromised system. Here’s how:
- Credential dumping. It can extract plaintext passwords, hashes and Kerberos tickets from memory—even if those systems are protected by the Windows Local Security Authority.
- Pass-the-hash attacks. It can use stolen hashed passwords to authenticate and elevate privileges without needing the actual underlying plaintext password from the hash.
- Golden ticket attack. It can create forged golden tickets (Kerberos tickets) that grant access to a Windows domain, avoiding the normal authentication processes.
Example of threat actors that use privilege escalation attack methods
A cybercriminal group known as Scattered Spider is the focus of our real-world example. The group is known to target large companies and their IT help desks with extortion and other malicious activities.
In November 2023, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) about Scattered Spider. The CSA explained that the group has been focusing its attacks on sectors and subsectors of the commercial facilities industry. It also noted that it expertly uses social engineering and an array of techniques to obtain credentials, install remote access tools and bypass multifactor authentication (MFA).
The FBI and CISA reported that Scattered Spider threat actors have posed as company IT and/or help desk staff. They use phone calls or SMS messages to obtain credentials from employees and gain access to networks. Or they direct employees to run commercial remote access tools to enable initial access.
Other actions by Scattered Spider include:
- Posing as IT staff to convince employees to share one-time passwords (OTPs)
- Conducting MFA fatigue attacks that drive employees to press the “Accept” button to stop being annoyed by requests.
- Monetizing access to victim networks, including extortion enabled by data theft
The FBI observed that Scattered Spider threat actors use legitimate and publicly available tools once they gain access to networks, including Mimikatz. Methods they use to achieve persistence and privilege escalation include:
- Registering their own MFA tokens after they compromise a user’s account
- Adding a federated identity provider to a victim’s single sign-on tenant and activating automatic account linking so that they can sign into any account
- Using endpoint detection and response (EDR) tools installed on the victim networks to take advantage of remote-shell capabilities and execute commands that enable privilege escalation
- Deploy remote monitoring and management (RMM) tools to maintain persistence
To learn more about Scattered Spider’s attack methods, read the full CSA notice.
Tips to prevent privilege escalation techniques and attacks
The following strategies and best practices can help you reduce the risk of privilege escalation. Note that this is not a comprehensive list. There are many other ways to shore up your company’s defenses.
- Use MFA. While it’s not a surefire defense, MFA makes password cracking much harder for attackers. Even if an attacker figures out a user’s password, they won’t have access to the secondary authentication method, in most cases. MFA bypass attacks are a concern. But targeted security awareness training for users can help reduce the success of those attempts.
- Implement privileged access management (PAM). PAM is a security solution that focuses on the authorization, monitoring and management of privileged accounts. By using PAM, you make sure only authorized individuals can access privileged accounts linked to your critical systems, data and resources.
- Follow the principle of least privilege (PoLP). Make sure that your users, applications and systems only have access to the resources they need for their specific roles. This is the idea behind the PoLP concept, and it can greatly reduce the potential impact of a compromise.
- Update and patch systems regularly. Always keep your operating systems and apps up to date with the latest security patches. When you take a proactive approach to addressing known vulnerabilities, you can strengthen your security posture.
- Check your settings. Make sure that you have properly set the right system configurations, permissions and access controls. To make sure nothing slips through the cracks, you should also conduct regular access reviews.
- Encrypt sensitive data. When you encrypt sensitive data that is at rest and in motion, it helps to fortify your security. If an attacker gains unauthorized access to your network, systems or apps, they won’t be able to view the data without the proper decryption keys.
- Monitor user activities. Keep an eye out for suspicious activities like sudden changes in user behavior patterns or unusual system administrator activities.
When you combine these and other preventive measures, you can reduce the risk of privilege escalation. You will also enhance your overall security posture.
How Proofpoint can help
Attackers start escalating privileges after they’ve compromised a user identity. Proofpoint can help you protect your identities by providing you with a host of robust security controls to help you stop attacks before they become breaches. If threat actors do get past your initial defenses, Proofpoint can help you catch and stop them. And it can help you understand what went wrong so you can make sure it doesn’t happen again.
Proofpoint Identity Threat Defense platform features two primary components to help you continuously remediate vulnerable identities and better detect and respond to active threats. This platform includes:
- Proofpoint Spotlight can help your business discover vulnerable identities and remove them before attackers find them.
- Proofpoint Shadow can help you stop attackers before they cause damage by detecting and responding to active attempts at lateral movement and privilege escalation.
Learn more about Proofpoint Identity Threat Defense here.
Subscribe to the Proofpoint Blog