Privilege Escalation Attacks

 Many people may struggle to understand the concept of privilege escalation when it comes to cybersecurity. Because of this, we are going to provide a little bit more illumination on the subject throughout this post. Continue reading to learn what privilege escalation is, how many different kinds of privilege escalation there are, instances of privilege escalation attacks on Windows and Linux, and what the best practices are for preventing it.

Privilege Escalation Attacks

What is meant by the term "privilege escalation"?

In the field of cybersecurity, privilege escalation refers to any hostile effort to exploit a defect in an application or operating system, or a mistake in the configuration of the system, in order to acquire unauthorized access to sensitive information. This is accomplished by taking control of the account of a user who already has the required credentials to see or make changes to sensitive information that is not ordinarily available to the person who is doing the action.

By obtaining these types of rights, a malicious actor is able to perform a series of actions to the operating system or to the server, such as running different commands or facilitating the infiltration of malware within the network. These actions could further lead to the following consequences if they are not stopped in time:

causing damage to corporate operations, exposing critical data or system resources, or even taking total control of the system.

To put it simply, this may be used to its advantage by abusing one's advantages.

The Mechanisms Behind the Escalation of Privilege

In order for a threat actor to carry out an attack that escalates privileges, they must first penetrate the network that is going to be attacked. In most cases, this is accomplished by exploiting weaknesses in the system or by using strategies such as social engineering, for instance. This may also go both ways: either hackers identify a privileged account from the start and carry out an attack that escalates their privileges, or hackers acquire access to a regular account in the early phase and carry out an attack that escalates their privileges. In the second scenario, they are able to perform network surveillance until it is time to make the next move, which is to gain access to a privileged account. A privileged account is an account that has special rights above and beyond those of a standard user, and it has access to crucial data and infrastructure within an organization.

Escalations of Privilege Can Take Many Forms

The concept of privilege escalation may be broken down into two distinct categories: horizontal privilege escalation and vertical privilege escalation. The goal of VPE, or vertical privilege escalation, for an attacker is to take control of a higher-privileged account than the one they currently have. On the other hand, with HPE, also known as horizontal privilege escalation, the hacker will first try to acquire control of an account before attempting to elevate their privileges to the system level. Both kinds of operations are accomplished by taking advantage of weaknesses that are already present in the operating system.

Vertical Privilege Escalation

Vertical privilege escalation is a term used in cybersecurity that refers to an attack that begins at a point of lower privilege and then escalates privileges until it reaches the level of the user or process that it targets. This type of attack is also known as privilege elevation. Vertical privilege escalation is a term that is used in cybersecurity.

This kind of attack takes advantage of the fact that the majority of computer systems and networks are built in such a way that users with lower privilege levels are able to access resources that are restricted to users with higher permission levels. For instance, a system administrator could be able to access resources that are typically set aside for kernel-level users, but they might not know the passwords for such resources. This escalation is accomplished by the attacker first getting access to the root account, and then utilizing the privileges gained from that account to compromise other accounts with a lower degree of access.

When dealing with vertical privilege escalation, you're dealing with the sort of activity known as "accountphage." In practice, the hacker will attempt to trick the victim into giving up control of their account.

A hacker has the capability of stealing important data and passwords, as well as downloading ransomware payloads and installing them inside the system, destroying files, or executing other code instructions. Even after being defeated, the aggressor may go undetected. How? Simply said, they wipe traces such as access logs, so nobody would ever know that they were ever there. This delays the discovery of a data breach, which either makes it more difficult to retrieve the stolen data or gives him more time to gain whatever he wants in connection with that company.


Let's imagine that user A, who is employed by firm XYZ, has been granted permission to view a financial database. Because user A is a finance officer, he has been given permission to carry out a predetermined set of activities on the financial database that have been established by the firm (e.g., read, write, open, but not delete). Someone known only as "Fellow B," who has no connection to XYZ in any manner, would want to get unauthorized access to the financial records of the firm for whatever nefarious purpose they may have. B is able to effectively take control of user A's account and obtain access to the database by using a variety of TTPs. This is a fantastic illustration of the escalation of privilege that occurs vertically.

Horizontal Privilege Escalation

Horizontal privilege escalation is when one user gains the access rights of another user who has the same access level as the person that initiated the cyberattack. This occurs when a user successfully escalates their privileges horizontally. When compared to vertical privilege escalations, horizontal ones are somewhat more difficult to accomplish since they need a comprehensive knowledge of the inner workings of operating systems.

In VPE, you won't need to elevate rights (that is, obtain the credentials necessary to access another informational class) because the account you're about to take over already has all of the credentials that are required to access that particularly sensitive area. This is because VPE allows you to take over any account in the environment. You will need to take control of those rights in HPE while simultaneously elevating them at the same time. There's definitely some "Mission Impossible" right there, but if a hacker has the necessary tools, it's not impossible at all. In the majority of situations involving HEP, the attacker would use phishing or spearphishing to infect the victim's workstation and hacking tools like Metasploit to get access to the SYSTEM level (root). And here is when all the excitement starts.

Threats of Escalation of Privilege

Because it gives attackers access to everything in an organization's information technology infrastructure, privilege escalation is one of the most hazardous forms of assaults that may occur in the context of cybersecurity.

It makes it possible for unauthorized parties to access your sensitive data.

It is possible that a malevolent hacker has gained access to sensitive and secret data that they shouldn't have access to if privileges have been escalated, which is a serious danger linked with the practice of privilege escalation.

It has the potential to open the door to further cyberattacks.

Even if a privilege escalation attack does not pose a direct threat to the security of your organization's infrastructure, it may serve as a gateway to additional cyberattacks, allowing threat actors to plant a malicious payload in the system that is being targeted. This is true even if the privilege escalation attack itself does pose a direct threat. Therefore, whenever a privilege escalation is discovered, you should look further into the problem to determine whether or not it goes deeper into the organization's system by searching for indicators of malicious activity. This should be done in order to determine whether or not the issue affects more users.

Examples of Attacks on Higher Privilege Levels

I have already provided an explanation of how privilege escalation often works. Now, let's look at an example of a more applicable aspect of this subject. Let's take a look at some instances of attacks that escalate privileges by using different operating systems. I'm going to give you some instances of attacks that escalate privileges in Windows in the next lines, and I'm also going to give you some examples of attacks that do the same thing in Linux. These instances come with a set of suggested preventative strategies.

Increasing One's Own Privileges in Windows

Escalating one's Windows privileges may be accomplished in a variety of different ways. Let's take a look at three different kinds of Windows privilege escalation threats and the countermeasures you may take against them.


The apparent "beauty" of this kind of privilege escalation attack comes in the fact that it is rather straightforward. A hacker doesn't really need to know how to use a computer in order to pull it off. The threat actor may circumvent the standard endpoint authentication process and get system-level capabilities by using the 'enable sticky keys capability.' Here's the catch: Although it seems absurd, the theory is really valid. From this location, he is able to establish a (false) administrator account, install a hidden backdoor, and do many more malicious acts.

As a countermeasure against the Windows Sticky Key Attack, you should stop the launch of sticky keys. In the Windows registry, go to the key HKEY CURRENT USERControl PanelAccessibilityStickyKeysFlags and modify the value so that it reads "510" instead of "510." This will apply encryption security to the partition that contains Windows on your computer.


Credential dumping is a fantastic method for retrieving hashed credentials from important system places. [Credentials] are often stored in encrypted form. When compared to the sticky-key attack, the credential dumping technique is somewhat more difficult since it calls for the use of certain instruments, a certain amount of time, and, of course, the nose of a bloodhound. So, how exactly does this process work? In any case, the saved login credentials for Windows workstations are stored in a variety of different places. Basically, if you are familiar with the locations to which you should seek, it is not difficult to get information such as administrative login passwords, master passwords for local passphrase vaults, and so on.

The hacker will need to discover a method to "unhash" those credentials before he can proceed. To put it another way, credential dumping is the equivalent of going through every trash can in your city in the hope of finding a piece of paper that has the key code to the warehouse containing your dream PC or anything like that.

Increase the complexity of passwords, enable PPL (Protect Process Light) for LSA, check the backups of domain controllers, restrictor disable NTLM, and add a user to the Protected Users list in your Access Directory. These are some of the measures you can take to protect against a credential dumping attack.


According to the information provided by Red Team Notes in their essay, an adversary may carry out three different sorts of privilege escalation tactics via the use of token manipulation: This type of token theft entails establishing a new access token for the aim of mimicking a valid token, generating a process through token creation, in which the threat actor produces a token and utilizes it to execute a process on the victim's system against their will, and token theft. This process will function under a legitimate security context, one that is connected with a legitimate user. Additionally, the make-and-bake approach will be used, in which the threat actor will activate a new logon session as soon as the legitimate user logs out (usually using the LogonUser command in a CMD window). After that, the function will send a copy of the session's token to the potential threat actor. Last but not least, this recently received token may now be connected to a thread.

Measures to Prevent Manipulation of Access Tokens Include Banning Individual Users or User Groups from Creating Tokens. Apply the concept of least privilege and closely monitor administrative accounts.


The Hot-tater attack is a very complex kind of attack that makes use of flaws in both the NTML relay and the local NBNS Spoofer in order to get access to sensitive information. The objective is to get NT AUTHORITYSYSTEM rights on the computer belonging to the victim. Interrogating the NBNS spoofer, requesting a phony WPAD proxy server, and MITMing the NTLM protocol are the three phases of the 'Hot-tatting' procedure, which refers to the act of gaining unauthorized access to a target. As a consequence of this, the malicious actor is successful in convincing the victim's system to authenticate itself via the NTML protocol. The specifics of the authentication procedure are provided to the attacker, who by this point would have already obtained access at the system level.

Enable SMB Signing as a Preventative Measure Against Hot-Tater Attacks (however, not yet proven).

Linux Privilege Escalation

Hackers often utilize a technique known as "enumeration" when discussing the process of elevating their privileges under Linux. They will be better able to identify vulnerabilities that will allow an attack that escalates privileges to continue its progression as a result of this. In order to accomplish this goal, a number of different automated technologies are used. Threat actors gain more information about the system by port scanning, conducting Google searches, or engaging in direct interaction. Alternatively, they may look for available Perl or Phython, which are essentially two high-level programming languages that will allow them to deploy exploit code into the system.

Exploitation of the Linux kernel and of SUDO rights are the two methods that are linked with the process of elevating privileges in Linux.


If the Linux kernel has vulnerabilities that a hacker is able to exploit in order to get access to the Linux root file system, then a kernel exploit attack is a possibility.

A timely installation of Linux updates and patches is recommended as a kernel exploit mitigation measure, as recommended by MITRE ATT&CK in this particular scenario. In order to prevent an exploit from being installed, files that allow file transfer activities, such as FTP, SCP, or curl, should either have their permissions limited or deleted, or they should merely be associated with a small number of users or IP addresses.


What exactly is SUDO? It is shorthand for a Linux software that, when installed, will provide various users with the capacity to execute programs by making use of privileged privileges that are the property of a third party who will provide them with permission to do so. In this scenario, the outcome would be the potential for commands to be executed with root access.

SUDO Right Exploitation Mitigation Measure: According to MITRE ATT&CK, compilers, interpreters, or editors should never be granted rights that allow access to a programming language compiler. Additionally, different programs that facilitate a shell running action should not have these kinds of special rights.


Credential privilege escalation may lead to data breaches, which can then create major difficulties in both the system and the network applications. Privileged Access Management (PAM) security mechanisms, which are designed to prevent both internal and external threats, offer a significant advantage when it comes to the protection of end-to-end data and access. This is despite the fact that protecting a system against cyberattacks and ever-increasing privilege escalation efforts becomes exceedingly challenging.

You may like these posts

Post a Comment