A key concern of any network intrusion is privilege escalation. Gaining administrator or root-level access enables attackers to move freely throughout a system after initial intrusion.
“It’s essentially game over,” security researcher and author Alexis Ahmed said.
Ahmed wrote Privilege Escalation Techniques to train red and blue team members on the importance of recognizing privilege escalation vulnerabilities and to teach security teams how to protect against privilege escalation attacks in Windows and Linux systems.
Here, Ahmed discusses the importance of being aware of vulnerabilities that enable attackers to elevate privileges, common weaknesses to be aware of and why security teams shouldn’t always focus heavily on initial access when reviewing attacks after the fact.
Editor’s note: The following interview is edited for conciseness and clarity.
Is privilege escalation part of every attack?
Alexis Ahmed: Absolutely. It’s one of the most important phases of a penetration test. Pen testers are contracted by a company to test its digital infrastructure. Let’s say a pen tester gains access to one system on the network. The next logical step is to elevate privileges because that gives total control of the system you’ve just exploited. It also allows you to access and explore the other systems on the network.
Furthermore, privilege escalation allows you to exfiltrate important data from an OS — such as user account passwords — that can then be used later. If you’re able to extract the user account passwords for the administrator account, then you can pretty much gain access to all the other systems on that network.
Why did you write a book on privilege escalation techniques?
Ahmed: First, privilege escalation has few available resources. I thought it’d be a good idea to publish an all-in-one guide for beginners or anyone getting into pen testing for Windows and Linux.
Second, privilege escalation is an area companies do not focus on enough. Companies are always more interested in [an attacker’s] initial access. Security teams are always worried about what vulnerability is going to get them into trouble and where the next attack is going to come from. Unfortunately, most companies only figure out they’ve been attacked after the fact. And the only reason an attacker was able to traverse through their network was by elevating privileges.
Companies and security teams need to take privilege escalation into consideration, especially when performing pen tests. Companies should tell pen testing firms to get an accurate idea of their security posture from a privilege escalation perspective. With that information, they can identify where the vulnerabilities are and patch them.
Why did you focus on Windows and Linux privilege escalation attacks?
Ahmed: Individuals getting into cybersecurity pen testing, such as red teamers and even blue teamers, benefit from learning about the big techniques to leverage. The systems you’re most likely to encounter during engagements are Windows, with a fair share of Linux, too.
I use Windows 7 in the book; there isn’t a huge difference between that and Windows 10 from an architecture perspective. I opted for Windows 7 because it is more flexible in setting up vulnerable VMs. This allowed me to demonstrate penetration techniques and offered readers an easy way of following along. The same techniques can be applied on Windows 10.
I wouldn’t say one OS version is more prevalent over the other, just that most organizations use Windows — this is why most techniques are for Windows-based systems. Windows is more widely deployed than macOS. It has a lot of privilege escalation techniques compared to other systems. I also included Linux because it’s used as a server OS and shouldn’t be ignored.
Given Windows’ market share domination, what are some common Windows-focused privilege escalation attacks?
Ahmed: If you’re going with Windows, the next variable would be the version and the actual patch level. The most common type of privilege escalation vulnerability revolves around identifying or finding misconfigurations within services — for example, things like unquoted service paths. In my experience, bypassing UAC [User Access Control] is becoming an effective technique for elevating privileges on pretty much every version of Windows, from 7 to 11.
Within a well-secured or a moderately secured network, look for misconfigurations that have been made by the administrator or the users themselves. This can include stored passwords within the OSes, getting passwords from browser cookies and human-based vulnerabilities, such as having some setting turned off that should be on.
Is there anything you couldn’t cover in your book that you recommend readers learn?
Ahmed: I had to leave out a couple of techniques. One was bypassing UAC on Windows, which I intend to cover in the second edition of the book. It’s a lengthy topic that needs an entire chapter dedicated to it.
This specific privilege escalation technique involves leveraging or taking advantage of poorly configured UAC profiles on Windows systems to elevate privileges.
Are there any specific accounts that are considered the holy grail if an attacker can access?
Ahmed: On Windows, it’s typically the administrator account; every Windows OS has one. By default, that account is disabled. It is typically identified with the SID [secure identifier] 500 — that’s what attackers are looking for.
In the case of Linux, it’s the root account. It allows you to do anything on the system as a Windows’ administrator account would.
There are forgotten accounts attackers can target, too. When you talk about user accounts and vulnerabilities associated with them, you might come across user accounts set up for a specific purpose. Say the administrator was trying to install a new program and created another user account with admin privileges to facilitate the operation of that program or third-party solution, and then they forgot to disable it, or they didn’t secure it appropriately. Some of the most common misconfigurations are privileged accounts that have been created for a specific purpose but remain enabled long after use.
Also, the lack of a password security policy can result in individuals reusing the same password for multiple accounts. If pen testers can identify the admin account’s password, they can try that password on multiple other accounts because the probability is high that the password was reused.
What else would you warn companies about when it comes to privilege escalation attacks?
Ahmed: One of the best ways to prevent privilege escalation attacks is to have regular pen tests, at least on a semiannual basis or quarterly basis. A pen test will give you a rundown of the vulnerabilities that affect your organization’s digital infrastructure. Further, if pen testers can elevate their privileges, they document that within the report and provide instructions on how to mitigate or patch these vulnerabilities.