What is Privilege Escalation?

Privilege escalation is a technique that malicious actors use to gain elevated privileges on a system or network. This is typically done by exploiting vulnerabilities, misconfigurations, bugs or weak security controls.

No system or network is immune to privilege escalation attacks. Some attacks using escalated privileges can be as simple as using a stolen password to log in with greater permissions. Others may be more sophisticated, requiring the attacker to bypass several authentication and authorization layers to gain administrative privileges.

Organizations typically use an authorization system to define distinct roles for users based on their specific job responsibilities. Each role describes the actions that users or user groups are authorized to perform on designated resources or data.

For example, an “engineer” role may allow software engineers to push code, trigger pipelines, retrieve application logs and read data from a database. Similarly, a “production engineer” role may allow production engineers to deploy code, start and stop applications, and submit support tickets. Moreover, an administrator role may encompass the privileges of both the above roles and more.

A privilege escalation attack occurs when an unauthorized user manages to elevate their access beyond their assigned role. This can be done by exploiting a vulnerability in the authorization system to elevate to administrator privileges, stealing admin credentials via social engineering or finding a way to inherit permissions from another role.

Privilege escalation attacks can have severe consequences. Once hackers obtain elevated privileges, they can perform a range of unauthorized actions, such as deleting databases, installing malware, stealing sensitive files or disabling crucial services. Moreover, they may leverage their newfound access to launch other attacks, like ransomware or distributed denial-of-service (DDoS) attacks.

There are two types of escalation methods:

• Vertical: An escalation of privilege from a lower tier to a higher one to gain root or administrative access
• Horizontal: A lateral escalation of privilege from one user to another with similar privileges

Vertical privilege escalation is when a cybercriminal manages to obtain higher-level privileges on a system. In simple terms, it refers to the process of moving vertically up the permission ladder, from a lower-level role to a higher-level role.

The goal of most vertical escalation efforts is to gain root or administrative access. These elevated privileges allow the cybercriminal to bypass many security restrictions and controls and virtually take over the entire system.

Most common vertical privilege escalation examples

While new techniques for vertical privilege escalation continue to emerge, the following methods remain consistently prevalent:

1. Exploiting weak authentication

Hackers may exploit a weak or misconfigured authentication system to gain unauthorized access to an account with higher privileges. For example, they may execute a brute-force attack on the login system to extract the credentials of an administrator. This is why cybersecurity is continuously evolving toward strong authentication and advanced authentication security models.

2. Leveraging vulnerabilities and misconfigurations

Malicious actors may exploit known vulnerabilities in unpatched software or applications to elevate their privileges. For example, they may leverage a bug in the database engine to assume a privileged role and truncate essential tables.

Misconfigurations are another common way of elevating privileges. For example, a poorly configured Identity and Access Management (IAM) system may allow anyone to assume the administrator role after performing multi-factor authentication (MFA).

3. Using social engineering

Attackers may use phishing tactics to trick authorized users into revealing their credentials, or performing actions that grant additional privileges to the attacker. For example, they may send an email to an administrator that may contain a malicious attachment. Opening the attachment may execute malicious code, allowing the attacker to access the administrator’s account.

4. Bypassing access control mechanisms

Attackers may discover and exploit flaws in the systems used to manage user access control. For example, they may manipulate input fields or URLs to access restricted resources or functions meant for higher-level roles.

5. Using physical access

Hackers with physical access to a system or network can directly inject code or run malicious scripts to elevate privileges. For example, they may abuse flawed sudo configurations to conduct a Linux privilege escalation attack. Or they may execute a PowerShell script that tweaks registry rules to perform Windows privilege escalation on a Windows machine.

In horizontal privilege escalation, an attacker tries to gain the privileges of another user account at the same level of the role hierarchy. In other words, it allows an attacker to compromise other users with similar privileges.

Horizontal privilege escalation is particularly concerning because it allows attackers to move laterally across an infrastructure, potentially compromising several accounts and resources.

Most common horizontal privilege escalation examples

Some vertical and horizontal privilege escalation techniques can overlap. For example, social engineering, misconfigurations, brute-force attacks and malware can be used to perform both vertical and horizontal privilege escalation.

With that said, here are some techniques that are commonly used specifically for vertical privilege escalation:

1. Session hijacking

Hackers may exploit weaknesses in session management to take over sessions of other authenticated users. For example, a hacker may perform an SQL injection on a web application to retrieve credentials of other signed in users.

2. Cookie tampering

By intercepting and tampering with cookies or session tokens, malicious actors can impersonate other users. For example, they may leverage a flaw in a server’s operating system to steal another user’s token and use it to seamlessly log in to the desired application.

3. Cross-Site Request Forgery (CSRF)

CSRF (Cross-Site Request Forgery) is a cyberattack in which a hacker tricks a user into executing an unwanted action on a website or application. CSRF attacks are an example of the confused deputy problem, where a hacker manipulates an authorized system entity (the deputy) to perform actions on the hacker’s behalf.

4. Shared credentials

In some situations, users or systems may share the same credentials for convenience, or due to poor security hygiene. While this may seem harmless, it presents a significant security risk, as it allows attackers to use the same set of credentials to move laterally across a system or network.

No system or network can be considered completely impervious to privilege escalation. However, the following best practices and preventive measures can make it significantly harder for anyone to elevate privileges:

1. Adhere to the principle of least privilege

Adherence to the principle of least privilege solves several problems that can allow malicious actors to utilize escalated privilege. The principle dictates that nobody has more rights than they need to do their jobs. This limits the potential damage from compromised accounts.

2. Use robust authentication

Implement strong authentication mechanisms, like adaptive MFA or passwordless authentication, to make unauthorized access harder.

3. Regularly update systems

Keep your applications and systems up to date, so that any known vulnerabilities or bugs are resolved quickly. Developing a robust, automated patch management system can also help in this regard.

4. Avoid misconfigurations

Ensure that your applications, systems and networks are properly configured. You can use purpose-built tools to detect any misconfigurations in your infrastructure. For example, the AWS IAM Access Analyzer helps you validate IAM policies.

5. Spread cybersecurity awareness

Educate your employees regarding the risks of privilege escalation and the importance of following security protocols. Promote good password hygiene, which includes setting complicated passwords that are not shared among users or applications.

6. Use segmentation and isolation

Isolate critical systems and sensitive data from public-facing or less secure areas of the network. Moreover, implement network segmentation to reduce the chances of lateral movement.

7. Employ a zero-trust model

Adopt a zero-trust model, in which trust is never assumed, and anyone trying to access a resource is required to prove their identity.

8. Monitor and respond

Use modern tools, like Security Information and Event Management (SIEM) solutions and Intrusion Detection Systems (IDS), to monitor user activity and respond to potential incidents.