Blue Goat Cyber

How Does Privilege Escalation Occur?

Privilege escalation is often the difference between a major and a minor security incident. A hacker able to get elevated access to a system after their initial compromise will almost certainly be able to access more sensitive information. Luckily, defenders have many different ways of stopping this before it happens. To effectively understand how to stop privilege escalation, blue teams should first know how it happens. Aside from traditional computer networks, this can also be relevant in IoT and medical devices. Attackers can often find extremely sensitive information in these systems if they are not properly secured.

How Can Hackers Escalate Privilege?

Privilege escalation can happen in many different ways depending on the operating system in place and the way that it is set up. Modern Operating Systems (OS) do a good job of locking down users when everything is properly configured. The problem tends to be administrators misconfiguring machines or leaving other avenues for attackers to elevate their privileges. Hackers can use specialized tools to tear through system configurations and find the fastest ways to elevate their privileges.

OS misconfigurations are one of the most common ways for hackers to elevate their privileges. What counts as a misconfiguration varies widely with the OS in use and the way that it is set up, and there are many different courses dedicated to this concept alone. At a high-level overview, hackers will look for a way to control a process that is already running at a higher privilege level, or to create a new process that runs at one. A great example of this is the ‘sudo’ command in Linux, which allows permitted users to run a command as another user, typically root. While this is necessary for many different day-to-day functions, it can also be used as a quick way to escalate privilege if it is not properly configured.
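The sudo misconfiguration described above is something a defender can check for before an attacker does. The following is an added example, not code from Blue Goat Cyber, that parses sudoers-style user specifications and flags the grants a reviewer should look at: `NOPASSWD` tags, `ALL` command sets for non-root principals, and wildcards in command arguments. The sample sudoers text, its user names and its paths are constructed for illustration, and the parser deliberately ignores aliases and line continuations, so it is an audit aid rather than a reimplementation of sudo's grammar.

```python
"""Flag sudoers rules that commonly let a low-privilege user reach root.

Added example, not Blue Goat Cyber's code. The sample sudoers text below is
constructed for illustration; its users, groups and paths are hypothetical.
"""
import re

# Constructed sample of /etc/sudoers content (hypothetical users and paths).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
Cmnd_Alias  SVC = /usr/bin/systemctl
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart webapp
backup      ALL=(root) NOPASSWD: ALL
www-data    ALL=(root) /usr/bin/vim /var/www/*
"""

# Lines that are not user specifications; this parser skips them rather
# than expanding aliases.
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias",
                 "Cmnd_Alias", "Runas_Alias", "@include")

# who  hosts = (runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
# Leading tag such as "NOPASSWD:" or "SETENV:" in front of the command list.
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


def parse_sudoers(text):
    """Return one dict per user specification found in the text.

    Trailing-backslash continuations and per-command tags after the first
    command are not handled; they are rare enough that a reviewer can read
    those lines by hand.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        spec, tags = m.group("spec"), []
        while True:
            t = TAG_RE.match(spec)
            if not t:
                break
            tags.append(t.group(1))
            spec = spec[t.end():]
        rules.append({
            "who": m.group("who"),
            "runas": m.group("runas") or "root",  # sudo's default target user
            "tags": tags,
            "commands": [c.strip() for c in spec.split(",") if c.strip()],
        })
    return rules


def audit_rules(rules):
    """Map each non-root principal to the issues a reviewer should look at."""
    findings = {}
    for r in rules:
        if r["who"] == "root":
            continue                              # root gains nothing from sudo
        issues = []
        if "NOPASSWD" in r["tags"]:
            issues.append("NOPASSWD: no re-authentication before elevation")
        for cmd in r["commands"]:
            if cmd == "ALL":
                issues.append("ALL: unrestricted command set as " + r["runas"])
            elif "*" in cmd:
                # A wildcard in arguments often lets the caller pick files or
                # options the rule's author never intended.
                issues.append("wildcard argument: " + cmd)
        if issues:
            findings.setdefault(r["who"], []).extend(issues)
    return findings


if __name__ == "__main__":
    for who, issues in audit_rules(parse_sudoers(SAMPLE_SUDOERS)).items():
        print(who)
        for issue in issues:
            print("   -", issue)
```

Run it against the real file with `sudo cat /etc/sudoers` piped into `parse_sudoers`, and remember that `sudo -l` as each service account shows the effective rules after alias expansion, which this parser does not do.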

Another common privilege escalation technique is through services installed on the system. While this can technically fall under the same category as a system misconfiguration, there can be some important differences. The end goal here will usually be for a hacker to identify a service running as a high-privilege user whose executable or configuration they can control; whatever the service then runs inherits the permissions of that user. This will let them effectively impersonate the user with higher privileges and take action on their behalf. The prized account for hackers to target is the built-in ‘root’ account on Linux and the ‘Administrator’ or ‘NT AUTHORITY\SYSTEM’ accounts on Windows.
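A defender's version of the service check above is to ask, for every service, who it runs as and whether someone other than root can change what it runs. The following is an added example, not Blue Goat Cyber's code, that reads systemd `.service` unit files, reads the `User=` and `ExecStart=` settings, and reports units whose unit file, executable, or executable's directory is group- or world-writable. It uses mode bits rather than `os.access` so the answer does not depend on which account runs the audit. The `build_sample_tree` helper creates a constructed layout under a temporary directory so the example runs offline; the unit names and binaries in it are hypothetical.

```python
"""Flag systemd services whose executable or unit file can be modified by
non-privileged users. Added example, not Blue Goat Cyber's code; the sample
units and binaries created by build_sample_tree() are constructed."""
import os
import stat
import tempfile

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def parse_unit(text):
    """Return (run_as_user, exec_path) from a .service unit body."""
    user, exe = "root", None      # systemd runs as root when User= is absent
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("User="):
            user = line.split("=", 1)[1].strip() or "root"
        elif line.startswith("ExecStart=") and exe is None:
            # Strip systemd's executable prefixes (-, @, +, !, :) before
            # taking the first token as the program path.
            cmd = line.split("=", 1)[1].strip().lstrip("-@+!:")
            exe = cmd.split()[0] if cmd else None
    return user, exe


def writable_by_others(path):
    """True if group or other have the write bit on the path itself."""
    return bool(os.stat(path).st_mode & WRITE_BY_OTHERS)


def audit_units(unit_dir):
    """Map each risky unit file name to its run-as user and the issues found."""
    findings = {}
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        unit_path = os.path.join(unit_dir, name)
        with open(unit_path) as fh:
            user, exe = parse_unit(fh.read())
        issues = []
        if writable_by_others(unit_path):
            issues.append("unit file writable by group/other")
        if exe and os.path.exists(exe):
            if writable_by_others(exe):
                issues.append("ExecStart binary writable by group/other")
            elif writable_by_others(os.path.dirname(exe)):
                # A writable directory lets the binary be replaced even when
                # the binary itself is read-only.
                issues.append("ExecStart directory writable by group/other")
        if issues:
            findings[name] = {"user": user, "issues": issues}
    return findings


def build_sample_tree():
    """Create a constructed unit/binary layout in a temp dir; returns unit_dir."""
    root = tempfile.mkdtemp(prefix="unit-audit-")
    unit_dir, bin_dir = os.path.join(root, "system"), os.path.join(root, "bin")
    for d in (unit_dir, bin_dir):
        os.makedirs(d)
        os.chmod(d, 0o755)        # independent of the caller's umask

    def put(path, body, mode):
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)

    put(os.path.join(bin_dir, "good"), "#!/bin/sh\n", 0o755)
    put(os.path.join(bin_dir, "bad"), "#!/bin/sh\n", 0o777)
    put(os.path.join(unit_dir, "good.service"),
        f"[Service]\nExecStart={bin_dir}/good\n", 0o644)
    put(os.path.join(unit_dir, "bad.service"),
        f"[Service]\nExecStart=-{bin_dir}/bad --serve\n", 0o644)
    put(os.path.join(unit_dir, "loose.service"),
        f"[Service]\nUser=nobody\nExecStart={bin_dir}/good\n", 0o666)
    return unit_dir


if __name__ == "__main__":
    for unit, info in audit_units(build_sample_tree()).items():
        print(f"{unit} (User={info['user']}): {', '.join(info['issues'])}")
```

On a real host point `audit_units` at `/etc/systemd/system` and `/usr/lib/systemd/system`; a finding where `User` is root is the case the text describes, since anyone who can rewrite that binary gets code running as root on the next restart.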

A very easy win for many attackers is simply finding or guessing a set of credentials for a higher-privileged user. Credential looting is typically going to be more specific to computer networks as opposed to IoT or medical devices, but it can happen anywhere. The basic process is just to comb through a system as a low-privilege user, looking for credentials anywhere they can be found. If this is possible, they can try these credentials against other systems on the network and see if anything sticks. The same concept applies to password guessing, though it is often far less successful.

How Can Defenders Stop Privilege Escalation?

With all the different paths that attackers can take, it may seem difficult to stop privilege escalation attacks. Defenders will need to cover a wide range of potential problems to make sure that their systems are secure. A good approach is to think like an attacker and use the same tools and techniques that they use. There are many different tools available that will perform automated enumeration of a system to identify paths for privilege escalation, such as PEASS-ng and PowerUp.ps1. These can all be leveraged by defenders to get a similar view to what an attacker may have.

While these tools are a great starting point, they do not cover everything that can happen. Administrators should carefully review configurations on any systems and keep them as locked down as possible. Policies should prohibit leaving passwords in locations an attacker could easily find, and stored credentials should be encrypted wherever that is practical. It is also important that any passwords are sufficiently strong to prevent simple password guessing or brute-forcing attacks from being successful.
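The credential-looting paragraph and the policy point above both come down to the same question: are there plaintext secrets sitting in files that a low-privilege account can read? The following is an added example, not Blue Goat Cyber's code, that scans configuration text for password assignments, credentials embedded in URLs and private-key headers, redacts the secret in its report so the report itself does not become loot, and records whether the file is world-readable. The sample configuration and every host name, user and secret in it are constructed; the patterns are a starting set, not a complete secret-scanning ruleset.

```python
"""Find plaintext credentials left in readable configuration files.

Added example, not Blue Goat Cyber's code. SAMPLE_CONFIG is constructed;
every host, user and secret in it is hypothetical.
"""
import os
import re
import stat
import tempfile

# Each pattern captures the sensitive part as the named group "secret" so the
# report can redact it; a private-key header is reported without a secret.
PATTERNS = [
    ("password assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|token)\s*[=:]\s*"
                r"['\"]?(?P<secret>[^'\"\s]+)")),
    ("credential embedded in URL",
     re.compile(r"://[^/\s:@]+:(?P<secret>[^@/\s]+)@")),
    ("private key material",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

SAMPLE_CONFIG = """\
# app.conf (constructed sample; values are hypothetical)
db_host = db.internal
db_password = Winter2024!
api_url = https://svc:s3cr3t@api.internal/v1
log_level = info
# password policy: see wiki
"""


def scan_text(text, source="<text>"):
    """Return one finding per matching line; comment lines are skipped."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for label, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.groupdict().get("secret")
            shown = line.replace(secret, "***") if secret else line
            findings.append({"source": source, "line": number,
                             "label": label, "redacted": shown})
            break                 # one finding per line keeps the report short
    return findings


def is_world_readable(path):
    """True if the 'other' read bit is set, i.e. any local account can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_file(path, max_bytes=1_000_000):
    """Scan one text file; each finding notes whether the file is world-readable."""
    if os.path.getsize(path) > max_bytes:
        return []                 # skip large blobs; this is for config text
    with open(path, "r", errors="replace") as fh:
        findings = scan_text(fh.read(), source=path)
    readable = is_world_readable(path)
    for finding in findings:
        finding["world_readable"] = readable
    return findings


def demo():
    """Write the constructed sample to a world-readable temp file and scan it."""
    path = os.path.join(tempfile.mkdtemp(prefix="cred-scan-"), "app.conf")
    with open(path, "w") as fh:
        fh.write(SAMPLE_CONFIG)
    os.chmod(path, 0o644)
    return scan_file(path)


if __name__ == "__main__":
    for f in demo():
        flag = "WORLD-READABLE " if f["world_readable"] else ""
        print(f"{flag}{f['source']}:{f['line']} [{f['label']}] {f['redacted']}")
```

A finding that is both a plaintext password and world-readable is exactly the combination the looting paragraph describes, so those are the ones to fix first; running the scan from an unprivileged account also shows which files that account could actually open.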

When in doubt, it can be worth consulting a security consultant like those at Blue Goat Cyber. A cybersecurity professional can review your systems and networks and identify the paths that a hacker may take to compromise your network. They can also guide you through the remediation process and make sure that everything is locked down. To find out more, reach out to schedule a discovery session.
