  1. PRIVILEGE ESCALATION
    1. RVA Attack Analysis
    2. Impact
    3. Mitigation/Remediation

PRIVILEGE ESCALATION

WHAT

The level of access a threat actor obtains at initial entry is usually limited. Before moving against internal targets, actors therefore try to raise the privilege level of the account or process they control so that later exploitation and compromise succeed.

WHY

Many of the methods threat actors use to gain initial entry yield only basic user access. Attackers therefore often begin internal activity as an ordinary user and then seek to escalate. Proper authentication and authorization standards limit what such an account can reach: sensitive data, network segments, and administrative controls. Without control of privileged, administrative, or root/SYSTEM accounts, many adversary objectives cannot be achieved.

HOW

After the initial foothold has been established, APT39 typically uses freely available tools, such as Mimikatz and Ncrack, in addition to legitimate tools, such as Windows Credential Editor and ProcDump, for privilege escalation. APT39 often uses these tools with system-level privileges to obtain enterprise-level accounts such as a Domain Administrator account.

RVA Attack Analysis

Valid Accounts: The assessment teams were able to escalate their level of privileged access during many of the RVA assessments conducted in 2020. The use of legitimate accounts made up the largest portion (37.5 percent) of the successful techniques. Valid accounts can be obtained in several ways, including hard-coded credentials found in files or code, default credentials that were never changed, and passwords cracked from operating system hash dumps.
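The hunt for hard-coded and default credentials described above (the same activity the password-file search under Mitigation/Remediation recommends) can be scripted. The following is an added example, not code from the CISA page: a Python scanner run over a constructed set of files standing in for a share or local drive. The assignment pattern, the filename pattern and the default-value list are assumptions and would be tuned to the environment being assessed.

```python
"""Hunt for hard-coded and default credentials in files on shares and local drives.
Added example; all sample files and detection rules below are constructed."""
import re
import tempfile
from pathlib import Path

# Constructed sample files standing in for a share or local drive (not real data).
SAMPLE_FILES = {
    "app/config.ini": "[database]\nhost=db01\nuser=svc_app\npassword=Summer2020!\n",
    "deploy/run.sh": '#!/bin/sh\nexport DB_PASS="Summer2020!"\n./app --admin-pass=admin\n',
    "docs/README.txt": "This service has no password for the guest account.\n",
    "ops/passwords.txt": "router01, admin, admin\n",
}

# Hypothetical detection rules: a secret-like key being assigned a value,
# a filename that suggests a credential store, and common default values.
ASSIGNMENT_RE = re.compile(
    r"(?i)(?P<key>[A-Za-z_]*(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token))\b"
    r"\s*[:=]\s*['\"]?(?P<value>[^\s'\"]*)"
)
NAME_RE = re.compile(r"(?i)pass(word)?|cred|secret|\.kdbx$|\.pem$")
DEFAULT_VALUES = {"", "admin", "password", "root", "changeme", "123456"}


def mask(value):
    """Never write the full secret into a report; keep a short prefix only."""
    return value[:2] + "***" if value else "<empty>"


def classify(value):
    return "default/weak credential" if value.lower() in DEFAULT_VALUES else "hard-coded credential"


def scan_tree(root):
    """Return sorted (relative_path, line_no, description) triples; line 0 = filename hit."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if NAME_RE.search(path.name):
            findings.append((rel, 0, "filename suggests a credential store"))
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole hunt
        for lineno, line in enumerate(text.splitlines(), 1):
            m = ASSIGNMENT_RE.search(line)
            if m:  # only key=value / key: value forms count, not prose mentioning "password"
                findings.append((rel, lineno, f"{classify(m['value'])}: {m['key']}={mask(m['value'])}"))
    return sorted(findings)


def demo():
    """Write the constructed files into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, lineno, desc in demo():
        print(f"{rel}:{lineno}: {desc}")
```

Run against a mounted share, the same `scan_tree` call walks the whole tree; the README line is deliberately not flagged because the rule requires an assignment, which keeps the noise from documentation low.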

Exploitation for Privilege Escalation: The assessment teams used exploitation techniques in 21.9 percent of their successful privilege escalation attempts. This form of escalation takes advantage of a system or software vulnerability that directly yields a higher privilege level. One example is tricking a vulnerable application into creating an account for the attacker and granting that account elevated privileges.
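The account-creation case above, as a constructed illustration that is not part of the CISA page: an application that copies every field of the request body onto the new account lets a client-supplied roles field grant privileged membership, while the hardened version allow-lists the fields it accepts and assigns roles server-side. The function names, the User class and the "Domain Admins" role value are hypothetical.

```python
"""Vulnerable versus hardened account creation (mass assignment).
Added example; the application and payload are constructed."""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str = ""
    roles: set = field(default_factory=lambda: {"user"})  # every new account starts as a plain user


def create_user_vulnerable(payload):
    """Copies every client-supplied field onto the account, so a request body
    carrying "roles": {"Domain Admins"} silently creates a privileged account."""
    user = User(username=payload["username"])
    for key, value in payload.items():
        setattr(user, key, value)  # mass assignment: no allow-list
    return user


ALLOWED_FIELDS = {"username", "email"}


def create_user_hardened(payload):
    """Rejects unexpected fields and never takes roles from the client."""
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    return User(username=payload["username"], email=payload.get("email", ""))


def grant_role(target, role, caller):
    """The only path to elevated roles: an explicit, authorized administrative action."""
    if "admin" not in caller.roles:
        raise PermissionError("only administrators may grant roles")
    target.roles.add(role)


# Constructed attacker request: a normal sign-up with an extra field.
ATTACKER_PAYLOAD = {"username": "mallory", "email": "m@example.test", "roles": {"Domain Admins"}}


def attempt(create, payload):
    """Return the roles the new account ends up with, or None if the request was rejected."""
    try:
        return create(dict(payload)).roles
    except ValueError:
        return None


if __name__ == "__main__":
    print("vulnerable:", attempt(create_user_vulnerable, ATTACKER_PAYLOAD))
    print("hardened:  ", attempt(create_user_hardened, ATTACKER_PAYLOAD))
```

The fix is the allow-list, not input sanitization: any field that influences authorization must be set by the server from the caller's own privileges, never parsed from the request.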

Token Impersonation: The teams used copies of existing security tokens in 15.6 percent of successful RVA escalation techniques. Duplicating the access token of a process that runs as SYSTEM or as a logged-on privileged user, and attaching that copy to the actor's own process, lets the actor run code under that identity. The resulting access can exceed that of a local administrator account, for example when the stolen token belongs to a Domain Administrator.

Impact

Successful privilege escalation grants unauthorized, privileged access to sensitive data, systems, or processes. An attacker who has internal access but only limited privileges may still be unable to carry out actions with severe consequences. With Domain Administrator access, however, a threat actor could impair mission-critical functions and potentially cause the loss of equipment or resources.

Mitigation/Remediation

  • Update software applications regularly.
  • Exercise least privilege when creating and managing accounts.
  • Limit users’ permissions to create tokens.
  • Prevent write access to logon scripts and prevent modification of associated registry keys.
  • Utilize sandboxes and application micro segmentation where applicable to limit adversarial movement and exposure.
  • Prevent applications from storing credential data and change default username and password where applicable.
  • Periodically review user and application privilege level and search for newly created accounts to identify unauthorized grants of elevated privilege.
  • Perform password file searches on all shares and local drives.
  • Configure applications with security best practice standards (e.g., disable xp_cmdshell on MS SQL Databases).
  • Utilize a strong password policy so that passwords cannot be easily cracked from stolen hashes.
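One way to carry out the account-review recommendation above, as an added example that is not CISA's tooling: a Python check that correlates Windows Security events 4720 (user account created) with 4728, 4732 and 4756 (member added to a global, local or universal group) and flags grants into privileged groups that occur shortly after account creation or are made by an identity outside the change-control list. The event IDs are the standard Windows ones; the record format, the privileged-group list, APPROVED_GRANTERS and the events themselves are constructed for the example.

```python
"""Review privileged-group grants for signs of unauthorized elevation.
Added example; the event records below are constructed, not real log data."""
from datetime import datetime, timedelta

# Constructed records in a simplified shape (subject = who acted, target = account
# affected, group = group name for membership events). Field names are assumptions.
EVENTS = [
    {"id": 4720, "time": "2020-06-01T08:00:00", "subject": "hr.admin", "target": "jsmith", "group": None},
    {"id": 4728, "time": "2020-06-01T08:05:00", "subject": "hr.admin", "target": "jsmith", "group": "Domain Users"},
    {"id": 4720, "time": "2020-06-01T23:41:00", "subject": "svc_backup", "target": "sqlmaint", "group": None},
    {"id": 4728, "time": "2020-06-01T23:43:00", "subject": "svc_backup", "target": "sqlmaint", "group": "Domain Admins"},
    {"id": 4732, "time": "2020-06-02T09:10:00", "subject": "it.admin", "target": "helpdesk1", "group": "Administrators"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
APPROVED_GRANTERS = {"it.admin"}      # hypothetical change-control list of who may grant these groups
GROUP_ADD_IDS = {4728, 4732, 4756}   # member added to global / local / universal group


def parse(ts):
    return datetime.fromisoformat(ts)


def review(events, approved=APPROVED_GRANTERS, window=timedelta(hours=24)):
    """Return one finding per suspicious privileged-group grant.

    A grant is suspicious when the target account was created within `window`
    before the grant, or when the granting identity is not on the approved list.
    Grants to non-privileged groups and routine grants by approved admins are ignored.
    """
    created = {}   # account -> (creation time, creator), built from 4720 events
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["target"]] = (parse(ev["time"]), ev["subject"])
        elif ev["id"] in GROUP_ADD_IDS and ev["group"] in PRIVILEGED_GROUPS:
            reasons = []
            if ev["target"] in created:
                c_time, creator = created[ev["target"]]
                age = parse(ev["time"]) - c_time
                if age <= window:
                    reasons.append(f"account created {age} earlier by {creator}")
            if ev["subject"] not in approved:
                reasons.append(f"granted by {ev['subject']}, not an approved administrator")
            if reasons:
                findings.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "granted_by": ev["subject"],
                    "time": ev["time"],
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in review(EVENTS):
        print(f"{f['time']} {f['account']} -> {f['group']} by {f['granted_by']}: " + "; ".join(f["reasons"]))
```

In the constructed set only the sqlmaint grant is reported: the account was created two minutes before being added to Domain Admins, and by a service account that is not an approved granter. The helpdesk1 grant by it.admin and jsmith's addition to Domain Users are filtered out, which is the point of correlating creation and grant events rather than alerting on every group change.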
