Privilege escalation is the exploitation of a programming error, vulnerability, design flaw, configuration oversight or access control in an operating system or application to gain unauthorized access to resources that are usually restricted from the application or user.
This results in the application or user having more privileges than intended by the developer or system administrator, allowing attackers to gain access to sensitive data, install malware and launch other cyber attacks.
How does privilege escalation work?
Most computer systems are designed for use with multiple user accounts, each of which has abilities known as privileges. Common privileges include the ability to view, edit or modify files.
Privilege escalation means an attacker gains access to privileges they are not entitled to by exploiting a privilege escalation vulnerability in a target system or application, which lets them override the limitations of the current user account.
Privilege escalation is a common way for malicious users to gain initial access to a system. Attackers start by finding a weak point in an organization's cybersecurity to gain initial penetration to a system.
In many cases, the first point of penetration will not give attackers the level of access or access to the file system they need. They will then attempt privilege escalation to gain more permissions or to obtain access to additional, more sensitive systems.
In some situations, attackers attempting privilege escalation find the doors are wide open. Inadequate information security, failure to follow the principle of least privilege and a lack of defense in depth leaves regular users with more privileges than they need.
In other cases, attackers exploit poor patching cadence, zero-day vulnerabilities or use specific techniques to overcome an operating system's permissions mechanism.
Why is it important to prevent privilege escalation?
While privilege escalation is generally not the end goal of an attacker, it is frequently used in preparation for a more specific cyber attack, allowing intruders to deploy a malicious payload, adjust security settings and open up additional attack vectors in the targeted system.
Whenever you detect or suspect privilege escalation, use digital forensics to find signs of other malicious activities like computer worms, malware, corporate espionage, data breaches, data leaks, man-in-the-middle attacks and stolen personally identifiable information (PII), protected health information (PHI), psychographic data or biometrics.
Even without evidence of further attacks, privilege escalation incidents represent significant cybersecurity risk because it means someone has gained unauthorized access to a privileged account and confidential or sensitive information.
In many industries, these incidents need to be reported internally and to relevant authorities to ensure regulatory compliance.
What are the two types of privilege escalation?
There are two main privilege escalation techniques:
- Vertical privilege escalation (privilege elevation): An attacker attempts to gain higher privileges or access with an existing account they have compromised. For example, an attacker takes over a regular user account on a network and attempts to gain administrative privileges. Typically the administrator or system user on Microsoft Windows, or root on Unix and Linux systems. Once they gain elevated privileges, attackers can steal sensitive data about a specific user, install ransomware, spyware or other types of malware, execute malicious code and damage the security posture of your organization.
- Horizontal privilege escalation: An attacker expands their privileges by taking over a privileged account and misusing the legitimate privileges granted to the user. For local privilege escalation attacks this might mean hijacking an account with administrator privileges or root privileges, for web applications might mean gaining access to a user's bank account or the admin account of a SaaS app.
What are examples of privilege escalation?
Three common privilege escalation techniques are:
- Access token manipulation: Takes advantage of the way Microsoft Windows manages administrator privileges. Normally, Windows uses access tokens to determine the owners of running processes. With token manipulation, the attacker fools the system into believing the running processes belong to a different user than the one that actually started the process. When this happens, the process takes on the security context associated with the attacker's access token. This is a form of privilege elevation or vertical privilege escalation.
- Bypassing user account control: Windows has a structured mechanism for controlling user privileges called user account control (UAC) that serves as a barrier between normal users and administrators, limiting standard user permissions until an administrator authorizes increased privileges. However, if the UAC protection level on a computer is not properly configured, some Windows programs will be allowed to elevate privileges or execute Component Object Model (COM) objects without asking for administrator permission first. For example, the rundll32.exe can load a Dynamic Link Library (DLL) which loads a COM object that has elevated privileges, allowing attackers to bypass UAC and gain access to protected directories.
- Using valid accounts: Attackers gain unauthorized access to an administrator or user with elevated privileges and use it to log in to a sensitive system or create their own logon credentials.
How to prevent privilege escalation attacks
Attackers use many privilege escalation techniques to achieve their goals. The good news is if you can quickly detect successful or attempted privilege escalations attacks, you have a good chance of stopping intruders before they can launch their main attack.
To attempt privilege escalation in the first place, attackers usually need to gain access to a less privileged account. This means that regular user accounts are your first line of defense, make sure to invest in strong access control:
- Enforce password policies: One of the simplest ways to improve security is to enforce secure passwords. Don't reuse passwords, as they may be exposed in big data breaches. See our guide on how to create strong passwords and invest in a tool to continuously monitor for leaked credentials.
- Create specialized users and groups with minimum necessary privileges and file access:The principle of least privilege in a security context refers to providing normal users with only the set of privileges they need to do their job and nothing more. Read our guide on access control for more information. While it's convenient to give every user the same level of access to all resources, it provides attackers with a single point of entry into your organization, it's far safer to employ defense in depth across your data security, information security and network security efforts.
- Invest in cybersecurity awareness training: Even if your organization has a robust, enforced password policy social engineering attacks like phishing and spear phishing can lead to cybercriminals gaining access to your sensitive systems. Educate your employees and third-party vendors on common cyber threats and how to avoid them. Enable DMARC to prevent email spoofing and buy potential typosquatting domains.
For application security, it's vital to:
- Avoid common programming errors in applications: Follow best practices to avoid common bugs that are targeted by attackers, e.g. buffer overflows, code injections and unvalidated user input. Read our guide on server hardening and invest in a tool to monitor for unintended data exposures.
- Secure databases and sanitize user input: Databases are attractive targets as many web applications store sensitive data in databases including login credentials, user data and payment methods. One SQL injection can give attackers access to all this information and allow them to launch additional cyber attacks. Poor configuration management can lead to data leaks which is why it's important to encrypt data at rest and in transit.
Not all privilege escalation relies on user accounts, administrator privileges can be obtained be exploiting vulnerabilities in applications operating systems and configuration management, minimize your attack surface by:
- Keeping systems and applications updated: Many attacks exploit known vulnerabilities listed on CVE. By keeping a consistent patching cadence you are minimizing this cybersecurity risk.
- Ensuring correct permissions for files, directories and web servers: Follow the principle of least privilege, check S3 security settings and ensure that only those who need access have access.
- Closing unnecessary ports and removing unused accounts: Default system configurations often include unnecessary services and arbitrary code running on open ports, each one is a potential attack vector. Remove default and unused accounts to avoid attackers and former employees gaining access to sensitive systems.
- Avoiding default login credentials: This might seem obvious but many organizations fail to change the default login credentials on their devices such as printers, routers and IoT devices. No matter how secure your network security is, one router is using the default admin/password login credentials could be enough for an attacker to intrude.
- Removing or restricting file transfer functionality: FTP, TFPT, wget, curl and other file transfer functions are a common way to download and execute malicious code or malicious writable. Consider removing these tools or restricting their use to specific directories, users and applications.
- Monitor your third and fourth-party vendors: Attackers can use your vendors to gain access to your organization. This is why vendor risk management is a fundamental part of preventing privilege escalation attacks. Remember that vendor risk management is a regulatory requirement for FISMA, GLBA, PIPEDA and the NIST Cybersecurity Framework.
- Avoid vendors with poor cybersecurity: Ask for your vendor's SOC 2 report and information security policy.
- Modernize your vendor risk management: Develop a risk assessment methodology, third-party risk management framework and vendor management policy. Consider using an established vendor risk assessment questionnaire template that you use to understand your vendors' security posture.
- Automate vendor risk management: Invest in a tool that can rate your vendors' security posture against 50+ criteria and assign them a security rating. This can greatly reduce your third-party risk and fourth-party risk.
If you want to get an idea of your organization's external security posture, use our free security scanner to see your external attack surface.
How UpGuard can help prevent privilege escalation attacks
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.