What is Privilege Escalation?

Bart Lenaerts-Bergmans - June 3, 2022

As organizations rely more on remote work capabilities and larger cloud systems, their vulnerability to cyberattacks increases. Privilege escalation attacks are a prevalent and complex threat, and any network can become a target.
Organizations need multiple defense strategies when any asset can become an entry point for intruders. Understanding the privilege escalation process is an important first step toward prevention and defense against extensive network attacks.

What Is Privilege Escalation?

A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access to a system. Attackers exploit human behaviors, design flaws or oversights in operating systems or web applications. This is closely related to lateral movement — tactics by which a cyberattacker moves deeper into a network in search of high-value assets.

The result is an internal or external user with unauthorized system privileges. Depending on the extent of the breach, bad actors can do minor or major damage. This might be a simple unauthorized email or a ransomware attack on vast amounts of data. Left undetected, attacks can result in advanced persistent threats (APTs) to operating systems.

Expert Tip

You might wonder who should know about privilege escalation. The answer is: everyone! Any user with a login, no matter how basic, may become the initial victim. Catastrophic attacks can start with gaining valid credentials of any kind, so any compromised account is a problem for the whole network.

How Privilege Escalation Works

Adversaries usually perform privilege escalation starting with a social engineering technique that relies on manipulation of human behavior. The most basic is phishing — electronic communications that contain harmful links. Once an attacker compromises an individual’s account, the entire network is exposed.

Attackers search for weak spots in organizational defenses that allow initial entry or basic privileges through credential theft. As explained in more detail below, exploiting such vulnerabilities enables further elevated privilege. Effective strategy must therefore combine techniques for prevention, detection and swift action.

Privilege Escalation Techniques

A privilege escalation technique can be executed locally or remotely. Local privilege escalation begins onsite, often by someone inside the organization. Remote escalation can begin from almost anywhere. For a determined attacker, either approach can be effective.

What Are the Main Types of Privilege Escalation?

Attacks are grouped into two primary types:

With horizontal privilege escalation (or account takeover), an attacker gains privileged access to a standard user account with lower-level privileges. The intruder might steal an employee’s username and password, gaining access to email, files and any web applications or subnetworks to which they belong. Having obtained this foothold, the attacker can move horizontally through the network, expanding their sphere of privileged access among similarly privileged accounts.

Vertical privilege escalation (or privilege elevation) begins similarly, with an attacker using a foothold to try to escalate vertically, gaining access to accounts with higher privilege. For example, they might target accounts with administrator privileges or root access permissions, such as an IT helpdesk worker or a system administrator. A privileged account can be used to invade other accounts.

Differences Between Vertical and Horizontal Privilege Escalation

In short, horizontal privilege escalation involves gaining access to accounts with privileges similar to the original account’s. By contrast, vertical privilege escalation involves gaining access to accounts with more privileges and permissions. An attacker might begin with a standard user account and use it to compromise higher-level accounts with admin privilege.

The more privileges an account has, the more immediate damage a malicious actor can do. An IT helpdesk account can harm standard user accounts and can itself become a point of vertical escalation. Horizontal attacks are nevertheless also dangerous because the risk to a network escalates with the number of compromised accounts. Every point of vulnerability is an opening for attackers to delve deeper into the system, so both horizontal and vertical attacks must be addressed with speed.

More Types of Privilege Escalation Technique

Cyberattackers are constantly developing new ways to break into accounts and compromise systems, but phishing remains predominant. Attackers design these deceptive messages, whether broad and scattershot or carefully targeted, to trick users into sharing credentials, downloading malware or exposing networks to unauthorized use.

Other kinds of social engineering attacks include the following:

  • Cybersquatting or typosquatting: Hijacking a URL or creating a false URL to entice clicks. Attackers might employ a false top-level domain (e.g., Sample.co, .cm or .org instead of .com) or subtly misspell a name (e.g., Sampe.com, Sarnple.com or Samp1e.com).
  • Password exposure: Sometimes users expose their passwords voluntarily, sharing them with friends or coworkers. More often they do so unwittingly. They might keep passwords written down somewhere obvious in their workspaces or have passwords that are easy to guess.
  • Security question exposure: It’s not unusual for users to forget passwords. When they do, they often must answer security questions to create new passwords. Thanks to social media, the answers to security questions are easier than ever to discover. (Beware the viral quizzes or posts asking for the “Top 5 Things No One Knows about You.”)
  • Vishing, or “voice phishing”: Attackers might call an employee and impersonate an authority figure, tricking the employee into providing privileged information or installing malware.
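The lookalike patterns in the cybersquatting item above can be checked mechanically by defenders who monitor mail, proxy or DNS logs. The following is an added example, not code from the original article: it classifies candidate domains against a protected one, and the `CONFUSABLES` table, the function names and the two-label domain assumption are illustrative choices.

```python
# Added example: classify domains that imitate a protected domain.
# Assumption: domains have two labels (name.tld); a production check would
# use the Public Suffix List to find the registrable part.

# Illustrative table of visually confusable sequences, folded to one form.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))


def split_domain(domain):
    """Return (name, tld) in lower case, e.g. 'Sample.com' -> ('sample', 'com')."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld


def skeleton(name):
    """Fold confusable sequences so that lookalike names compare equal."""
    for seq, repl in CONFUSABLES:
        name = name.replace(seq, repl)
    return name


def edit_distance(a, b):
    """Levenshtein distance computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, protected="sample.com"):
    """Label a candidate relative to the protected domain."""
    p_name, p_tld = split_domain(protected)
    c_name, c_tld = split_domain(candidate)
    if (c_name, c_tld) == (p_name, p_tld):
        return "legitimate"
    if c_name == p_name:
        return "tld-swap"        # same name under a different top-level domain
    if skeleton(c_name) == skeleton(p_name):
        return "homoglyph"       # differs only by confusable characters
    if edit_distance(c_name, p_name) <= 1:
        return "misspelling"     # one character added, dropped or changed
    return "unrelated"


def flag_lookalikes(candidates, protected="sample.com"):
    """Return {domain: reason} for every candidate that imitates `protected`."""
    verdicts = {d: classify(d, protected) for d in candidates}
    return {d: v for d, v in verdicts.items() if v not in ("legitimate", "unrelated")}


# Constructed input: the article's examples plus two controls.
SEEN = ["Sample.com", "Sample.co", "Sampe.com", "Sarnple.com", "Samp1e.com", "example.com"]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(SEEN).items():
        print(f"{domain}: {reason}")
```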

Adversaries may also use techniques that rely on technological help. Brute force attacks and credential dumping are most common, but many others exist:

  • Brute force attacks: These involve systematic automated guessing of passwords and can be especially effective in systems with insufficient password requirements.
  • Credential dumping: In these attacks, attackers gain illegal access to a network and steal multiple credentials all at once.
  • Shoulder surfing: This involves stealing an individual’s credentials through an insecure network or by hacking into an individual’s devices.
  • Dictionary attacks: In this type of attack, bad actors combine common words into possible passwords based on a network’s password length and requirements.
  • Password spraying: This type of attack utilizes automated attempts to gain access to many accounts at once using a few common passwords (e.g., “password,” “qwerty,” “123456” and the like).
  • Credential stuffing: Here, attackers try to use credentials from one system on a different system. This works because so many people reuse passwords across multiple networks.
  • Pass the hash or rainbow table attacks: This attack type involves algorithms that “hash” or scramble passwords.
  • Password changes and resets: Sophisticated attackers can find ways to exploit the process of setting new passwords. They can even request new passwords themselves if they know answers to security questions.

Both Windows servers and Linux operating systems are vulnerable to attacks. Windows privilege escalation often employs token manipulation, user account control bypass or DLL (dynamic link library) hijacking. Common Linux system privilege escalation attacks include enumeration, kernel exploits and using sudo access to gain root privileges. The access provided by stolen credentials is so powerful that attackers are highly motivated to find new ways to escalate Linux privileges.

Privilege Escalation Prevention Strategies

Prevention requires constant, proactive vigilance. Any business with a network can fall victim, since every user presents some degree of vulnerability. This means your prevention strategy must be comprehensive and inclusive, enlisting every user in the system to help secure their shared cyberspace. Where prevention fails, detection measures must also be in place, along with ready plans of action that can be executed quickly to prevent the worst consequences.

How to Detect a Privilege Escalation Attack

Detection of privilege elevation generally relies on pattern recognition, searching for outliers and identifying abnormal events. Unfortunately, detecting privilege escalation can be extremely difficult because it is so unpredictable. If a threat actor successfully enters the network at any point, they can maintain ongoing access. Once they have gained credentials of any kind, the system sees them as legitimate users. 
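As an added example (not part of the original article) of the pattern recognition described here, the code below separates the brute force and password spraying patterns listed earlier in a set of constructed logon events, and reports any successful logon that follows them from the same source. The log format, thresholds and function names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, username, outcome.
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-06-03T09:00:01 203.0.113.7 alice FAIL
2022-06-03T09:00:04 203.0.113.7 bob FAIL
2022-06-03T09:00:09 203.0.113.7 carol FAIL
2022-06-03T09:00:13 203.0.113.7 dave FAIL
2022-06-03T09:00:18 203.0.113.7 erin FAIL
2022-06-03T09:00:22 203.0.113.7 frank OK
2022-06-03T09:01:00 198.51.100.23 admin FAIL
2022-06-03T09:01:02 198.51.100.23 admin FAIL
2022-06-03T09:01:03 198.51.100.23 admin FAIL
2022-06-03T09:01:05 198.51.100.23 admin FAIL
2022-06-03T09:01:06 198.51.100.23 admin FAIL
2022-06-03T09:01:08 198.51.100.23 admin FAIL
2022-06-03T09:05:00 192.0.2.10 grace FAIL
2022-06-03T09:05:20 192.0.2.10 grace OK
"""


def parse(log):
    """Yield (time, source, user, succeeded) for each log line."""
    for line in log.splitlines():
        ts, src, user, outcome = line.split()
        yield datetime.fromisoformat(ts), src, user, outcome == "OK"


def detect(log, window=timedelta(minutes=10), spray_users=5, brute_fails=5):
    """Classify each source by its failed-logon pattern.

    Logs rarely record the password tried, so spraying is inferred from many
    accounts with very few failures each; brute force from many failures on
    one account. Simplification: the window starts at a source's first failure.
    """
    fails = defaultdict(lambda: defaultdict(int))  # source -> user -> failures
    first_fail = {}                                # source -> time of first failure
    wins = defaultdict(list)                       # source -> users logged on after failures
    for ts, src, user, ok in sorted(parse(log)):
        if ok:
            if src in first_fail:
                wins[src].append(user)
            continue
        first_fail.setdefault(src, ts)
        if ts - first_fail[src] <= window:
            fails[src][user] += 1
    findings = {}
    for src, per_user in fails.items():
        worst = max(per_user.values())
        if len(per_user) >= spray_users and worst <= 2:
            pattern = "password-spraying"
        elif worst >= brute_fails:
            pattern = "brute-force"
        else:
            continue  # e.g. one mistyped password followed by a normal logon
        findings[src] = {"pattern": pattern, "targeted": sorted(per_user),
                         "succeeded": sorted(wins[src])}
    return findings
```

An account listed under `succeeded` logged on from a source that had just been guessing; it should be treated as compromised even though the session itself looks legitimate.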

The average time to detect an attack is difficult to estimate because privilege escalation attacks may take weeks or even months. The time between when an intruder initially steals a credential and when they achieve their goal is called “dwell time.” With a long dwell time, intruders can gather information, obtain credentials and further escalate privileges. By the time attackers are ready to achieve their goal, they have usually covered their tracks (e.g., deleting logs, masking IP addresses and so on). 

Luckily for their targets, cybercriminals do sometimes make mistakes, rendering themselves traceable or even falling into traps. But very few — not even half of one percent, according to a report from Third Way — are ever arrested. Organizations must be prepared not only to detect but to neutralize threats, and acting with all possible speed is paramount. 

Examples of Privilege Escalation Attacks

Privilege escalation attacks commonly involve infecting a network or application with malware, a broad category that includes the following:

  • Worms: Self-contained programs that replicate themselves and spread copies to other computers.
  • Rootkits: Collections of software designed to give actors control of a network or application. Once activated, they set up a backdoor to deliver additional malware and may remain for years because they are hard to detect.
  • Trojans: Malware disguised as legitimate software, designed to trick users through social engineering techniques such as phishing or bait websites.
  • Fileless malware: Unlike traditional malware, this does not require an attacker to install malicious code on a target’s system, making it hard to detect.
  • Spyware: Surveillance software that collects information about users’ web activity without their knowledge or consent. (Adware is a type of spyware that watches a user’s online activity to determine which ads to show them.)
  • Keyloggers: Spyware that monitors user activity, typically installed through phishing. Once installed, keyloggers can steal passwords, user IDs, banking details and other information.
  • Scareware: Programs (usually pop-up warnings) that trick users into believing their computer is infected, persuading them to install fake antivirus software that is actually malware.
  • Ransomware: When an adversary encrypts a victim’s data and offers a decryption key in exchange for a payment. Attackers can launch these attacks through social engineering techniques or by using unpatched vulnerabilities and policy misconfigurations.

Learn More

In November 2021, the privilege escalation vulnerability Polkit was discovered in a Linux module. CrowdStrike’s Falcon Platform hunted Polkit to detect and prevent future attacks.

Importance of Preventing Privilege Escalation

Privilege escalation can be a step in virtually any cyberattack. Preventing it where it begins must be a top priority.

How Preventing Privilege Escalation Affects Application Security

Employees routinely need permission to access hundreds of applications, so organizations need secure identity management tools that reduce the need for multiple authentications. Single sign-on (SSO) services, such as Active Directory Federation Service (ADFS), allow people to use a single set of credentials across multiple internal and external systems. This saves time and stress, improving both efficiency and user experience by allowing seamless movement between applications.

The downside is that attackers with a single set of credentials can also move seamlessly around a network. And the consequences of privilege escalation can be grave for users, customers and businesses — and even cloud security. First and foremost, attacks can be expensive, but beyond that, losing control of confidential information or critical systems can also affect a firm’s integrity and reputation.

According to a 2021 study by IBM, the average cyberattack in the U.S. cost companies $9.05 million USD (roughly double the global average of $4.24 million USD). In 2017 Target agreed to pay $18.5 million USD following a high-profile cybersecurity breach. Attackers had exploited weaknesses in Target’s system by using credentials stolen from a third-party vendor. After gaining access to a customer service database, they installed malware to capture contact information, credit card numbers and other private data.

Privilege escalation can also affect small organizations with insufficient budgets and cybersecurity measures. Educational institutions are frequent targets. Illinois’s Lincoln College was forced to close in 2022 after a ransomware attack that halted critical operations when the college was already struggling. No one is immune to victimization by cyberattacks, not even national governments, so everyone must be on guard.

How to Protect Your Systems from Privilege Escalation

Cyberattacks are a global phenomenon. According to the World Economic Forum, “These risks cannot be addressed by organizations acting alone. Policy interventions are required that encourage collaboration and accountability on the part of both businesses and governments.”

Nevertheless, everyone has a role to play in the cybersecurity ecosystem. A successful prevention strategy requires understanding common escalation techniques and having appropriate controls in place to thwart them.

Controls to Put in Place to Prevent Privilege Escalation Attacks

Mitigating the risks of credential theft requires layers of safeguards. Technical controls, such as encryption, firewalls, monitoring, antivirus and antimalware programs, address vulnerabilities in hardware and software. They also include security information and event management solutions to collect and analyze security events, plus intrusion detection and prevention systems that monitor and respond to suspicious events.

Administrative controls, such as policies, procedures, training and best practices, focus on people and address social engineering techniques. Physical controls deter or prevent unauthorized physical access to sensitive material. These range from surveillance cameras and security guards to biometric IDs. Even a locked door can help guard against credential theft.

Techniques to Use to Protect against Privilege Escalation

Because so many breaches begin with phishing, social and cultural prevention techniques are essential. Network members are often the first point of attack and therefore also the first line of defense. Fear, however, is ineffective motivation. Organizations must instead empower employees with training, reminders and a sense of shared responsibility.

Good individual IT hygiene includes the following elements:

  • Creating strong passwords and protecting them from theft
  • Connecting to the network through secure Wi-Fi
  • Being on alert for unsolicited emails or texts with suspicious links
  • Alerting IT about suspicious activity or accidental breaches

Systemwide hygiene is also crucial. Many institutions continue to rely on traditional security measures that today’s sophisticated attackers easily bypass. Solutions include the following:

  • Strong password and credential management practices
  • Proper cookie handling
  • Monitoring systems in real time and keeping up with the latest threat intelligence
  • Proactive and ongoing hunting for vulnerabilities and threats
  • Implementing robust identity protection programs for the full life cycle of accounts
  • Following the principle of least privilege and separating privilege into multiple components
  • Using a Zero Trust model of security, treating every device as untrusted until authenticated
  • Segmenting networks and applications to limit lateral movement
  • Privileged access management controls, with close monitoring of privileged sessions
  • Developing ransomware-proof offline backups for salvaging data

Organizational vigilance must go further to minimize exposure — predicting, investigating, proactively hunting and quickly responding to threats:

  • Eliminating outdated or unpatched systems and promptly installing patches
  • Using multifactor authentication and appropriate remote desktop protocols
  • Protecting against common types of malware
  • Monitoring the dark web for evidence of breaches
  • Ongoing penetration testing
  • Avoiding alert fatigue from security solutions that deliver too many false positives or alerts with no way to prioritize them
  • Conducting automated email URL filtering and attachment sandboxing

Tools and Software to Protect Your Systems from Privilege Escalation

Protecting systems from privilege escalation requires tools and software with capabilities such as these:

  • Identity protection for all users
  • Real-time visibility of all active users with endpoint detection and response (EDR) for malicious admin activity
  • Threat hunting, preferably 24-7, with the ability to track, validate and prioritize alerts
  • Threat intelligence about attackers and their tactics, strategies and objectives
  • Advanced malware search capabilities with actionable indicators of compromise
  • Next-generation antivirus protections

Key features of these tools should include easy setup and configuration, scalability and inexpensive cloud storage.

Because so many privilege escalation attacks are cloud-based, organizations need a cloud-native and cloud-scale system to stay ahead of cybercriminals. In addition to artificial intelligence and high-speed, smart-filtering technology, expert human analysts can proactively monitor environments and alert users to unusual activity. Internal security teams may need this supplementary assistance to fully protect their organizations from threats posed by privilege escalation attacks.

Stop Breaches and Drive Business

No organization wants to fall victim to privilege escalation, but most need help to stay ahead of today’s — and tomorrow’s — sophisticated adversaries. CrowdStrike has the experience, expertise and tools you need to strengthen organizational defenses and help keep your networks safe from would-be exploiters.

GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and has 20+ years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management and product marketing roles.