Privilege Escalation: How Hackers Get Elevated Permissions (Hacker Explains)

Speakers: Liam Cleary, Solution Architect, Protiviti; Jeff Melnick, Systems Engineer, Netwrix Corporation

Posted on 03-Dec-2018

Page 1: Hacker Explains Privilege Escalation: How Hackers Get ... · Hacker Explains Liam Cleary Solution Architect Protiviti Jeff Melnick Systems Engineer Netwrix Corporation. Elevation

Privilege Escalation: How Hackers Get Elevated Permissions

Hacker Explains

Liam Cleary, Solution Architect, Protiviti

Jeff Melnick, Systems Engineer, Netwrix Corporation

Page 2

Agenda

• Elevation

• Escalation

• Prevention

Page 3

Elevation

Page 4

Elevation

An elevation of privilege occurs when an application gains rights or privileges that should not be available to it.

Many elevation-of-privilege exploits are similar to the exploits used for other classes of threat.

Page 5

Escalation

Page 6

Escalation

Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network.

Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation.

Adversaries can enter a system with unprivileged access and must take advantage of a system weakness to obtain local administrator or SYSTEM/root level privileges.

Page 7

Elevation versus Escalation

Vertical Privilege Escalation

• aka. Privilege Elevation

• Lower Privilege Account(s)

• Bypassing User vs. Admin Controls

• E.g. Windows Services, Screensavers, Registry, Cross Zone Scripting, Shell Injection and even Jailbreaking

Horizontal Privilege Escalation

• Normal User

• Context Switching

• Limited form of Elevation

• E.g. Session ID reuse in cookies, Cross-site Scripting, Password Guessing, Session Hijacking and even Keystroke Logging

Page 8

Elevation/Escalation Approaches

• Windows Memory Injection

• Process Injection

• Access Token Manipulation

• Bypass User Account Control

• File System Permissions

• Web Shell

Page 9

Elevation: Process Hijacking

(Diagram actors: Client Workstation, Hacker)

• Retrieve Current Running Processes

• Inject into Selected Process

• Interrogate Environment for Running Processes

• Issue Commands as Hijacked Process

Page 10

Elevation: Impersonation

(Diagram actors: Client Workstation, Hacker)

• Retrieve Current User Tokens

• Impersonate Chosen User Token

• Interrogate Environment for User Tokens

• Issue Commands as Impersonated User
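The two slides above describe a process being hijacked and a user token being impersonated, both of which end with commands running in a context the attacker did not start with. The following detection logic is an added example written for this transcript, not code from the presenters or from Netwrix. It reads Windows Security event 4688 (process creation), whose SubjectUserName is the creating account and whose TargetUserName is populated when the new process runs under a different token, and Sysmon event 8 (CreateRemoteThread), whose SourceImage and TargetImage identify a thread started in another process. The field names are the real ones from those events; the sample events, the allow-lists and the privileged-account set are constructed for the example.

```python
"""
Detection logic for token impersonation and remote-thread process hijacking
(added example; not part of the presentation).

Impersonation: Security event 4688 records the creating account
(SubjectUserName) and, when the new process runs under a different token, the
account that token belongs to (TargetUserName).  A mismatch means a process
was started under someone else's token.

Process hijacking: Sysmon event 8 records which process created a thread inside
another process (SourceImage -> TargetImage).

Field names are the real event field names; sample events, allow-lists and the
privileged-account set are constructed for this example.
"""

PRIVILEGED_ACCOUNTS = {"SYSTEM", "Administrator"}            # constructed
# Parents that legitimately start processes under another user's token
# (the interactive logon flow); constructed allow-list.
TRUSTED_TOKEN_SWITCH_PARENTS = {
    r"C:\Windows\System32\winlogon.exe",
    r"C:\Windows\System32\services.exe",
}
# Processes that legitimately create threads in other processes; constructed.
TRUSTED_INJECTORS = {r"C:\Windows\System32\csrss.exe"}
TOKEN_FULL = "%%1937"   # TokenElevationType value for a fully elevated token


def check_process_creation(ev):
    """Return an alert for a 4688 event whose creator and token owner differ."""
    subject = ev.get("SubjectUserName", "")
    target = ev.get("TargetUserName", "-")   # "-" when no token change
    if target in ("-", "", subject):
        return None
    if ev.get("ParentProcessName") in TRUSTED_TOKEN_SWITCH_PARENTS:
        return None
    return {
        "rule": "process created under another account's token",
        "severity": "high" if target in PRIVILEGED_ACCOUNTS else "medium",
        "creator": subject,
        "runs_as": target,
        "process": ev.get("NewProcessName"),
        "parent": ev.get("ParentProcessName"),
        "elevated": ev.get("TokenElevationType") == TOKEN_FULL,
    }


def check_remote_thread(ev):
    """Return an alert for a Sysmon 8 event from an untrusted source process."""
    source = ev.get("SourceImage", "")
    target = ev.get("TargetImage", "")
    if source == target or source in TRUSTED_INJECTORS:
        return None
    return {
        "rule": "remote thread created in another process",
        "severity": "high",
        "source": source,
        "target": target,
        "start_address": ev.get("StartAddress"),
    }


def scan(events):
    """Run the matching check on each event and collect the alerts."""
    checks = {4688: check_process_creation, 8: check_remote_thread}
    alerts = []
    for ev in events:
        check = checks.get(ev.get("EventID"))
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "alice", "TargetUserName": "-",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "TokenElevationType": "%%1938"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM", "TargetUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\userinit.exe",
     "ParentProcessName": r"C:\Windows\System32\winlogon.exe",
     "TokenElevationType": "%%1938"},
    {"EventID": 4688, "SubjectUserName": "alice", "TargetUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Users\alice\Downloads\tool.exe",
     "TokenElevationType": "%%1937"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x7FF6A0001000"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x000001C0B2A40000"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The second sample event shows why the parent allow-list exists: the logon flow itself creates user processes from a SYSTEM context, so a bare "creator differs from token owner" rule fires on every interactive logon. The rules only flag events that the slides' two flows necessarily produce; what counts as a trusted parent or injector has to be tuned per environment.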

Page 11

Demo

Page 12

Prevention

Page 13

Prevention

• Patching

• Mandatory Access Controls

• Data Execution Protection

• Least Privilege

• Encryption

• Anti-Virus

Page 14

About Netwrix Auditor

A visibility platform for user behavior analysis and risk mitigation that enables control over changes, configurations, and access in hybrid IT environments. It provides security intelligence to identify security holes, detect anomalies in user behavior and investigate threat patterns in time to prevent real damage.

Netwrix Auditor

Page 15

Security Challenges Resolved by Netwrix Auditor

(Quadrant labels: PREDICT, DETECT, RESPOND, PREVENT)

PROBLEM: IT can’t assess security posture and determine which assets need the most protection.

SOLUTION: Proactively identify and mitigate IT security weak spots, and prioritize data protection efforts.

PROBLEM: Lack of actionable intelligence makes it hard to prevent policy violations and data breaches.

SOLUTION: Gain full control over user permissions. Lock down overexposed data, prevent data breaches and privilege abuse.

PROBLEM: Incidents go unnoticed. Noise and alert fatigue make it hard to discern real threats.

SOLUTION: Quickly identify real security threats with alerts on anomalous activity and details about high-risk user accounts.

PROBLEM: Forensics teams can’t analyze attacks to understand how they could have been stopped.

SOLUTION: Trace attacks step by step to learn from them and prevent similar incidents from happening again.

Page 16

Netwrix Auditor Benefits

Detect Data Security Threats, both On Premises and in the Cloud: Bridges the visibility gap by delivering security intelligence about critical changes, configurations and data access in hybrid IT environments and enabling identification of security holes and investigation of anomalous user behavior.

Pass Compliance Audits with Less Effort and Expense: Provides the evidence required to prove that your organization’s IT security program adheres to GDPR, PCI DSS, HIPAA, SOX, FISMA, NIST, GLBA, CJIS, FERPA, NERC CIP, ISO/IEC 27001, and other standards.

Increase the Productivity of Security and Operations Teams: Relieves IT departments of manual crawling through weeks of log data to get the information about who changed what, when and where a change was made, or who has access to what, and helps automate software inventory tasks.

Page 17

Demonstration

Netwrix Auditor

Page 18

Next Steps

Free Trial: setup in your own test environment

netwrix.com/freetrial

Virtual Appliance: get Netwrix Auditor up and running in minutes

netwrix.com/go/appliance

Test Drive: run a virtual POC in a Netwrix-hosted test lab

netwrix.com/testdrive

Live One-to-One Demo: product tour with Netwrix expert

netwrix.com/livedemo

Contact Sales to obtain more information

netwrix.com/contactsales

Upcoming and On-Demand Netwrix Webinars: join upcoming webinars or watch the recorded sessions

netwrix.com/webinars

netwrix.com/webinars#featured

Page 19

Questions?

Page 20

Thank you!

Liam Cleary, Solution Architect, Protiviti

Jeff Melnick, Systems Engineer, Netwrix Corporation