The Art of Privilege Escalation - How Hackers Become Admins

Thank you. It's a pleasure to be here and this is one of my favorite topics cuz it's, it's what I'm good at so that makes it easy for me to, you know, to, to go through. But I have a lot to cover. I've got some slides just to provide you a little bit of context, but I want to get quickly into the demo because that's the most interesting part of when you're doing and especially this is a light demo. I'm just hoping that my battery lasts for this because it's the virtual machines right now is sucking the death out of this thing. So I'm hoping it lasts for as long as we possibly can.

But I hope you find this interesting. I wanna take you a bit of insights into the hacking world and how attackers basically look at, you know, when they get one foot in the organizations, how they go run elevating to ultimately getting domain administrator or root accounts and and ultimately causing devastation to organizations. So one of the things that attackers want to go after is high privilege accounts. That's what they target.

And if you look at a lot of the actually major incidents, these data accounts that make the difference because they make a big difference because when an attacker gains access to a privileged account, it allows them to move around the network to discover the sensitive areas of the network and devices and applications and to cause as much devastation as possible. That's why they want these accounts. They might sit in your organizations with a standard account for months.

I've seen attacks where they've actually been in the organization for more than a year, just as a standard user waiting for the moment for an exploit of vulnerability, a you know, misconfigured system in order to jump to a privilege account when they have access to a privilege account, you're at the moment where it's hours before a disaster will help into your organization. So detecting this change is so significant and showing you the techniques will hopefully give you some glimpses of what things you can potentially do to prevent it from happening to your organizations.

And a lot of privilege accounts in the access and domain administrators. Unfortunately, since we're thinking about protecting the perimeter, a lot of those accounts unfortunately in the internal network remain protected with simple passwords. They might have, you know, pass raises, pins secret, you know, keys very seldom does organization protect the internal network and sensitive systems with additional security controls. Their focused at the perimeter focus at multifactor authentication for the VPN access. So the RDP access or the gateway, but one, an attacker begins access.

They're waiting for that moment in order to elevate and sometimes it's the difference between a simple password and devastation. So let me take you through some of the attack techniques and show you what attackers mindsets think about. So one of the, there's two levels of privilege escalation. One is that I've got a user, I've logged in, I've compromised the accountant and what I'm trying to do is take that accountant and add more privileges to the user.

They might just have maybe a local administrator, they might have standard user, they might have a par user account, they might have a specific application account, but I'm trying to add more privileges to that user and bring them up to a higher level. That's one level. Then you get into horizontal privilege escalation and this is where I'm looking for other users in the network where it might be misconfigured or you might have hashes that's left behind that I can abuse and then ultimately become that user as well. That's the most common technique is horizontal privilege escalation.

That's the one we see attackers using the most common the most often and it's something that we should be more, you know, looking into making sure we're detecting those types of activities as early as possible. Then we get into looking at the common attack path. Now the initial entry point that tends to vary between organization, it might be through phishing, social engineering, cross-site scripting. It might through be through a weak password, a compromise endpoint. It might be, you know, somebody's chosen weak password or reusing passwords. The initial entry point tends to vary.

One the against that initial access, they have one foot in the door and they're in your organization. They actually, next techniques are almost like a repeatable blueprint. They repeat and I see every time I get in an incident it's almost like, like they follow the same paths and the same tracks and it's almost so common that we should be actually better detecting it and looking for it. But that entry point tends a already.

But the rest things like controlling, living off the land, using your own tools, getting into creating back doors and persistence, looking for credential harvesting, all of those techniques, they are repeatable and they use mostly the same techniques to do this. So let's get into some of the most common types of accounts they're looking for. They wanna get the domain admin account. The domain admin account is the account that allows them to cause as much devastation as possible.

That's the account that gives them the ability to go and deploy the ransomware or the malware to as many systems as possible. This is where the most danger happens and this is where they're looking to ultimately get to the next type of account is domain service accounts. These tend to be mostly through misconfiguration. Whether you've left the service account as having interactive log on or whether it is a password that a consultant installed the application five years ago and used the same password in all installations.

This is a common area as well and we tend to be afraid who everyone's afraid to change service account passwords because it might break the application and attackers know that. So they will actually target those accounts and they'll allow to actually hide within your network and actually become hidden in those network communications.

The other account is a local ministry account and many organizations assume just because it says it's local, that it's local to the machine, but it's only two steps to go from local account to full domain and attackers know that and they will search your environment for local administer accounts because if they gain access, access to one account, one local admin account, I can guarantee it's only a matter of time before they get a full domain account.

So we had to get into that assumption that not it's no longer local, it's yes it can do administrative configurations to that machine, but it has the potential to easily jump from local account to a full domain account and we should treat those with high risk accounts and put the right security controls in place. Emergency break the glass accounts, those are the ones that we tend to go to for doing everything. Attackers love those accounts. They also look for the actual local service accounts, application accounts and then privileged data accounts.

These are the ones where it might be not privileged user in regards to the configurations and changes they can make. But they have access to sensitive data, they have access to information that allows them to then understand about ways to do things like financial fraud or invoice fraud or basically intellectual property theft or data theft. The ability to extract data from the organization and then potentially do ransomware from data ex extortion.

They will, you know, disclose the data publicly and want you to pay ransom to prevent that from happening. The common techniques now when we talk about Windows and Linux, the techniques tend to be very different. They are very different to operating systems and they are configured and and managed differently. So the Windows ex privilege escalation tends to be slightly different from that of Linux. I can only show one demonstration today because of time invitation. So I will focus a bit on the window side, but we can always later have discussions around the Linux side.

So some of the most common techniques is insecure service permissions when services are misconfigured, meaning that the attacker can replace a service and actually then the next time that servicer application reboots that, that basically application becomes the credential of whatever's running under and that's a common method. Encoded service paths is another major issue when you actually have the service path that actually doesn't have quotations around it and it's also misconfigured as well. Attackers can simply replace the actually the path location and change and escalate that way.

Also, weak registry permissions, changing the actually path to the service itself for the application insecure service executables, even weak passwords. Passwords being actually discovered locally in the machine. Overprivileged users, again the local administrator, if the service account manager's accessible, they can actually pull out the the service security account manager and then try to extract hashes from it and then brute force those hashes to get the clear tax password and then pass the high laws to move around basically without knowing the password.

And then insecure GOI apps and what's Vulnerables next place. These are the things, the techniques that we're looking for and they will go through each of those and try to identify in compromised systems and counts each of those areas to potentially find ways to become privileged domain administrators.

On Lennox, it slightly varies a bit. Yes, you have Colonel exploits, which are tend to be also common methods. So they might sit for a long period waiting for a vulnerability to appear to allow them to elevate. In the last couple of years we've had significant, we've had Printer nightmare, which is one that attackers love because it give them the ability to quickly elevate to administrator on systems and then of course we had Log for Shell and other types of vulnerabilities. So we're almost oversee these types of exploits.

Then you've got application vulnerabilities, also common area misconfigurations such as file formations and Linux abusive pseudo. That's one of the areas that attackers really are looking for is when configurations and Linux systems have pseudo misconfigured and they can, you know, it allows you to run an application as a super user, but they will find ways in order to break out of those shells and basically spawn another shell under the high privileges and then also set U I D and set G I D as well and permissions, chrome jobs and per passwords.

So rather than just going through and showing you this, I wanna get into the live demonstration. That's the more interesting part. So let's see if my machine's running and working. So what I've got here is I have basically my Kelly Lennox machine running and I've already at here I've done some BR password things. So I've cracked some passwords, I've run responder and been able to capture passwords. Cracking hashes. One of the most common areas here is also the initial access through things like brute force.

When you allow users to choose their own passwords, you're basically just inviting attackers into your organization. We should not allow users, the more we actually force 'em to use pass phrases, password managers and move passwords into the background, we reduce the risk significantly.

So it's really important to look for ways to reduce human interaction with passwords as much as possible moving into the background because when you have users choosing passwords, you ultimately allow the attackers to simply find ways to do brute force and ultimately find when a HU human chooses a password, I can guarantee that majority of them will be crackable. They will choose things as easy to remember, simple and short. When you get into password best practices, it's always length is the most important part.

I can't emphasize that the length of the password is more important than anything else. Then you get into some complexity and uniqueness. But length is important because when you get into cracking the password, when we create short passwords, it means the brute force and the capabilities is quite significant. So this is just a simple explanation of the brute force portion.

Now, when attacker gains that initial access, they're gonna be looking for ways to elevate privileges. So I'm just simulating that I've already got a initial access to a system. Now one of the things they'll start looking for is before they make any changes, they will basically, they will do an asset inventory off this system. They will actually do an inventory. They will actually go and look for the applied patches, what applications are installed in this machine, how the machine is configured.

They will go through and do a probably better inventory in this machine than you have ever done yourself. They will actually go through and they'll spend the time to understand every little aspect of configuration that it's ever done in this machine.

Over time, they will go through all the event logs, they will understand about your behavior, your changes, when you apply patches, when you don't, when you reboot the machine, when the application crash, they will try to understand as much as possible about this machine. So what they go through, one of the first things they'll like to do is they like to do a software inventory. And one of the things they'll find, sometimes they'll find applications running. They might find something that this employee has installed a remote mouse so they can do remote access to this machine.

So simply by saying these types of applications, the attacker can go and start using tools like Searchlight. So they can say, okay, I know there's some applications in this machine, so let's do a searchlight, let me increase that size a bit for you so you can see it better. So they'll do a search point for remote mouse and they'll see no one ex exploits some vulnerabilities for this application. And what they're really looking for, now I've got initial access, but I'm really looking for local privileged elevation.

I wanna take the user that I've got and I want to try and get the full system administrative rights on that machine. And you can already see here that there's a different couple, there's one here, there's a gooey version, 3.008 logo, privilege escalation. And the attacker can simply just go and take a look and see, well what does this, what does it need me to do? How? How do I do privilege escalation using this particular exploit?

So, oh, mouse X. Okay, so what it's now telling you, here's the person who actually created, documented the vulnerability and it will tell you the steps to reproduce it. And simply the hacker nine is they know that that software's running, they will check the version and then they'll simply go and say, well if I go to settings, change image transfer folder, save as, and then I will point it to the command prompt and that will take the user that I've got and bring me to administrator on that machine. So quite simple. So let's go and repeat it.

We can go and check right click, go to preferences, and I can see here the info, I can see basically the information, I can check the version number, it matches, go to settings, change, image transfer, go here, full demand admin or full local administrator on the system. So that's what attackers are looking for, they're looking for those types of path and they will actually do it very, very programmatically. The next thing they'll do, they might go and look for tools that can help them. Maybe they're not quite sure, maybe they want to do automation.

So another way of doing automation is simply I can take and download some automation tools. And there's tools such as Win peas. Win Peas is known as Windows Privilege escalation, awesome script. And there's other tools as well, which is known as things like Windows Exploit Suggester or Windows Exploit, suggester Next Generation, which you can take things like system information and actually run it through those scripts and it will tell you all the possible ways to elevate privileges on the system. So right now it's going through and it's checking every single area.

Now in real life the attackers won't run this, but they will do it manually. They will do each step because of course they don't wanna be detected running. This should create alarms. I would hope that if somebody ran this in your apartment, you'd have alarm bells going off. So if you want to test your security team and you want to test the response times and you have, you have permission as well. Don't run this without permission. You might wanna run it and then see what alarms go off.

And if alarms go off, maybe your security's working, but attackers know that they will check to see if it's gonna ring alarm bells. So therefore they'll go through this in a manual process. But what you can see here is everything that's highlighted in red is a potential way of elevating escalating privileges here on the system. So you can simply go up and you can find lots of possible ways, you'll see even non vulnerabilities it I can go up, you can see also local ports.

So maybe I have to do reverse port forwarding to try and see some of those applications will definitely show me some uncoated service paths. So you can see here, there's paths, potential all access. I can change uncoated in spaces detectives, so I can potentially basically abuse this path for Windows meal. So this is something detectives will go through and they'll look for all of the best methods. One of the goals of course is to stay stealthy. They don't wanna be detected.

So they'll always look for the path of least kinda alarms or you know, creating as least ripples in the water as possible. But these are some of the tools that they'll use in order to find ways to elevate. Now sometimes the users make it too easy for them. They will simply, and one of the things I love, I know this track is called security by design. I'm not a big fan of that term, okay, we need to get to, we need to get away from security by design because security by design doesn't necessarily mean it's being used.

Browser has security by design, but unfortunately doesn't have security by default. As I go and click on basically passwords by default, I can go and basically look at all the passwords that this user says and motor browsers love cookies and passwords. So simply I can I go and check and see maybe there's VPN connections, maybe there's access to SharePoint, maybe there's other credentials they've used. And now I can become more credentials and access more things in the organization.

So yes, security design is great, but we gotta get to security by default. We gotta get using it, turning it on and making it possible to protect and secure the systems. That's where we need to go to the next area is let's say, okay, I can check and see what, what access do I have in this system? And as I mentioned, one of the most dangerous areas is if you give users local administrator rights.

So, and we can see here that this organization has truly configured this rights. They've given the user local minister rights as accountant, they need to run a database and they can't do it without actually having administrator rights. So the organization said, in order to do a job, we'll give you local administrator rights, which many of you do. I don't know how many of your executive teams and how many of your developers have local admin rights. But we tend to say, well okay, it's local, could do no damage. But as a local administrator, what can they do?

They can change the configuration of this system and attackers know that. So one of the things they'll go and is they will basically go and run some automation scripts. They'll run this script here. This script will disable the security for about 30 minutes. So what I can now do is I've got 30 minutes to do malicious stuff, it will turn off all of the monitoring, all of the security, all defender, everything. And now I've got about a 30 minute window to do malicious activity. So now I know I've got 30 minutes, which I probably don't need that about the time cuz I'm really good.

I only need four. So I can now go and create backdoors. I can then create the persistence by doing sticky keys. I'll show you how sticky keys works once after I can create other users and I can also download malicious files and scripts and tools that allow me to carry out more malicious stuff, enable credentials. And then one of the things they'll do is they'll change the configuration, they'll run a clean script and then they'll go on vacation or they'll go and spend their cryptocurrency and nice luxury stuff like cars and stuff or whatever.

But they will go away and they'll come back maybe two weeks later and the hope that somebody has logged onto this machine with higher level credentials, because if they do neither, they've captured their credentials. And sometimes what they'll do is they'll cause some problems in this machine, maybe force the disk to run outta space or delete some files that the application won't run. And then who does the person call? This accountant's going, ah, the application's not starting. They call the help desk worker and the help desk worker comes in and logs on and they fix the problem.

And what is the help desk worker running under the main admin unfortunately for many organizations. So it's only a matter of time before they can now go and rerun this script as many times as possible after the hydro TrackX and literally eventually at some point after running this quite a few times, wherever it might be, they will find themselves with a luxury off. We have two minutes left, two minutes, okay, I'll do fast. I demand administer administrator.

So now basically they've been able to go from initial access to enumeration, to local administrator to full domain administrator and then it's only a matter of time, the next step that they'll do is to log onto your domain controller and your business is gone. Your business is too full stop because at that point they've now got all your data, all the access to your infrastructure and now they can deploy ransomware to as many systems as possible. So that's a quick walkthrough into privilege escalation in the art specifically for Windows. But what things can you do to reduce the risk?

Good education knowledge, me sharing you the techniques is one of the things. Getting into purple teaming, running some of those tools to find out do you have actually areas that attackers can elevate privileges, practicing the principle zero trust and least privilege, meaning that you're not using privileges all over the place, you're rotating credentials. So even if I was able to get that help desk worker's password in hash, that password be rotated after usage, reducing my wind of opportunity to a very narrow time that I can abuse it.

Another method using multifactor authentication internally using privilege access management to rotate and manage credentials and record sessions and activities, application control to prevent me from running bad stuff that should not be running in network and then good pathogen security practices at that point. I outta breath, it's all about reducing risk. It's all about making sure that we're helping organizations be successful and it's all about stopping attackers from getting the privileges, which allows them to cause bad things to organizations.

If you're interested more, I have a full white paper that has all the details plus more and I hope you download it and if you've got questions, if we have time, I don't know, but I hope this has been educational. Interesting. Exciting and doing a live demo was always stressful and I hope it has worked as you've seen. So thank you. Woo. Great. T-Mobile.