An attacker can escalate privileges in a domain in many ways, and learning how those ways work is half the battle in narrowing your attack surface. In this post we discuss five ways a non-privileged user (from now on simply 'user') can take ownership of your network, and how to protect yourself.
We also assume that the attacker already has access either to a domain-joined computer or to the network.
1. Escalating to the SYSTEM Account
Escalating to the local SYSTEM account on the computer is in many cases the first thing an attacker does. There is a wide variety of techniques for it; two of the most common are summarized below.
Of course, if the user is already a local administrator on the computer, half of the attacker's work is done. The following controls raise the bar for this whole step:
- Create a solid first line of defense with AppLocker.
- Implement solutions such as ATP.
- Train users in the "think first, click later" mentality (even though some may do it the other way around).
- Implement Credential Guard.
Bad permissions on executables / scripts run by a privileged account
This is one of the most common methods an attacker uses to escalate to SYSTEM. The attacker looks for scheduled tasks or services that run as a privileged account on that computer (SYSTEM, or a privileged domain user) and then checks whether the user has write permission to the EXEs, scripts and DLLs they load.
If so, the attacker replaces or modifies the EXE, script or DLL with something that gives them a back door as SYSTEM. Tools such as PowerUp find and abuse these misconfigurations automatically.
Mitigation Tip: Scan and check the file permissions of the executables, scripts and DLLs used by your services and scheduled tasks.
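The check above, as an added example (this is not code from the original post, nor PowerUp's own code): it walks every service and scheduled task, recovers the program it runs, and reports any Allow ACE that gives a low-privileged principal write-type rights on that file or on the directory that holds it. The list of low-privileged principals and the choice of write rights are assumptions you should tune for your environment.

```powershell
# Added example, not code from the original post. Lists services and scheduled
# tasks whose executable (or the directory it lives in) can be written by
# low-privileged principals. Works as a normal user; Get-ScheduledTask needs
# Windows 8 / Server 2012 or later.

# Principals every normal domain user is a member of (assumption: extend with
# your own broad groups, e.g. "CORP\Domain Users", if you want to catch those).
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the holder replace or tamper with a file or directory.
# GENERIC_WRITE / GENERIC_ALL show up as raw bit values in ACEs, so add them explicitly.
$writeRights = [int]([System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions') -bor 0x40000000 -bor 0x10000000

function Get-ExecutablePath {
    # Recover the program from a command line: a quoted path, or the longest
    # prefix of an unquoted one that is an existing file (handles paths with spaces).
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if (-not $cmd) { return $null }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $cmd -split '\s+'
    for ($i = $tokens.Count; $i -ge 1; $i--) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue) { return $candidate }
    }
    return $tokens[0]
}

function Get-WeakAce {
    # Allow ACEs on $Path that grant write-type rights to a low-privileged principal.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $writeRights) -ne 0
    }
}

function Test-Target {
    # Emit one finding per weak ACE on the target's program or its directory.
    param([string]$Type, [string]$Name, [string]$RunsAs, [string]$CommandLine)
    $exe = Get-ExecutablePath $CommandLine
    if (-not $exe) { return }
    # A writable directory is enough to plant a DLL next to the binary.
    foreach ($p in @($exe, (Split-Path -Parent $exe))) {
        foreach ($ace in @(Get-WeakAce $p)) {
            [pscustomobject]@{
                Type      = $Type
                Name      = $Name
                RunsAs    = $RunsAs
                Path      = $p
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Services: Win32_Service exposes the command line (PathName) and the account (StartName).
$services = @(Get-CimInstance Win32_Service | ForEach-Object {
    Test-Target -Type Service -Name $_.Name -RunsAs $_.StartName -CommandLine $_.PathName
})
# Scheduled tasks: each Exec action carries the program separately from its arguments.
$tasks = @(Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            Test-Target -Type Task -Name $task.TaskName -RunsAs $task.Principal.UserId -CommandLine $action.Execute
        }
    }
})
$services + $tasks | Sort-Object Type, Name | Format-Table -AutoSize
```

Run it as an ordinary user on a representative workstation and server image; every row where RunsAs is SYSTEM, LocalSystem or a domain account is a SYSTEM (or better) shell waiting to happen, and the fix is to remove the offending ACE (icacls or Set-Acl) or move the program under Program Files. Note that a non-admin user will not see every scheduled task, and that an unquoted service path with spaces is a separate classic that this script only partially covers.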
Missing Security Patches
Since 2015, more than 100 CVEs have been published for Windows 10 that allow an attacker to escalate privileges on a computer. And don't forget to update the drivers! You already know that patching your systems is important, but a reminder never hurts.
2. Pass-The-Hash
Pass-The-Hash (PTH) is a technique attackers commonly use once they have local administrator or SYSTEM rights. PTH was first described in 1997, and it is not a bug that can be patched away: it is a consequence of the design of Windows NTLM authentication.
PTH does not give the attacker the password in clear text; it reuses the NTLM hash of a user's password to authenticate to other systems as that user.
The attacker can use tools such as Mimikatz to extract NTLM hashes from memory, which is only useful if a user with more privileges than the current one has logged on to that computer. But how does the attacker know that an administrator will log on to that computer? Easy: they break something on the machine and wait for support to log in.
Another important point is that Pass-The-Hash works for the local administrator account! If the built-in administrator account (RID 500) has the same password on every computer, which is still common, its hash can be used to own every other computer in the domain.
Mitigation Tip: Give every computer a unique local administrator password (LAPS does this for you), and keep the hashes out of reach in the first place: Credential Guard, and never log on to an untrusted workstation with a privileged account (see the tiering model under section 4).
3. The non-privileged user is not really non-privileged
This is also a common scenario: the user is privileged through some chain of relationships, but you don't know it (yet). The attacker can map the network and Active Directory with a tool called BloodHound to find attack paths that are otherwise extremely hard to discover.
BloodHound stores what it collects in a graph database (Neo4j) and uses graph theory to reveal hidden relationships between users, groups and computers. Most of its data collection can be done by a normal user, and it can even discover local admins and active sessions on remote computers.
It is not uncommon for an unprivileged user to hold rights in Active Directory (such as Change Password) over a user with more privileges, usually granted by accident or out of sheer laziness.
Mitigation Tip: Scan your environments regularly with BloodHound to discover unintended relationships.
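Between full BloodHound runs, the narrow version of that check for your Tier 0 accounts is small enough to script. Added example (not code from the original post and not BloodHound's collector): it reads the ACL of the Domain Admins group and of each of its members through the ActiveDirectory module and reports every Allow ACE that hands control to a principal outside an allow-list, naming the right the way BloodHound draws the edge (GenericAll, WriteDacl, WriteOwner, GenericWrite, ForceChangePassword, AddMember). The allow-list is an assumption to tune; the two schema GUIDs are the well-known ones for the User-Force-Change-Password extended right and the member attribute.

```powershell
# Added example, not code from the original post. Reports ACEs on Domain Admins
# (the group object and each member) that give control to principals outside an
# allow-list. Needs the RSAT ActiveDirectory module; reading these ACLs requires
# only a normal domain user, which is exactly why BloodHound can collect them.
Import-Module ActiveDirectory

$nb = (Get-ADDomain).NetBIOSName
# Principals expected to control Tier 0 objects (assumption: tune for your
# environment, e.g. add your Exchange or PAM groups after you have reviewed them).
$expectedControllers = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    "$nb\Domain Admins", "$nb\Enterprise Admins"
)
# Well-known schema GUIDs: User-Force-Change-Password extended right, and the
# "member" attribute (write access = add yourself to the group).
$forceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$memberAttribute     = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-ControlAce {
    # One object per ACE on $DistinguishedName that hands control to an unexpected principal.
    param([string]$DistinguishedName, [string]$Label)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expectedControllers -contains $ace.IdentityReference.Value) { continue }
        $rights   = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $allProps = $ace.ObjectType -eq [guid]::Empty   # right applies to every attribute / extended right
        $edges = @()
        foreach ($r in 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite') {
            if ($rights -contains $r) { $edges += $r }
        }
        if ($rights -contains 'WriteProperty' -and $allProps) { $edges += 'GenericWrite' }
        if ($rights -contains 'WriteProperty' -and $ace.ObjectType -eq $memberAttribute) { $edges += 'AddMember' }
        if ($rights -contains 'ExtendedRight' -and ($allProps -or $ace.ObjectType -eq $forceChangePassword)) {
            $edges += 'ForceChangePassword'
        }
        if ($edges) {
            [pscustomobject]@{
                Target    = $Label
                Principal = $ace.IdentityReference.Value
                Edges     = ($edges | Select-Object -Unique) -join ', '
                Inherited = $ace.IsInherited
            }
        }
    }
}

$group    = Get-ADGroup -Identity 'Domain Admins'
$findings = @(Get-ControlAce -DistinguishedName $group.DistinguishedName -Label $group.SamAccountName)
foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
    $findings += @(Get-ControlAce -DistinguishedName $m.DistinguishedName -Label $m.SamAccountName)
}
$findings | Sort-Object Target, Principal | Format-Table -AutoSize
```

Every row is a principal that can take over a Domain Admin without being one; if that principal is itself reachable by ordinary users (a large group, a help-desk account, a service account with a weak password), you have just found the path BloodHound would have drawn. Extend the member list to Enterprise Admins, Administrators and Account Operators and run it from a scheduled job, diffing against the previous output, so that a permission granted "temporarily" shows up the day it is added.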
4. Attacking the Administrator
Administrators are more visible than other users, and it is not uncommon for them to be targeted directly during an attack. An attacker who gets into an administrator's everyday, non-privileged account usually has no problem finding passwords and escalating from there.
- Watch for spear phishing attempts.
- Implement Microsoft's tiering model (separate accounts and systems for domain, server and workstation administration).
- Implement MFA or Smartcard login for all administrator accounts.
5. Vulnerability Scanning
If the attacker cannot escalate privileges with the previous methods, he starts scanning for vulnerable software on your network. This is usually done with tools such as Striker or Metasploit, and it is effective in environments where patching is inconsistent or systems are no longer supported.
- Have a patch routine for all your systems, not just the operating system.
- Decommission or segment legacy systems.
Security can be difficult, but it gets a lot easier once you know how these attacks work. Think of an attack as a chain of steps, and remember that everything in your network is interconnected.
With a few mitigation techniques you can become quite resistant to attackers, but never immune. Most attackers run a business: if they find you too difficult or time-consuming to target, they pick an easier one.
The goal should be to keep the attacker's ROI (return on investment) as low as possible, and to make climbing through your network as hard as you can.