Privilege Escalation: Definition, Types, How It Works, and Protection

Privilege escalation is a type of network attack used to obtain unauthorized access to systems within an organization's security perimeter, or to its sensitive systems. It is a common way for attackers to turn a limited initial foothold into access they were never granted.


Attackers start by finding weak points in an organization’s defenses and gaining access to a system. In many cases, the first point of penetration will not grant attackers the level of access or data they need, so they attempt privilege escalation to gain more permissions or to reach additional, more sensitive systems.

In some cases, attackers attempting privilege escalation find the “doors are wide open” – inadequate security controls or failure to follow the principle of least privilege, with users having more privileges than they actually need. In other cases, attackers exploit software vulnerabilities or use specific techniques to overcome an operating system’s permissions mechanism.

Types of privilege escalation

In general, attackers exploit privilege escalation vulnerabilities in the initial attack phase to override the limitations of their initial user account in a system or application. There are two main types of privilege escalation: horizontal privilege escalation to access the functionality and data of a different user and vertical privilege escalation to obtain elevated privileges, typically of a system administrator or other power user.

  • Horizontal privilege escalation involves gaining access to the rights of another account—human or machine—with similar privileges. This action is referred to as “account takeover”. Typically, this involves lower-level accounts (e.g. standard users), which may lack proper protection. With each new account compromised horizontally, an attacker broadens their sphere of access at the same privilege level.
  • Vertical privilege escalation, also known as a privilege elevation attack, involves an increase in privileges or privileged access beyond what a user, application, or other asset already has. This means moving from a low level of privileged access to a higher one. Achieving vertical privilege escalation may require the attacker to perform a number of intermediary steps (e.g. executing a buffer overflow) to bypass or override privilege controls, to exploit flaws in software, firmware, or the kernel, or to obtain privileged credentials for other applications or the operating system itself. In 2020, elevation of privilege vulnerabilities comprised 44% of all Microsoft vulnerabilities, according to the Microsoft Vulnerabilities Report 2021.

How does Privilege Escalation Work?

Every local interactive session or remote access session represents some form of privileged access. This encompasses everything from guest privileges that allow local logon only, to administrator or root privileges for a remote session and potentially complete system control. Therefore, every account that can interact with a system has some privileges assigned.

A standard user rarely possesses rights to a database, sensitive files, or anything of value. So how does a threat actor navigate an environment and gain administrator or root privileges to use as an attack vector? There are five primary methods:

  1. Credential exploitation
  2. Vulnerabilities and exploits
  3. Misconfigurations
  4. Malware
  5. Social engineering

Threat actors start infiltration by gaining a foothold within the environment. An attacker could gain this beachhead by leveraging missing security patches, social engineering, or any other method. Once the initial infiltration has succeeded, threat actors will typically perform surveillance and wait for the right opportunity to continue their mission.

Threat actors will customarily pursue the path of least resistance. If time permits, they will clean up their activities to remain undetected, whether this involves masking their source IP address or deleting logs using the credentials they have obtained. Any evidence of their presence is an indicator of compromise (IoC). Once an organization identifies an intrusion, it may monitor the intruder’s intentions and/or pause or terminate the access session.

Typically, the second step in the cyberattack chain involves privilege escalation to accounts with administrative, root, or higher privileged rights than the account initially compromised. Of course, it’s possible the initial compromise involved an administrative or root account. If this is the case, a threat actor is further along in their malicious plans and may already own an environment.

Why it is so dangerous

Privilege escalation is often one part of a multi-stage attack, allowing intruders to deploy a malicious payload or execute malicious code on the targeted system. This means that whenever you detect or suspect privilege escalation, you also need to look for signs of other malicious activity. But even without evidence of further attacks, any privilege escalation incident is an information security issue in itself, because someone could have gained unauthorized access to personal, confidential, or otherwise sensitive data. In many cases, this will have to be reported internally or to the relevant authorities to ensure compliance.

Worse still, it can be hard to distinguish between routine and malicious activity when trying to detect privilege escalation incidents. This is especially true for rogue users who have legitimate access yet perform malicious actions that compromise system or application security. However, if you can quickly detect successful or attempted privilege escalation, you have a good chance of stopping the intruders before they can establish a foothold to launch their main attack.

How to protect your systems from privilege escalation

Attackers can use many privilege escalation techniques to achieve their goals, but to attempt privilege escalation in the first place they usually need access to a less privileged user account. This means that regular user accounts are your first line of defense. Follow these best-practice tips to ensure strong access controls:

  • Enforce secure password policies for all users: This is the simplest way to improve security (after all, the majority of data breaches start with weak or compromised credentials), though also the hardest to apply in practice. Passwords need to be strong enough to resist guessing and brute-force attacks, but your access management choices shouldn’t impact user convenience and productivity.
  • Create specialized users and groups with the minimum necessary privileges and file access: Apply the principle of least privilege to mitigate the risk posed by any compromised user account, for regular users and administrator accounts alike. While it’s convenient to give administrators godlike privileges over all system resources, a single such account then provides attackers with a single point of access to the whole system or local network.
  • Educate users to detect social engineering attacks: People love to be helpful, so getting escalated privileges can be as simple as politely asking for login credentials while convincingly posing as IT helpdesk or a distant colleague in distress. Educating all users to be wary of social engineering attempts and phishing emails is vital for cybersecurity.

Applications can provide an entry point for any attack, so it’s vital to keep them secure:

  • Avoid common programming errors in your applications: Follow secure development practices to avoid common programming errors that are most often targeted by attackers, such as buffer overflows, code injection, and unvalidated user input.
  • Secure your databases and sanitize user inputs: Database systems make especially attractive targets, as many modern web applications and frameworks store all their data in databases – including configuration settings, login credentials, and user data. With just one successful attack, for example by SQL injection, attackers can gain access to all this information and use it for further attacks.

Not all privilege escalation attacks directly target user accounts. Administrator privileges can also be obtained by exploiting application and operating system bugs and configuration flaws. With careful systems management, you can minimize your attack surface:

  • Deploy security patches as soon as possible: Most attacks exploit well-known vulnerabilities, so by keeping your systems and applications patched and updated, you are severely limiting the attackers’ options.
  • Ensure correct permissions for all files and directories: As with user accounts, follow the principle of least privilege – if something doesn’t need to be writable or executable, keep it read-only, even if it means a little more work for administrators.
  • Close unnecessary ports and remove unused user accounts: Default system configurations often include unnecessary services running on open ports, and each one is a potential vulnerability. You should also remove or rename default and unused user accounts to avoid giving attackers (or rogue former employees) an easy start.
  • Remove or tightly restrict all file transfer functionality: Attackers usually need a way to download their exploit scripts, web shells, and other malicious code, so take a close look at all system tools and utilities that enable file transfers, such as FTP, TFTP, wget, curl and others. Remove the tools you don’t need and lock down the ones that remain, restricting their use to specific directories, users, and applications.
  • Change default credentials on all devices, including routers and printers: Changing the default login credentials is a crucial step that is often overlooked, especially for less obvious systems, such as printers, routers, and IoT devices. No matter how well you secure your operating systems and applications, just one router with a web interface and a default password of admin is enough to provide attackers with a foothold.
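The file-permission and file-transfer-tool advice above can be checked mechanically. The following audit script is an added example written for this article, not code from the original page: it walks a directory tree and reports world-writable files, world-writable directories that lack the sticky bit, setuid/setgid binaries, and copies of transfer utilities that every user can run. The `TRANSFER_TOOLS` list and the sample tree it builds are assumptions constructed here so the audit runs offline.

```python
import os, stat, tempfile
from pathlib import Path

# Transfer utilities the article suggests locking down (this list is an assumption).
TRANSFER_TOOLS = {"wget", "curl", "ftp", "tftp"}

def classify(path: Path) -> list:
    """Return findings for one path; an empty list means nothing risky."""
    mode = path.lstat().st_mode
    if stat.S_ISLNK(mode):
        return []  # permission bits on a symlink itself are not meaningful
    findings = []
    if stat.S_ISDIR(mode):
        # World-writable dir without the sticky bit: any user can delete or replace files others placed there.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append("world-writable dir without sticky bit")
        return findings
    if mode & stat.S_IWOTH:
        findings.append("world-writable file")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid binary")
    if path.name in TRANSFER_TOOLS and mode & stat.S_IXOTH:
        findings.append("file-transfer tool executable by everyone")
    return findings

def audit_tree(root) -> dict:
    """Walk root and return {relative path: findings} for risky paths only."""
    root = Path(root)
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath, name)
            if found := classify(p):
                results[str(p.relative_to(root))] = found
    return results

def build_sample_tree() -> str:
    """Create a constructed sample tree with deliberately weak permissions."""
    base = Path(tempfile.mkdtemp(prefix="privesc-audit-"))
    for d in ("bin", "dropbox", "tmp"):
        (base / d).mkdir()
    for f in ("bin/wget", "bin/passwd", "app.conf"):
        (base / f).write_text("sample\n")
    os.chmod(base / "bin" / "wget", 0o755)     # runnable by every user
    os.chmod(base / "bin" / "passwd", 0o4755)  # setuid bit set
    os.chmod(base / "app.conf", 0o666)         # anyone can edit the config
    os.chmod(base / "dropbox", 0o777)          # world-writable, no sticky bit
    os.chmod(base / "tmp", 0o1777)             # world-writable but sticky: fine
    return str(base)
```

Run `audit_tree("/")` (or a narrower tree such as `/usr/local`) on a real host to get the same report; the sticky-bit case shows why a plain "world-writable" check would wrongly flag `/tmp`.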