This article outlines the seven proven steps and procedures in the incident response lifecycle, explains how to improve incident response procedures, and reveals a few shortcuts and computer security hacks along the way.
The security incident response lifecycle includes the five phases of incident response, each of which are essential for minimizing breach damage and accelerating time to recovery.
A security incident response plan ensures that everyone knows exactly what to do throughout the incident response process. This article explains how these plans work, what they include, and how to create your own.
As attacks from the inside become more common, more destructive, and more difficult to stop, managing insider threats becomes a top priority.
Continuous security monitoring provides earlier threat detection and response, and improves visibility into current posture and risk management.
All small businesses need to take cybersecurity seriously. This article covers best practices for cybersecurity and tips for small businesses that any company should follow.
Shubham Khichi shares his expert insights into how LLMs are being exploited by adversaries and provides practical tips to secure AI.
In a recent discussion, two seasoned offensive security professionals, Shubham Khichi and Nathaniel Shere, shared their perspectives on the future of AI in penetration testing.
As the threat landscape continues to expand and cyber criminals leverage AI for malicious purposes, cybersecurity professionals must stay ahead of the curve by embracing AI technology.
Our team of IT security experts researched and analyzed the emerging threat landscape to bring forward the top 10 cyber security trends in 2024.
Continuous real-time surveillance will determine how you should map your attack surface and which security systems to implement for risk reduction across the attack surface.
There are 8 vulnerability management best practices including Conduct Asset Discovery And Inventory, Classify Assets And Assign Tasks…
In this article, we’ll discuss the rise of ransomware and it’s impact on small business, and the latest trends and research driving…
Privilege escalation attacks exploit weaknesses and security vulnerabilities with the goal of elevating access to a network, applications, and mission-critical systems.
There are two types of privilege escalation attacks including vertical and horizontal.
In this article, I’m going to discuss privilege escalation in-depth along with how it’s used to exploit different operating systems.
Next, I’ll show you 5 real-world examples of how a threat actor can elevate their permissions or gain access to an account with elevated permissions.
Lastly, I’ll share how your business can prevent these types of attacks from compromising your network.
Get a step ahead of your cybersecurity goals with our comprehensive templates.
Privilege escalation is an attack vector that many businesses face due to loss of focus on permission levels.
As a result, security controls are not sufficient to prevent a privilege escalation.
Privilege escalation attacks occur when a threat actor gains access to an employee’s account, bypasses the proper authorization channel, and successfully grants themselves access to data they are not supposed to have.
When deploying these attacks threat actors are typically attempting to exfiltrate data, disrupt business functions, or create backdoors.
All of these actions can have a major impact on business continuity and should be considered when drafting a business continuity plan.
When encountering a privilege escalation attack, how you respond is critical.
Here are a few questions to consider:
Not every attack will provide threat actors with full access to the targeted system.
In these cases, a privilege escalation is required to achieve the desired outcome. There are two types of privilege escalation attacks including vertical and horizontal.
Vertical privilege escalation occurs when an attacker gains access directly to an account with the intent to perform actions as that person.
This type of attack is easier to pull off since there is no desire to elevate permissions.
The goal here is to access an account to further spread an attack or access data the user has permission to.
Day in and day out I analyze numerous phishing emails that attempt to perform this attack.
Whether it’s a “bank”, “Amazon”, or any other countless number of e-commerce sites, the attack is the same.
Your account will be deactivated due to inactivity. Please click this link and login to keep your account active.
This is, however, one example of many cookie-cutter phishing templates seen in “the wild”.
Horizontal privilege escalation is a bit tricky to pull off as it requires the attacker to gain access to the account credentials as well as elevating the permissions.
This type of attack tends to require a deep understanding of the vulnerabilities that affect certain operating systems or the use of hacking tools.
Phishing campaigns have been used to perform the first part of the attack to gain access to the account.
When it comes to elevating permissions, the attacker has a few options to choose from.
One option is to exploit vulnerabilities in the operating system to gain system or root-level access.
The next option would be to use hacking tools, like Metasploit, to make the job a bit easier.
Now that you have a better understanding of what a privilege escalation attack is, I’m going to show you 5 real-world examples including:
When attempting a privilege escalation attack on Windows, I like to start with a “sticky key” attack.
This attack is fairly easy to perform and does not require any sort of advanced skillset to pull it off.
To perform this attack you will need physical access to the machine and the ability to boot to a repair disk.
Once booted, you will have to change the system file associated with the sticky key function (tapping the shift key 5 times).
From a command prompt, you will make a copy of the <sethc.exe> file located at %systemroot%\system32.
Next, all you have to do is copy the <cmd.exe> to %systemroot%\system32 with the file name <sethc.exe>.
After the command prompt’s executable has been saved to the correct location, reboot.
Once at the logon screen, tap the shift key 5 times to activate “sticky keys” and you should be presented with a command prompt with system level access.
From this level of access, an attacker can create a backdoor in to the system by creating a local administrator account.
Another common method of privilege escalation in windows is through the use of the Sysinternals tool suite.
After an attacker gains a backdoor into the system using the “Sticky Keys” method, they can further escalate their privileges to system access.
This attack method requires the use of the Psexec command as well as local administrative rights to the machine.
After logging in with the backdoor account, which in my case is “fakeadmin”, I simply use the psexec.exe tool to escalate my permissions to system access.
This is done by using the command “psexec.exe –s cmd”.
Working against weak processes is another method that I use for privilege escalation.
One tool that I have seen used in penetration testing is Process Injector.
This tool has the capability to enumerate all running processes on a system as well as the account running the process.
In order to pull this attack off, you will need access to an account with higher permission levels.
After you identify the process you want to inject into, for example, cmd.exe, run a command like pinjector.exe –p <PID of the account you want to mimick permissions from> cmd.exe <port>.
A basic privilege escalation attack that is common in Linux is conducted through enumerating the user accounts on the machine.
This attack requires the attacker to access the shell of the system. This is commonly done through misconfigured ftp servers.
Once the attacker has gained access to the shell, the command “cat /etc/passwd | cut –d: -f1” will list all users on the machine.
Metasploit is a well-known tool to most hackers and contains a library of known exploits.
In the case of Android devices, Metasploit can be used against rooted Android devices.
Once an Android device is rooted a SU binary becomes available which allows commands to be ran as root.
The example below shows how this exploit can be ran to run “show options” and “show advanced” as root.
Unfortunately, users are the weakest link in the security chain. With just a single click, they could compromise a system or network.
To mitigate this risk, businesses implement security awareness programs along with a methodology for validating the effectiveness of the training.
In most cases, phishing simulation software, like KnowBe4, GoPhish, or Phishme can adequately train users to identify phishing email attempts.
Privilege escalation, like other cyber attacks, takes advantage of system and process vulnerabilities.
In order to prevent these attacks, consider implementing proper processes for patch management, new software development/implementation, and user account modification requests as well as an automated tool to monitor for such changes.
Implementing these process will give you the proper safeguards in place to prevent or deter and attacker from attempting privilege escalation.
Finally, an intrusion detection system (IDS) and/or intrusion prevention system (IPS) provide an additional layer of security to derail attempts at escalating privileges.
New exploits are being created daily and it is our responsibility to ensure we protect ourselves from the attack.
A proper patch management process will help ensure all systems and applications are current with the latest patches.
During the quest for new and improved software, we must not forget to include security in the process.
Oftentimes, security is set aside to meet the business or client needs.
Software code reviews or vendor management processes will help keep security in the loop and strengthen your development practices.
During the attack, the attacker may try to elevate their permissions with a phone call or service ticket request to the helpdesk.
Without a proper process in place to validate the user’s request, this may go unnoticed until an access level review is conducted.
In the event, you find yourself faced with this type of attack, it is important to isolate the incident first.
If you have detected the account that was compromised, change the password and disable the account.
Check the system and disable any abnormal accounts and reset all user account passwords that have been associated with that machine.
Article by
Web application penetration tests are performed primarily to maintain secure software code development throughout its lifecycle.
