An attack vector is a technique by which a threat actor, hacker, or attacker gains access to a system, application, or resource to perform malicious activity. This can include everything from installing malware, altering files or data, or even some form of persistent reconnaissance. Privileged escalation attack vectors arguably represent the worst of all cyber threats because the attacker can become the administrator and owner of all the information technology resources within your company. And with this power, all your data, assets, applications, and resources potentially can fall under some form of foreign control. Now that we understand the techniques for privileged attacks, let’s explore the most common methods privileges and credentials are compromised and hence, stolen and leveraged for escalation. Password Hacking: A threat actor can crack or steal a password using several techniques. These attacks can lead to administrator privileges if the account has been granted these rights. This represents another reason to limit the number of administrator accounts in an environment and enforce least privilege. If the account is an administrator, the threat actor can easily circumvent other security controls, achieve lateral movement, and opportunistically attempt to crack other privileged account passwords. As a point of reference, password hacking is different from password exposure, such as shared passwords and the insecure documentation of passwords. Password hacking involves attackers attempting to crack or determine a password using a variety of programmatic techniques and automation using specialized tools. Password Guessing: One of the most popular techniques for password hacking is simply guessing the password. A random guess is rarely successful unless it is a common password or based on a dictionary word. Flat-out guessing is somewhat of an art but knowing information about the target identity enhances the likelihood of a successful guess. Relevant information can be gathered via social media, direct interaction, deceptive conversation, or even data gleaned and merged or aggregated from prior breaches. Password guessing attacks also tend to leave evidence in event logs and result in auto-locking of an account after “n” attempts. In addition, if the account holder reuses passwords between resources, then the risks of password guessing, and lateral movement dramatically increase. Imagine a person who uses only one or two base passwords everywhere—for all their digital presence and privileged accounts. Unfortunately, this happens all the time! Shoulder Surfing enables a threat actor to gain knowledge of credentials through observation. This includes observing passwords, pins, and swipe patterns as they are entered, as well as passwords scribbled on a sticky note. The shoulder surfing concept is simple, yet ancient. A threat actor watches physically, or with the aid of an electronic device like a camera, for passwords and later reuses them for an attack. Therefore, we should all be mindful of shielding the entry of our ATM PIN. Dictionary Attacks are an automated technique (unlike password hacking or guessing) utilizing a list of passwords against a valid account to reveal the password. The list itself is a dictionary of words. Basic password crackers use these lists of common single words like “baseball” to crack a password, hack an account, and reveal the complete credential used for authentication. If the threat actor knows the resource they are trying to compromise, like password length and complexity requirements, they can customize the dictionary to more efficiently target the resource. Therefore, more advanced programs often use a dictionary on top of mixing in numbers or common symbols at the beginning or end of the attempt to mimic a real-world password with complexity requirements. An effective dictionary attack tool lets a threat actor do the following:
A weakness of dictionary attacks is they rely on real words and derivations supplied by the user of the default dictionary. If the real password is fictitious, uses multiple languages, or uses more than one word or phrase, it will thwart a dictionary attack. The most common methods to mitigate the threats of a dictionary attack are account lockout attempts and password complexity policies. Lock-out protections mean after “n” times of wrong attempts, a user’s account is automatically locked in a period of time, manually unlocked by an authority (i.e., the help desk), or via an automated password reset solution. However, in many environments, especially for nonhuman accounts, account lockout attempts can hamper business runtime. Therefore, many disable this security setting. Consequently, if logon failures are not being monitored in event logs, a dictionary attack is an effective attack vector for a threat actor. This is especially true if privileged accounts do not have this setting enabled as a mitigation strategy. And remember, a dictionary attack can include the most common words altered using simple password complexity tricks like changing “a” to “@” or “o” to “0”. Therefore, complexity alone is not the best solution. Rainbow Table Attacks are a subset of dictionary attacks. If the attacker knows the password-hashing algorithm used to encrypt passwords for a resource, rainbow tables can allow them to reverse engineer those hashes into the actual passwords. The hacker has dictionary hashes to map back to the original password. Modern breaches have exposed vast troves of password hashes, but without a basis in the encryption algorithm, rainbow tables and similar techniques are nearly useless without some form of seed information. Brute Force Password Attacks are the least efficient method for trying to hack a password, so are generally used as a last resort. Brute force password attacks utilize a programmatic method to try all the possible combinations for a password. This method is efficient for passwords that are short in string (character) length and complexity but can become infeasible—even for the fastest modern systems—with a password of eight characters or more. If a password only has alphabetical characters, all in capitals or all in lowercase (not mixed), it will take 8,031,810,176 guesses. You have a better chance of winning the lottery! This estimation also assumes the threat attacker knows the length of the password and complexity requirements. Other factors include numbers, case sensitivity, and special characters in the localized language. While a brute force attack with the proper parameters will eventually find the password, the time and computing power required may render the brute force test itself a moot point by the time it is done. And the time it takes to perform the attacks is not only based on the speed required to generate all the possible password permutations, but also the challenge and response time of a failure on the target system. The response lag time is what really matters when trying to brute force a password. Pass-the-Hash (PtH) is a hacking technique allowing an attacker to authenticate to a resource by using the underlying NT LAN Manager (NTLM) hash of a user’s password, in lieu of using the account’s actual human-readable password. After a threat actor obtains a valid username and hash for the password using a variety of techniques, like scraping a system’s active memory, they can use the credentials to authenticate to a remote server or service using LM or NTLM authentication. PtH attacks exploit an implementation weakness in the authentication protocol, where the password hash remains static for every session until the password itself is changed. You can perform a PtH against almost any server or service accepting LM or NTLM authentication, regardless of whether the resource is using Windows, Unix, Linux, or another operating system. Unfortunately, modern malware can contain techniques to scrape memory for hashes, making any active running user, application, service, or process a potential target. Once you obtain the hash, command and control or other automation allows for additional lateral movement (horizontal) or data exfiltration. Modern systems can defend against pass-the-hash attacks in a variety of ways. However, changing the password frequently (after every interactive session) is a good defense to keep the hash different between the sessions. Password management solutions with frequently rotating passwords or customize the security token are good defenses against this technique. Security Questions: Financial institutions and merchants use security questions to verify a user against their account. The concept is to ask them questions challenging them to respond to private and personal information only the end user should know. Many organizations require a user to answer this question when they set up a new account. These question-answer pairs serve as a form of two-factor authentication to verify a user’s identification in the case of a forgotten password. The end user is prompted to respond to security questions when logging on from a new resource, when they select “forgot password”, or even when they change their password to improve the confidence of their identity. Some common security questions include:
However, the security questions themselves present potentially far-reaching risks. Think about these scenarios:
The relationship is clear. The more places and people that know the answers to your security questions, the more likely they can be answered by someone else. In addition, if the information is public, then it is not a legitimate security question at all. When a resource request you complete and use security questions, my recommendation is to use the most obscure questions no one besides yourself may know the answers to. Moreover, be careful to never share information online similar to another site that uses the same security questions. Credential Stuffing: Credential stuffing is a type of automated hacking technique using stolen credentials comprised of lists of usernames (or email addresses) and the corresponding passwords to gain unauthorized access to a system or resource. The technique generally involves automation to submit login requests against an application and to capture successful login attempts for future exploitation. Credential stuffing attacks do not attempt to brute force or guess any passwords. In these attacks, the threat actor automates authentication based on previously discovered credentials. The result can be millions of attempts to determine where a user potentially reused their credentials on another website or application. Credential stuffing attacks prey on password reuse and are only effective because so many users reuse the same credential combinations across multiple sites. Password Spraying: Password spraying is a credential-based attack that tries to access a multitude of accounts by using a few common passwords. This is conceptually the opposite of a brute force password attack. During a password-spray attack, the threat actor attempts a single, commonly used password (such as “12345678” or “Passw0rd”) against many accounts before moving on to attempt a second password. Essentially, the threat actor tries every user account in their list with the same password before resetting the list and trying the next password. This technique minimizes the risk of the threat actor being caught, avoids account lockouts, and evades hacking detection on a single account due to the time between attempts. Password Changes and Resets: How often do you change your passwords? Every 30 or 90 days when prompted to at work? How about at home? How often do you rotate passwords for your banking, e-commerce, streaming, or social media accounts? Probably not often, if ever, and surprisingly, that might be okay! Without a password manager, keeping all of one’s passwords unique and complex is a daunting task—even for the most seasoned security professional. Unfortunately, there is a common risk in resetting (not to be confused with changing) passwords that makes them targets for threat actors. Resetting a password is the act of a forced password change by someone else—not a change initiated by the password user. Risks associated with password resets include:
Anytime a password is reset, there is an implicit acknowledgment that the old password is at risk and needs to be changed. Perhaps it was forgotten, expired, or triggered a lockout due to numerous failed attempts. The reset, transmission, and storage of the new password are a risk until the password is changed again by the end user. When an identity has been compromised, a threat actor may request a password reset. The attacker then creates their own credentials for the account. Anytime a user requests a password reset, the following best practices should be implemented:
While changing passwords frequently remains a security best practice for privileged accounts, resetting passwords and transmitting them through unsecure mediums is not. For the individual, a simple password reset can be the difference between a threat actor trying to own your account and a legitimate reason. Access Token manipulation provides adversaries with a vehicle to modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. The Microsoft Windows operating system uses access tokens to determine the runtime ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to a user other than the one who started the process. If this occurs, the process also takes on the security attributes associated with the new token. The Windows API allows for a threat actor to copy access tokens from existing processes. This is called token stealing. Applying stolen tokens to an existing process or used to spawn a new process and are analogous to theft or impersonation in the real world. Fortunately, a threat actor needs to be an administrator to steal a token. However, threat actors commonly use token theft to elevate the processes of their profile from the administrator to operating as SYSTEM. In addition, a stolen token can be used for lateral movement to authenticate to a remote system if the account for that token can authenticate as a valid user on the remote system. As an example, any standard user can use the “RunAs” command via the user interface or command line, and the Windows API functions, to create an impersonation token. Actual administrator access to an account is not a requirement. Therefore, this provides a method for a privileged attack if a threat actor has local access to a host. UAC (User Account Control) bypass techniques provide a vehicle for threat actors to bypass UAC security controls to elevate running process privileges on a system. Windows UAC functionality allows a program to elevate its privileges to perform a task after prompting the user to accept the changes to its runtime permissions. The user has a choice to select these options based on a UAC prompt:
Depending on the UAC protection level set on the computer (only high is immune), certain Windows applications can elevate privileges or execute some operating system functions, like COM, without prompting the user. A threat actor could bypass UAC controls if the protection level is set lower than “high” for application compatibility or for usability. Malicious software may also be injected into a trusted process to gain elevated privileges—without prompting a user—making this privileged attack vector a prime choice for exploitation. Identity Enumeration attacks, including those exploiting sudo, occur when a threat actor can apply techniques like brute-force to either guess or confirm valid users are available for authentication to a resource. User enumeration is often associated with web-based applications, although it can also be found in any application requiring a traditional user and credential-based authentication. Two of the most common areas where user enumeration occurs are:
Essentially, the threat actor is looking for the server's response based on the validity of submitted credentials to determine if the account they tried is valid. This is a common response mechanism for many applications. When the user enters a valid username and invalid password, the server returns a response saying the password is incorrect. If the threat actor enters an invalid username, regardless of the password, typical applications respond with no account found. Consequently, a threat actor can determine if their hacking attempt is using a valid account and incorrect password, or if the account they are trying will never authenticate. Based on automation and brute force checks, they can enumerate valid accounts for a resource and attempt future privileged attacks based on common passwords, reused passwords, or others gleaned from previous attacks. Finally, if the threat actor can determine the naming pattern for a company (i.e., first initial last name), then building a list for enumeration and future attacks becomes much easier. Malware is any piece of computer software (including firmware, microcode, etc.) written with the intent of damaging devices, stealing data, and, generally, causing a resource to behave in ways not in accordance with its intended design. There are eight different types and sources for malware, any of which can be used for privilege escalation attacks:
|