What is privilege escalation?

Authors

Gregg Lindemulder

Staff Writer

IBM Think

Matthew Kosinski

Staff Editor

IBM Think

Privilege escalation is a cyberattack technique where a threat actor alters or elevates their permissions in a target system, such as by moving from a lower-privilege basic user account to a higher-level administrator account. 

Account hijacking is one of the most common ways that hackers gain unauthorized access to target systems. According to the IBM X-Force Threat Intelligence Index, 30% of cyberattacks use stolen accounts to break into a system. Attackers usually target low-level accounts because they’re easier to hijack than well-protected admin accounts.

After an attacker gains initial entry, they can exploit vulnerabilities in the system and use techniques such as social engineering to elevate their permissions. Armed with higher privileges, attackers can more easily perform malicious activities such as stealing sensitive data, installing ransomware or disrupting systems. 


How privilege escalation works

Hackers conducting privilege escalation attacks begin by gaining access to a lower-level user or guest account. When inside the system, they exploit vulnerabilities and gaps in cybersecurity defenses to escalate their privileges.

Threat actors start with lower-level accounts because they’re easier to hijack. There are more low-level accounts than privileged user accounts, meaning the overall attack surface is larger. Low-level accounts also tend to have fewer security controls. Hackers take over these low-level accounts through techniques such as credential theft and phishing.

Low-level accounts give hackers a foot in the door, but once they’re in, they cannot do much. Organizations intentionally limit the permissions of these accounts so they cannot access sensitive data or interact with critical assets.

So attackers go looking for ways to gain privileged access from inside the system.

Broadly speaking, they have two ways to do this: They can either raise the privileges of the account they stole or hijack the account of a more privileged user, such as a system administrator. With privileged access, attackers can interface with applications, databases and other resources that might contain sensitive information.

Hackers can remain hidden in the system for long periods of time as they perform reconnaissance and search for opportunities to escalate their privileges. During this time, they might install backdoors that enable them to reenter the network if they are detected.

Types of privilege escalation

As hackers explore the network, they can move horizontally or vertically.

Horizontal privilege escalation

Also known as lateral movement, horizontal privilege escalation is when an attacker accesses an account with a similar level of permissions. Although they don’t gain new permissions, moving horizontally enables hackers to expand their reach to gather more intelligence and do more damage.

For example, a hacker might seize control of multiple user accounts in a banking web application. These accounts might not raise the attacker’s permissions in the system, but they do enable the attacker to access multiple users’ bank accounts. 

Vertical privilege escalation

Also known as privilege elevation, vertical privilege escalation is moving from lower privileges to higher privileges, often by shifting from a basic user account to an account with administrative privileges. 

Hackers can also execute vertical privilege escalation by exploiting system bugs and misconfigurations to raise the privileges of the account they already have.

For many attackers, the goal of vertical privilege escalation is to gain root privileges. A root account has virtually unlimited access to all programs, files and resources on a system. Hackers can use these privileges to change system settings, execute commands, install malware and take complete control over network assets.

Privilege escalation techniques

Typical privilege escalation attack vectors include:

  • Compromised credentials
  • Vulnerability exploitation
  • Misconfigurations
  • Malware
  • Social engineering
  • Operating system exploits

Compromised credentials

The use of stolen or compromised credentials is one of the most common privilege escalation techniques. It is also the simplest method for gaining unauthorized account access.

Hackers can obtain credentials through phishing, data breaches or brute-force attacks in which they try to guess the usernames and passwords of legitimate accounts.

Vulnerability exploitation

Hackers often leverage software vulnerabilities, such as unpatched defects or coding errors, to escalate account privileges.

One common technique is a buffer overflow attack. Here, the attacker sends more data to a block of memory than a program can handle. The program responds by overwriting adjacent memory blocks, which can alter how the program functions. Hackers can take advantage of this to inject malicious code into the program.

For privilege escalation purposes, attackers can use buffer overflow attacks to open remote shells that grant them as much privilege as the application under attack.

Misconfigurations 

Misconfigurations of permissions, services or operating system settings can give hackers many opportunities to bypass security measures.

For example, an incorrectly configured identity and access management (IAM) solution might give users more permissions than their accounts require. A sensitive database that is accidentally exposed to the public web would let hackers right in. 

Malware

Hackers can use their initial system access to drop malicious payloads that install backdoors, log keystrokes and spy on other users. Hackers then use the capabilities of the malware to harvest credentials and access administrative accounts.

Social engineering

Hackers use social engineering to manipulate people into sharing information that they shouldn’t share, downloading malware or visiting malicious websites.

Social engineering is a common technique in privilege escalation attacks. Attackers often gain initial access by using social engineering to steal low-level account credentials. When inside the network, hackers use social engineering to trick other users into sharing their credentials or granting access to sensitive assets.

For example, an attacker might use a hijacked employee account to send phishing emails to other employees. Because the phishing email comes from a legitimate email account, targets are more likely to fall for it.

Operating system exploits

Privilege escalation attackers often exploit the vulnerabilities of specific operating systems. Microsoft Windows and Linux are popular targets because of their widespread use and intricate permission structures.

Linux privilege escalation

Attackers often study the open source code of Linux to search for ways to carry out privilege escalation attacks.

One common target is the Linux program sudo, which administrators use to temporarily grant administrative rights to basic users. If an attacker hacks into a basic user account with sudo access, they also gain those rights. They can then use their elevated privileges to execute malicious commands.
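The defensive counterpart to the sudo risk described above is auditing which accounts hold broad sudo rights. The following is an added example, not code from the article or from the sudo project: a simplified parser for user-specification lines in a sudoers file that flags rules granting ALL commands or the NOPASSWD tag. The sample sudoers text is constructed for the example, and the parser ignores aliases, Defaults and comma-separated command lists, which a real audit tool would need to handle.

```python
import re

# Constructed sample sudoers content (not from any real system). It contains
# one over-broad group rule, one passwordless catch-all, and two rules that
# follow least privilege by naming specific commands.
SAMPLE_SUDOERS = """
# Comments and Defaults lines are ignored by the audit
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/sbin/logrotate /etc/logrotate.conf
alice   web01=(root) /usr/bin/systemctl restart nginx
"""

# user  host=(runas) [TAG:] commands  -- the common single-rule shape
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def audit_sudoers(text):
    """Return a list of (user_or_group, finding) tuples for rules that grant
    more than least privilege. root's own rule is expected and skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        who = m.group("who")
        tokens = m.group("cmds").split()
        tags = {t.rstrip(":") for t in tokens if t.endswith(":")}   # e.g. NOPASSWD
        commands = " ".join(t for t in tokens if not t.endswith(":"))
        if commands == "ALL":
            findings.append((who, "grants ALL commands; name the specific commands needed"))
        if "NOPASSWD" in tags:
            findings.append((who, "NOPASSWD lets a stolen session escalate without re-authentication"))
    return findings


if __name__ == "__main__":
    for who, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {finding}")
```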

Another technique is to use enumeration to access Linux usernames. Attackers first gain access to the shell of the Linux system, usually through a misconfigured FTP server. They then issue commands that list, or “enumerate,” all users in the system. With a list of usernames, the attackers can use brute force or other methods to take control of each account. 

Windows privilege escalation

Because Windows is widely used by businesses, it is a popular target for privilege escalation.

One common approach is to bypass Windows User Account Control (UAC). UAC determines whether a user runs with standard or administrative privileges. If UAC is not set to a high level of protection, attackers can issue certain commands to bypass it. The attackers can then act with administrative privileges.

Dynamic link library (DLL) hijacking is another Windows attack vector. A DLL is a library file that contains code shared by multiple programs and system components at the same time.

Attackers first place a malicious file with the same name in a directory that a program searches before the location of the legitimate DLL. When the program searches for the real DLL, it loads the attacker's file instead. The malicious file then executes code that helps the attacker escalate their privileges.

Preventing privilege escalation

A zero trust posture that assumes every user is a potential cyberthreat can help mitigate the risk of privilege escalation. Other common security controls for preventing and detecting privilege escalation include:

  • Strong passwords
  • Patch management
  • Principle of least privilege
  • Multifactor authentication (MFA)
  • Endpoint protection
  • User behavior analysis

Strong passwords

Strong passwords make it difficult for hackers to use brute force or similar methods to guess or crack account passwords. 

Patch management

Patch management is the process of applying vendor-issued updates to close security vulnerabilities and optimize the performance of software and devices.

Many examples of privilege escalation can easily be prevented by applying patches in a timely manner, closing vulnerabilities before attackers can exploit them. 

Principle of least privilege 

The principle of least privilege states that users should be provided with only the minimum access required for their roles. This approach helps organizations protect privileged accounts against identity-based attacks such as privilege escalation. It also reduces the number of privileged users and accounts by tightening access controls, so there are fewer opportunities for hackers to break in.

Multifactor authentication (MFA)

Multifactor authentication (MFA) is an identity verification method in which a user must supply at least two pieces of evidence to prove their identity.

Even if hackers are successful in stealing user credentials, this practice can help prevent privilege escalation by adding another layer of security. With MFA, stolen passwords alone do not provide access to protected accounts.

Endpoint protection

Endpoint security tools, such as endpoint detection and response (EDR) solutions, can help identify the early signs of a privilege escalation attack. When attackers take control of user accounts, they tend to behave differently from real users. EDRs and similar tools can detect anomalous activities on endpoints and flag them or intervene directly.

User behavior analysis

Analyzing user activity with tools such as user and entity behavior analytics (UEBA) can help organizations identify abnormal behavior that might indicate privilege escalation attempts. Unusually high volumes of user log-ons, log-ons that take place late at night, users accessing unexpected devices or applications or a surge in failed log-ons can all be signs of privilege escalation.
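The signals listed above can be turned into a simple detection. The following is an added example, not code from the article or from any UEBA product: it scores constructed log-on events against a per-user baseline of expected hosts, flagging off-hours log-ons, log-ons from hosts outside the baseline, a surge in failed log-ons and unusually high log-on volume. The thresholds, the baseline and the log format are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events: "<ISO timestamp> <user> <host> <success|failure>".
# bob's workstation account suddenly touches a production database at 2 a.m.
# and racks up failed attempts, the pattern the text describes.
SAMPLE_EVENTS = [
    "2024-05-01T09:02:11 alice ws-alice success",
    "2024-05-01T09:15:40 bob ws-bob success",
    "2024-05-01T02:13:05 bob db-prod-01 success",
] + [f"2024-05-01T02:{m:02d}:00 bob db-prod-01 failure" for m in range(20, 26)]

# Constructed baseline: which hosts each user normally logs on to.
BASELINE_HOSTS = {"alice": {"ws-alice"}, "bob": {"ws-bob"}}
NIGHT_HOURS = range(0, 6)       # assumed quiet hours for this organization
FAILED_THRESHOLD = 5            # failed log-ons per user before alerting
VOLUME_THRESHOLD = 20           # successful log-ons per user before alerting


def parse_event(line):
    ts, user, host, outcome = line.split()
    return datetime.fromisoformat(ts), user, host, outcome


def detect_anomalies(lines, baseline=BASELINE_HOSTS):
    """Return {user: sorted list of signal names} for users with any signal."""
    signals = defaultdict(set)
    successes, failures = Counter(), Counter()
    for line in lines:
        ts, user, host, outcome = parse_event(line)
        if outcome == "failure":
            failures[user] += 1
            continue
        successes[user] += 1
        if ts.hour in NIGHT_HOURS:
            signals[user].add("off-hours logon")
        if host not in baseline.get(user, set()):
            signals[user].add("unexpected host")
    for user, n in successes.items():
        if n >= VOLUME_THRESHOLD:
            signals[user].add("high logon volume")
    for user, n in failures.items():
        if n >= FAILED_THRESHOLD:
            signals[user].add("failed logon surge")
    return {user: sorted(s) for user, s in signals.items()}


if __name__ == "__main__":
    for user, found in detect_anomalies(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(found)}")
```

In practice the baseline would be learned from weeks of history rather than hard-coded, and each signal would carry a weight so that a single off-hours log-on alone does not page an analyst.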
