We also assume that the attacker has either access to a domain-joined computer or has access to the network.
1. Escalating to the SYSTEM Account
Escalating privileges to the local system account on the computer is, in many cases, the first thing that an attacker needs to do. The attacker can use a wide range of techniques to perform the escalation, and some of them are summarized here.
Of course, you’ve done half the job for the attacker if the user already has local admin on the computer. I’ve summarized a couple of the methods below so that you can get a picture of how the attackers elevate to SYSTEM.
Mitigation Tips:
Establish a solid first line of defense with AppLocker. Implement solutions like ATP. Educate users with the “think first, click later” mentality (even though some may still do it the other way around sometimes). Implementing Credential Guard.
Bad Permissions on Executables/Scripts Ran by a Privileged Account
This is one of the most common methods that an attacker may use to escalate to SYSTEM. The attacker scans for scheduled tasks or services that are launched by a privileged account on that computer (that is, SYSTEM or even a domain user). The attacker then scans the EXEs/scripts and DLLs related to it to see if its owned user has to write permissions.
The attacker then swaps or modifies the EXEs/Scripts or DLL files to something that gives them a backdoor to the SYSTEM account by using tools like PowerUp.
Mitigation Tip:
Scan and monitor file permissions on the executables, scripts, and DLLs that your services and scheduled tasks use.
Missing Security Patches
Since 2015, over 100 CVEs published for Windows 10 have allowed an attacker to escalate their privileges on a computer. Don’t forget to update the drivers as well! You already know, of course, that patching your systems is important, but it’s always good with a reminder.
2. Pass-The-Hash
Pass-The-Hash (PTH) is a common technique that the attackers use once they have local administrator or SYSTEM privileges. PTH was discovered already in 1997, but it’s a flaw “by design” in the Windows NTLM authentication mechanism.
PTH does not give you the password in clear text, what it does is that it reuses a user’s NTLM hash of the password to authenticate to other systems.
The attacker can use tools like Mimikatz to extract the NTLM hash from memory, which usually requires that a user more privileged than the owned user is logging on to the systems to be effective. But how do the attackers know that an admin will log on to that computer? Well, that’s easy—they cause problems with the machine and wait for support to log on.
Another important thing to point out is that Pass-The-Hash works on the local administrator account! Meaning that the hash of the computer administrator account (SID 500) can be used to own all other computers on the domain.
Mitigation Tips:
Implement Microsoft Tiering Model and separate admin accounts depending on their tier (Desktop Admin, Server Admin, Domain Admin etc). Implement Local Administrator Password Solution for unique passwords on all computers. Read more about PTH mitigation in Microsoft’s “Mitigating Pass-the-Hash and Other Credential Theft” (PDF).
3. The Unprivileged User Isn’t Actually Unprivileged
This is a common scenario as well—the owned user is privileged, but you don’t know it (yet). The attacker can scan the network and Active Directory with a tool called BloodHound to find attack paths that are extremely hard to discover in normal cases.
BloodHound uses a Graph Database called Neo4j to discover hidden relationships between users and computers by using Graph Theory. And, most of the data collection that it does can be done by a normal user. It can even discover local admin and active sessions on remote computers.
It’s not uncommon that an unprivileged user has to Write or Change Password permissions in Active Directory on a user with more privileges, usually by accident or due to sheer laziness.
Mitigation Tip: Scan your environments regularly with BloodHound to discover unintentional relationships.
4. Attacking the Admin
Admins are more exposed than other users, and it’s not uncommon that they are targeted during an attack. The attacker usually has no problem finding passwords and escalating once inside the unprivileged account of an admin.
Mitigation Tips:
Be aware of spear-phishing attempts. Implement a Microsoft Tiering Model. Implement MFA or Smartcard logon for all administrator accounts.
5. Scanning for Vulnerabilities
An attacker will start scanning for vulnerable software on your network if they can’t escalate privilege through the previous methods. This is usually done with tools like Striker or Metasploit, and is an effective way of escalating in environments where patching systems come secondhand or systems are out of support.
Mitigation Tips:
Have a patching routine for all of your systems and not only for the operating system. Decommission or segment outdated systems.
Afterwords
Security can be hard, but it becomes a whole lot easier if you are more aware of it and how it works. You also need to think of the attacks as a chain of exploits, and that everything in your network is connected.
With a few mitigation techniques, you can become quite resistant to attackers, but it’s never guaranteed. Most attackers are running a business, and if they find it too hard or time consuming to target you, they will choose a simpler target.
The goal should be to make the attackers ROI (Return of Investment) as low as possible, and it should be as hard as possible for them to elevate through your network.