Anyone who has had any experience on the offensive side of security has had fun with privilege escalation. There’s something exciting about exploiting a system to the point of getting root-level access. Since I have spent most of my time on the defensive side of the fence, the magic of escalating privileges rested in Exploiting for Privilege Escalation or stealing an administrator’s credentials.

The various techniques under Privilege Escalation taught me some of the magician’s tricks. Some of the techniques are highly technical and require system-level calls in order to abuse them properly. Two examples of this are Hooking and Process Injection. Although malware relies on them routinely, mitigating them can be difficult. Many of the techniques in this tactic abuse legitimate design features of the underlying operating system, so you can’t flat out block them.

Instead, ATT&CK makes recommendations which should be taken under consideration at all times. The following statement is made in multiple techniques across the framework: “Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.” This means using defense in depth to prevent an infection, such as perimeter defenses or application whitelisting on the endpoints.
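One way to act on that recommendation for the Process Injection technique mentioned above is to watch for its most visible side effect, a process creating a thread inside a different process. The following is an added example (not code from the original post or from ATT&CK) that runs such a check over a few constructed Sysmon Event ID 8 (CreateRemoteThread) records; the allowlist, the log format and the sample lines are assumptions you would replace with your own baseline and telemetry.

```python
"""Flag cross-process remote thread creation, a common Process Injection
primitive, in constructed Sysmon Event ID 8 (CreateRemoteThread) records.
The sample lines, the allowlist and the key=value layout are assumptions
for this example; adapt them to the telemetry you actually collect."""
import re

# Processes that legitimately create threads in other processes on a typical
# Windows host (assumption: build this allowlist from your own baseline).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon-style records (not real telemetry).
SAMPLE_LOGS = [
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\explorer.exe StartFunction=LoadLibraryW",
    "EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe TargetImage=C:\\Windows\\System32\\lsass.exe StartFunction=-",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
    "EventID=8 SourceImage=C:\\Program Files\\App\\app.exe TargetImage=C:\\Program Files\\App\\app.exe StartFunction=-",
]

# key=value pairs; the lookahead lets values contain spaces (e.g. "Program Files").
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse(line: str) -> dict:
    """Split one 'key=value key=value' record into a dict."""
    return dict(FIELD.findall(line))


def suspicious_injections(lines) -> list:
    """Return (source, target) pairs where a non-allowlisted process created a
    thread in a *different* process. Threads a process creates in itself are
    normal and are ignored; non-Event-8 records are skipped."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev.get("EventID") != "8":
            continue
        src = ev.get("SourceImage", "").lower()
        dst = ev.get("TargetImage", "").lower()
        if src == dst or src in ALLOWED_SOURCES:
            continue
        hits.append((ev["SourceImage"], ev["TargetImage"]))
    return hits


if __name__ == "__main__":
    for src, dst in suspicious_injections(SAMPLE_LOGS):
        print(f"ALERT remote thread: {src} -> {dst}")
```

On the sample data only the unsigned-looking binary in a user's Temp directory targeting another process is reported; the allowlisted csrss.exe and the self-targeted app.exe are not.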

One great method for preventing privilege escalation beyond the recommendations of ATT&CK is to use hardening benchmarks on the endpoints. The benchmarks from CIS and DISA provide excellent step-by-step guidance on how to harden a system against attacks which have been seen in the wild. Many of the techniques in Privilege Escalation are known attacks which can be defended against by following these benchmarks.

What may surprise many is that a default installation of most operating systems enables only half or fewer of the security checks found in a standard hardening guide. If you aren’t (Read more...)