It has been a little bit since we dove into the MITRE ATT&CK Tactics. When we left off with Persistence, we talked about how attackers maintain their leverage by opening as many ways in as possible. All use multiple vectors to cover their bases, but it is really hard to stay a step ahead and have impact if they don’t get heightened permissions. History shows that attackers who can either disrupt, discredit, or even hijack the command structure can cause a whole new level of pain. The pinnacle of many adversaries’ tactics is to be able to issue commands as if they were a highly placed commander within their target organization. It not only grants an amplifying effect, but can also hide their activity as they exploit trust. So let’s take a look at ATT&CK’s Privilege Escalation tactic and what it means to the attacker & defender.

The importance of ATT&CK’s Privilege Escalation

Defenders have it rough! They face adversaries who have nothing to lose, copious resources, and plenty of time. Their targets, however, are on exactly the opposite side of that spectrum. The folks in the trenches are desperately and valiantly defending something they value greatly. In traditional warfare, they fight to preserve their lands, avoid persecution, protect their families, or uphold their honor. More often than not, they are suffering from a lack of resources – either through attrition, embargo or blockade, or sabotage. Most importantly, defensive forces rarely choose timing – attackers tend to initiate their invasions when it best suits them, and conversely hurts the targeted forces.

A modern study in asymmetry

The current war in the Ukraine, for instance, shows the impact of this asymmetric equation. Despite poorly trained forces, antique equipment, and crushing international pressure, Russian forces have dictated terms. The initial invasion was timed to best suit their plans. They have brought a near inexhaustible pipeline of new soldiers to bear, drawing from a mandatory draft pool that far exceeds that of Ukraine’s. And they have mitigated their inventory issues despite sanctions through arms deals with Syria, China, and other sympathizers. Almost as important – they are led by a regime with a disregard for humanitarian or diplomatic norms.

The result to this point? Ukrainian forces have been vastly outnumbered and forced to react, valiantly standing to prevent their own collapse. Their military – while well trained and respected – has had to rely on a very sporadic flow of foreign aid to stand a chance. Because they are on the defensive and dependent on so many forces outside of their control, they have been much more sensitive to the norms their attackers disregard. These circumstances cause a significant asymmetry.

Ukraine has outperformed any expectations or predictions, and that is in large part due to the impressive strength of their people and the integrity of the command structure. Imagine if they couldn’t count on that?

Traitors in the midst

The American Revolution saw a similar asymmetry play out between British and Continental Army forces. In fact, without the injection of proficient leadership from abroad and the diplomatic efforts of several founding fathers, it could have gone another way altogether. General Washington’s army absolutely needed the infusion of discipline and rigor that Prussian general Baron Von Steuben brought in 1777. And with a lack of experienced leadership in the field, the addition of personalities like Marquis de Lafayette and later General Rochambeau, Admiral de Grasse and Admiral/General d’Estaine were critical. In hindsight, it is amazing that these outside personalities were so entrusted.

A change of heart could have been disastrous, as it proved with one of America’s own. We can look back at the betrayal by General Benedict Arnold with great contempt now. But as it was happening, it seemed unfathomable that a man so critical in earlier battles and so heroically known could be swayed to serve his enemy.

Benedict Arnold never quite got what he wanted after betraying the Revolutionary cause.

Here is a quick recap: Arnold was a critical leader in the taking of Fort Ticonderoga, the bottling of British forces in Lake Champlain, and most famously turned the tide at the Battle of Saratoga. But the adversary (British intelligence) worked a long time to turn him to their side, leveraging his key vulnerabilities (his British loyalist wife Peggy, indebtedness, and his vanity) and eventually gaining use of his station. Were it not for the timely capture of his British handler, Arnold was prepared to surrender the garrison at West Point, which would have been disastrous to the Americans. They almost succeeded in leveraging their escalated privileges to take over a major control point and cause harm to the cause.

Do we see traitors in cybersecurity too?

I think that we have all heard of insider threats, and it is tempting to draw the equivalence. But unlike traditional warfare, cyberspace has a much greater separation of the user from their identity. It is a double-edged sword. Pros: it means we aren’t too bogged down by such vulnerable ties. Cons: it is trivial for a well-equipped adversary to leverage an identity or even create one of their own to serve their purposes. Imagine if the British could just pretend to be Arnold and order the troops to vacate? Imagine if Russians could credibly convince Ukrainian forces to abandon their posts by impersonating President Zelensky or one of their generals? They don’t even have to assume the identity, they can merely intercept communications or forge an order. Those have direct parallels in an IT environment.

A big difference here is that in IT environments, systems allows for new identities to be created quite easily. Additionally, those same systems need ways to allow for those identities to gain elevated access or execute more sensitive commands from time to time. To top it off, people aren’t the only identities of consequence – services, assets, and more can have an identity and associated privileges. All of these things are much more prevalent in IT than on a traditional battlefield, and these areas are ripe for abuse. So let’s take a look at how adversaries may do so!

Privilege Escalation: dirty deeds done dirt cheap

The MITRE ATT&CK Privilege Escalation (TA0004) tactic is comprised of 14 techniques and 97 sub-techniques. Almost as expansive as Persistence! All of them seek to gain higher level permissions. So we’re going to group them logically based on the area each focuses in on.

Lots of ways to fake it till you make it!

If some of them are looking eerily familiar, good! It goes to show that some techniques can be used in multiple places to achieve different goals (Tactics). It also hints at the fact that sometimes multiple Tactics can be achieved in a single stroke. We’ll see how that works below šŸ™‚

Privilege Escalation via Impersonation

We’ve seen how advantageous having an insider can be. Whether they are willing accomplices or not, almost doesn’t matter. The sheer amount of dumps available on the dark web is a testament to the power of Valid Accounts (T1078). Using these is doubly concerning – the user or service is real and has a need to operate, which means they are really hard to detect and hard to lock down if detected. Another path to looking legitimate isn’t to hijack the identity but the communications from that identity – and this is where Access Token Manipulation (T1134) comes into play. By stealing tokens associated with a legitimate process, they can pass of their malicious activities as benign. Like a real admin user launched it.

Adversaries may have some valid accounts, but what if those identities didn’t have the access they needed to do the job? Through Account Manipulation (T1098) they elevate privileges, alter permissions, or assigned roles. They can even attempt Domain Policy Modification (T1484) to entitle their accounts with more access. These are both tricky with proper logging in place. But who does proper logging?

Privilege Escalation via OS process trickery

As we have mentioned before, operating systems are complex beasts! In that complexity are many opportunities to exploit gaps or issues. An attacker may want to wedge themselves a legitimate OS process for executing a program and Hijack Execution Flow (T1574) to escalate privileges, like ShimRAT does to bypass Windows User Access Controls. With 13 sub-techniques, this Technique covers a lot of interesting ground!

Somewhat related, an attacker may decide it is easier to just take their aggression out via a Process Injection (T1055). The legitimate code was going to run anyway, so they inject their malformed libraries into a process already working at a higher level and let their payloads tag along! Here the OS is still intact, the adversary is simply embedding their code into something normally okay.

Really cool example of APT Blind Eagle’s obfuscated Powershell Script that bypassed UAC (H/T Threatmon.io)

Maybe the adversary prefers to Abuse Elevation Control Mechanisms (T1548) that allow escalation on a case-by-case basis? In Linux or macOS, this is where the Setuid and Setgid bits come in super handy – the adversary can set these flags using chmod to allow their malicious executable to run at the levels of the owning group. In Windows, UAC is again a popular spot to target. the Linux/macOS sudo command, APIs, and cloud role manipulation are also important vectors to be on the lookout for.

Privilege Escalation via Boot and Schedule (revisited)

Lastly, bad actors love to Create or Modify System Process (T1543), leverage Boot or Logon Autostart Execution (T1547) or modify Boot or Logon Initialization Scripts (T1037) to make sure that their malicious code executes at high privilege but also persists through reboots or faults. Some of these TTPs happen before protection is in place, while others take advantage of system-level privileges to avoid detection. These same principles explain the use of a Scheduled Task/Job (T1053), which sometimes achieves the same results. Adversaries need to weigh detection risk vs. effort here, and will often combine 2 or more techniques to ensure access long-term.

Privilege Escalation via other means

While obtaining persistence, a threat actor often escalates privileges. Event Triggered Execution (T1546) is a handy way to invoke long-term access, and if done properly can ensure that access is at Admin or system-level privileges.

With most workloads and applications now running in some sort of abstraction, a new attack surface arises! Both container and virtual machine environments must consider the possibility of Escape to Host (T1611) as a vector. Adversaries may create images that map to host resources and allow unforeseen access. They may even abuse hypervisor, Kubernetes or Docker processes and APIs to cause damage to the underlying layers. This relates closely with Exploitation for Privilege Escalation (T1068), which tackles **any** vulnerability in software (host, app, and everything in between) to execute controlled code. Many Metasploit scripts, for instance, achieve privilege escalation by finding known vulns and capitalizing on them.

Metasploit and other frameworks make identifying and exploiting vulnerable software easy!

How can we mitigate or prevent Privilege Escalation?

As attackers gain access to higher authorization and privileges, they are empowered to do more. Not only do they have more access and deeper impact, but they also have access to commands that can obfuscate their presence, or cover their tracks! Had Benedict Arnold not been implicated in correspondence carried by his British handler, he likely would have doomed the Revolution. One can surmise that the Ukrainian government is continually monitoring for similar activity, and protecting the integrity of their command & control networks to avoid this same outcome.

West Point (now the US Military Academy) controlled the Hudson River – its fall would have allowed British forces to divide the colonies in two.

So what now?

So how can defenders in the cyber battlefield mitigate or eliminate this threat?

  • Log and audit, folks! We all can do a better job monitoring the OS logs for our devices and infrastructure. Yes, they are chatty. Take advantage of things like Microsoft’s Sysinterals and SwiftOnSecurity’s Sysmon template, or Auditd if you’re using Linux. This step will allow you to see when something fishy is going on.
  • Ensure that many of the OS mechanisms in place are disabled or properly hardened. The Center for Internet Security’s benchmarks & hardening guides spend a lot of time ensuring that any work-around is harder to take advantage of.
  • Use privilege account management features and privileged access management (PAM) tools. Sounds simple, but that additional process overhead can prevent a lot of pain.
  • Monitor and restrict file and registry access. Many of the TTPs we discussed above take advantage of injecting into scripts, libraries, or executables, or accessing them for cover. Use signed code whenever possible! Limit software installs and downloads as much as possible and retrain users to understand why.
  • Ratchet down on user, group and local admin privileges. The lower the adversary must start, the harder it will be for them to climb the ladder. Don’t forget service accounts too! And local accounts are the bane of any security program’s existence.
  • Sandbox and isolate properly, especially for containers and VMs. Some supply chain security is a huge help here – validate upstream repositories and vendors are clean before going to production.
  • Patch your code!

Conclusion

Privilege Escalation is nasty stuff, folks! And the more we prevent it, the more we interrupt adversary plans for causing damage, moving laterally, stealing information, or operating long term in our environments. The Continental Army learned the game of espionage quickly, but their efforts in counter-espionage were what saved their revolution from a disastrous end. The Ukrainians have also learned that quickly, and in a few years we may see it was vital to their survival. That same vigilance is necessary in cyberspace. Success can mean the entire game – for both sides. Don’t make it easy on the adversary to win! Make their loss embarrassing!

The British never made Benedict and Peggy rich, but at least he got a plaque for his treachery.

I hope that this post was helpful in understanding the role privileges play in cyberspace. Much of what an attacker wants to accomplish hinges on the Privilege Escalation tactic being successful. In subsequent posts, we’ll take a look at the possibilities that unlocking privileges can grant. As always, let me know if this is helpful, and have a great week folks!