A privilege escalation attack is a method of stealing information by first gaining lower-level access to a network. The attacker gets onto the network with a non-admin user account, and the next step is to obtain administrative privilege. Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from that application or user; the attacker takes advantage of programming errors or design flaws to obtain elevated access to the network and its associated data and applications. Not every system compromise initially gives an unauthorized user full access to the targeted system, and in those circumstances privilege escalation is required. A successful privilege escalation attack grants the attacker privileges that normal users do not have.
Escalation of Privileges:
- Horizontal privilege escalation occurs when a malicious user accesses resources and functions that belong to peer users who have the same level of access permissions.
- Vertical privilege escalation requires the attacker to grant himself higher privileges than his account holds. This is typically achieved by performing kernel-level operations that allow the attacker to run unauthorized code. In most privilege escalation attacks the attacker first logs in with a low-privileged user account and then searches the system for exploitable flaws that can be used to elevate those privileges.
Elements of the Privilege Escalation Attack
Two key components of Windows are behind an elevation of privilege attack: access tokens and the SID History. The access token is essentially a list of the user's SID and the SIDs of every group of which the user is a member. The SID History is an Active Directory attribute that tracks the changes to an object's SID as the object moves from one domain to another.
When a user logs into the system, the user's access token contains his or her present SID, the SIDs of any groups he or she belongs to, and any SIDs that were previously associated with the user account through the SID History. Taken together, these two elements determine whether the user can access the network and what level of access he or she will have.
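As an added example (not code from the original article), the following PowerShell inspects the two elements just described from a defender's side: it lists the SIDs actually carried in the current logon session's access token, then audits Active Directory for objects whose SID History attribute is populated, flagging entries that resolve to privileged well-known RIDs. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not part of the original article.
# Assumes: Windows host joined to a domain, RSAT ActiveDirectory module present.

function Get-CurrentTokenSids {
    # The access token of the current logon session: the user's own SID plus
    # every group SID. SIDs injected via SID History show up here as ordinary
    # group SIDs; the token itself does not mark where they came from.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [PSCustomObject]@{
        UserName  = $identity.Name
        UserSid   = $identity.User.Value
        GroupSids = $identity.Groups | ForEach-Object {
            $sid = $_
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }
            [PSCustomObject]@{ Sid = $sid.Value; Name = $name }
        }
    }
}

function Get-SidHistoryObjects {
    # Every user, group or computer whose sIDHistory attribute is non-empty.
    # Expected after a genuine domain migration; anywhere else it deserves a
    # review, especially when the historical SID ends in a privileged RID:
    # 512 = Domain Admins, 519 = Enterprise Admins, 544 = BUILTIN\Administrators.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
        ForEach-Object {
            $obj = $_
            foreach ($histSid in $obj.sIDHistory) {
                $sidString = [string]$histSid   # works for SecurityIdentifier or string values
                [PSCustomObject]@{
                    Object     = $obj.DistinguishedName
                    Class      = $obj.objectClass
                    HistorySid = $sidString
                    Privileged = $sidString -match '-(512|519|544)$'
                }
            }
        }
}

# Show the current token first, then SID History entries with privileged ones on top.
Get-CurrentTokenSids | Format-List
Get-SidHistoryObjects | Sort-Object Privileged -Descending | Format-Table -AutoSize
```

Comparing the token's group list against what the account is actually supposed to hold, and reviewing any SID History entry that was not created by a planned migration, is the routine check these two components call for.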