Hacker Explains Privilege Escalation: How Hackers Get Elevated Permissions
Liam Cleary, Solution Architect, Protiviti
Jeff Melnick, Systems Engineer, Netwrix Corporation
Agenda
- Elevation
- Escalation
- Prevention
Elevation
Elevation
An elevation of privilege occurs when an application gains rights or privileges that should not be available to it. Many elevation-of-privilege exploits are similar to the exploits used for other classes of threat.
Escalation
Escalation
Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely to be necessary at many points throughout an operation. Adversaries can enter a system with unprivileged access and must then take advantage of a system weakness to obtain local administrator or SYSTEM/root level privileges.
Elevation versus Escalation
Vertical Privilege Escalation (aka Privilege Elevation)
- Lower-privilege account(s) bypassing user vs. admin controls
- E.g. Windows services, screensavers, registry, cross-zone scripting, shell injection and even jailbreaking
Horizontal Privilege Escalation
- Normal user context switching; a limited form of elevation
- E.g. session ID reuse in cookies, cross-site scripting, password guessing, session hijacking and even keystroke logging
Elevation/Escalation Approaches
- Access Token Manipulation
- Bypass User Account Control
- Windows Memory Injection
- File System Permissions
- Process Injection
- Web Shell
Elevation: Process Hijacking (hacker against a client workstation)
1. Interrogate the environment for running processes
2. Retrieve the currently running processes
3. Inject into the selected process
4. Issue commands as the hijacked process
Elevation: Impersonation (hacker against a client workstation)
1. Interrogate the environment for user tokens
2. Retrieve the current user tokens
3. Impersonate the chosen user token
4. Issue commands as the impersonated user
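The two slides above describe the same attacker loop from the workstation's point of view: enumerate, then inject into a process or take over a token. From the defender's side, both steps leave telemetry. The script below is an added detection example written for this page, not part of the webinar or of any Netwrix product; it scans event records shaped like Sysmon Event ID 8 (CreateRemoteThread, the "inject into selected process" step) and Windows Security Event ID 4624 with LogonType 9 (NewCredentials, a token carrying a different user's network credentials, the building block of the "impersonate chosen user token" step). The sample events, the TRUSTED_INJECTORS allowlist and the SENSITIVE_TARGETS set are constructed for illustration and would be tuned to a real baseline.

```python
"""Detection sketch for process injection and token impersonation telemetry.
Added example; the event records and allowlists below are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Processes that create remote threads in other processes as part of normal
# Windows operation (assumption for this example; build from your own baseline).
TRUSTED_INJECTORS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}
# Targets whose memory or tokens are attractive once a foothold exists (assumption).
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "services.exe", "explorer.exe"}


@dataclass
class Alert:
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_remote_thread(ev: dict) -> Optional[Alert]:
    """Sysmon Event ID 8: SourceImage started a thread inside TargetImage.
    Anything outside the allowlist is suspicious; sensitive targets are high."""
    if ev.get("EventID") != 8:
        return None
    src = ev["SourceImage"].lower()
    if src in TRUSTED_INJECTORS:
        return None
    tgt = _basename(ev["TargetImage"])
    sev = "high" if tgt in SENSITIVE_TARGETS else "medium"
    return Alert("remote-thread",
                 f"{sev}: {_basename(src)} -> {tgt} (start {ev.get('StartAddress')})")


def check_new_credentials_logon(ev: dict) -> Optional[Alert]:
    """Security Event ID 4624 with LogonType 9 (NewCredentials): the calling
    process now holds a token that presents another account's credentials
    on the network. Legitimate in some admin workflows, so treat as a lead."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 9:
        return None
    return Alert("new-credentials-logon",
                 f"{ev['SubjectUserName']} obtained network credentials of "
                 f"{ev['TargetUserName']} via {_basename(ev['ProcessName'])}")


RULES = (check_remote_thread, check_new_credentials_logon)


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run every rule over every event and collect the alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: one benign remote thread, one injection into
# lsass.exe, one interactive logon, one NewCredentials logon, one unrelated event.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00007FF6A1B20000"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "StartAddress": "0x000001E4C3A40000"},
    {"EventID": 4624, "LogonType": 2, "SubjectUserName": "bob",
     "TargetUserName": "bob", "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 4624, "LogonType": 9, "SubjectUserName": "bob",
     "TargetUserName": "svc-backup", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Run against the constructed sample, the script reports two alerts: a high-severity remote thread from update.exe into lsass.exe and a NewCredentials logon by bob as svc-backup. In practice the allowlist is the whole game; seed it from a quiet-period baseline and review additions rather than silencing rules.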
Demo
Prevention
Prevention
- Data Execution Protection
- Least Privilege
- Patching
- Encryption
- Mandatory Access Controls
- Anti-Virus
About Netwrix Auditor
Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables control over changes, configurations, and access in hybrid IT environments. It provides security intelligence to identify security holes, detect anomalies in user behavior and investigate threat patterns in time to prevent real damage.
Security Challenges Resolved by Netwrix Auditor
PREDICT
- Problem: IT can't assess security posture and determine which assets need the most protection.
- Solution: Proactively identify and mitigate IT security weak spots, and prioritize data protection efforts.
PREVENT
- Problem: Lack of actionable intelligence makes it hard to prevent policy violations and data breaches.
- Solution: Gain full control over user permissions. Lock down overexposed data, prevent data breaches and privilege abuse.
DETECT
- Problem: Incidents go unnoticed. Noise and alert fatigue make it hard to discern real threats.
- Solution: Quickly identify real security threats with alerts on anomalous activity and details about high-risk user accounts.
RESPOND
- Problem: Forensics teams can't analyze attacks to understand how they could have been stopped.
- Solution: Trace attacks step by step to learn from them and prevent similar incidents from happening again.
Netwrix Auditor Benefits
Detect Data Security Threats, both On Premises and in the Cloud: bridges the visibility gap by delivering security intelligence about critical changes, configurations and data access in hybrid IT environments and enabling identification of security holes and investigation of anomalous user behavior.
Pass Compliance Audits with Less Effort and Expense: provides the evidence required to prove that your organization's IT security program adheres to GDPR, PCI DSS, HIPAA, SOX, FISMA, NIST, GLBA, CJIS, FERPA, NERC CIP, ISO/IEC 27001, and other standards.
Increase the Productivity of Security and Operations Teams: relieves IT departments of manually crawling through weeks of log data to find out who changed what, when and where a change was made, or who has access to what, and helps automate software inventory tasks.
Netwrix Auditor Demonstration
Next Steps
- Free Trial: set up in your own test environment, netwrix.com/freetrial
- Virtual Appliance: get Netwrix Auditor up and running in minutes, netwrix.com/go/appliance
- Test Drive: run a virtual POC in a Netwrix-hosted test lab, netwrix.com/testdrive
- Live One-to-One Demo: product tour with a Netwrix expert, netwrix.com/livedemo
- Contact Sales to obtain more information, netwrix.com/contactsales
- Upcoming and On-Demand Netwrix Webinars: join upcoming webinars or watch the recorded sessions, netwrix.com/webinars and netwrix.com/webinars#featured
Questions?
Thank you!
Liam Cleary, Solution Architect, Protiviti
Jeff Melnick, Systems Engineer, Netwrix Corporation
www..com