Anyone who has had any experience on the offensive side of security has had fun with privilege escalation. There’s something exciting about exploiting a system to the point of getting root-level access. Since I have spent most of my time on the defensive side of the fence, the magic of escalating privileges rested in Exploiting for Privilege Escalation or stealing an administrator’s credentials.
The various techniques under Privilege Escalation taught me some of the magician’s tricks. Some of the techniques are incredibly technical and require system-level calls in order to abuse properly. Two examples of this are Hooking and Process Injection. While these are used by malware, mitigating them can be difficult. Many of the techniques in this tactic are designs of the underlying operating system being abused, so you can’t flat out block them.
Instead, ATT&CK makes recommendations which should be taken under consideration at all times. The following statement is made in multiple techniques across the framework: “Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.” This means using defense in depth to prevent an infection, such as perimeter defenses or application whitelisting on the endpoints.
One great method for preventing privilege escalation beyond the recommendations of ATT&CK is to use hardening benchmarks on the endpoints. The benchmarks from CIS and DISA provide excellent step-by-step guidance on how to harden a system against attacks which have been seen in the wild. Many of the techniques in Privilege Escalation are known attacks which can be defended against by following these benchmarks.
What can be surprising to most is a default installation of most operating systems will only enable half or less of the security tests available in a standard hardening guide. If you aren’t actively enabling security settings on devices, you can be exposing configuration vulnerabilities which can be leveraged by attackers.
Another avenue to explore with this technique is audit logging.
When an attacker abuses some of these techniques, they will leave behind breadcrumbs that can expose what they are up to. The caveat here is that the logs generated can blend into the background noise of a traditional enterprise environment. Some logging systems have rules available to hunt out these types of threats. Even if yours does, it is a good idea to have analysts continually combing through anomalous events, so they have an understanding of what is normal and what requires an extra look.
There is also a mapping of CIS controls to the ATT&CK framework available. This can be helpful if you’re already adopting the CIS Controls and are starting down the path of adopting ATT&CK.
Read more about the MITRE ATT&CK Framework here:
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection