User Tools

Site Tools


en:threats:fruit:escalation
 
 

Privilege escalation

Unauthorised privilege escalation happens when an adversary obtains a higher level of access (administrative privileges), in order to gain control of the network system.

Some of it can be mitigated, but BIOS and UEFI firmware, for example, are low-level software that starts before the operating system. Vulnerabilities in drivers can be and have been abused to achieve privilege escalation. From the kernel, an attacker can move to firmware and hardware interfaces, allowing them to compromise the target host beyond detection capabilities of normal threat protection, which operates at OS level. Malware and backdoors planted in such low level components are invisible to most security solutions and cannot be removed by reinstalling the OS.

Resources

Mitigation

Windows

  • Review IT systems and ensure UAC protection is set to the highest level
  • Keep user management up to date
  • Assign administrative rights in line with the least-privilege principle
  • Disallow loading of remote DLLs
  • Enable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions
  • Use auditing tools to detect DLL search order hijacking vulnerabilities
  • Identify and block software executed through search order hijacking, using whitelisting tools

Linux

  • Keep it updated and patched
  • Restrict or remove programs that enable file transfers, such as FTP, SCP, or curl, or restrict them to specific users or IPs, to prevent transfer of an exploit onto a target device.
  • Remove or restrict access to compilers not in use to prevent exploits from executing.
  • Limit which folders are writeable or executable.
  • Do not give sudo rights to compilers, interpreters or editors, including vi, more, less, nmap, perl, ruby, python, and gdb. Do not give sudo rights to any program that enables running a shell. Severely limit sudo access using the least-privilege principle.

en/threats/fruit/escalation.txt · Last modified: 2020/01/19 16:27 by Digital Dot