Once the initial foothold is established, the attackers look for ways to spread through the network. It is often the case that the initial compromise happens on a computer that is of little importance to the objectives of the APT's campaign. Therefore, the attackers try to escalate their privileges on this machine so that they can start moving through the target's infrastructure to find and compromise the systems that store valuable information.
One of the easiest ways to perform privilege escalation is to exploit issues in the computer's configuration: leftover files containing administrator credentials, misconfigured services, deliberately weakened security measures, excessive user rights, etc. Because this approach is easy, it is a very common way of gaining higher privileges within the compromised system. However, it depends on what the attacker happens to find on the machine, so its success is not guaranteed.
A more reliable way of escalating privileges is to attack the operating system's kernel, which results in the execution of arbitrary code in a higher integrity context and allows the attacker to bypass all security restrictions. On a patched system, the success of this approach relies on the possession of a Zero-Day exploit. APTs require significant resources to obtain such exploits, which makes Zero-Days a very valuable asset in their inventory.
In some cases, privileges can be escalated simply by exploiting password-related issues, such as weak complexity or password reuse. For example, attackers try to brute-force the passwords of administrative users and launch their malware with higher privileges. Another approach is to intercept a user's credentials and try them on other services across the network. In any case, the attacker seeks to escalate the context in which his payload is executed.
When the most common approaches fail, attackers might try other kinds of privilege escalation. However, these tactics can require significantly more resources, so the attackers may instead compromise another victim using the same point-of-entry techniques as for the current one. Nevertheless, privilege escalation is an important step in the APT lifecycle and is carried out in one way or another.
Privilege Escalation Techniques
The following example shows how an attacker can perform a quick analysis of the current user and the patch level of the target's computer. Given that the attacker has already achieved remote control of the infected machine, he proceeds to enumerate the current user's groups and the security updates that are currently installed. Built-in commands and tools are used to obtain this information, as shown in Figure 1.
Figure 1: Reconnaissance for privilege escalation
The absence of the BUILTIN\Administrators group in the output of the whoami command indicates that the current user has limited rights on the target system. Therefore, the systeminfo command is used to generate a report of the installed security updates. Once the report is generated and downloaded, it is processed with the Windows-Exploit-Suggester tool to check whether the system has any unpatched vulnerabilities (see Figure 2).
Figure 2: Patch level assessment with Windows Exploit Suggester
Privilege escalation via CVE-2015-1701
Once potential vulnerabilities are fingerprinted, an attacker attempts to exploit them. For example, the vulnerability addressed by bulletin MS15-051, also known as CVE-2015-1701, can be exploited with one of Metasploit's modules. The sequence of this exploitation is shown in Figure 3.
Figure 3: Privilege escalation via CVE-2015-1701 using Metasploit
In a fully patched environment an attacker needs an exploit for a Zero-Day vulnerability to perform privilege escalation. If the attacker has no such exploit, he can still try to escalate his privileges through improper configuration of the target's operating system. A common example is the insecure configuration of services, which allows an attacker to elevate his privileges. In this case, the service configuration is probed for various known issues. A quick example of such an attack uses the PowerUp script from the PowerSploit toolkit. Figure 4 shows how the script is deployed and executed to discover configuration issues.
Figure 4: Enumeration of configuration issues
The PowerUp script has identified weak permissions on the RasMan service. This allows an attacker to reconfigure the service with his payload and then restart it in order to execute a desired command with the highest (SYSTEM) privileges. To perform such an attack, the Invoke-ServiceAbuse command can be used as shown in Figure 5.
Figure 5: Privilege escalation via insecure configuration of services
As shown in Figure 5, successful exploitation of the misconfigured service allowed the attacker to execute an arbitrary command (in this case regsvr32 …) with the privileges of the NT AUTHORITY\SYSTEM account. The supplied command downloaded additional code and executed it. In the end, a new command channel (session 16) was created with the highest privileges, granting the attacker full control of the compromised machine.
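As a defender-side counterpart to the PowerUp check above, the following added example (not from the original report and not part of PowerSploit) parses service security descriptors in the SDDL form printed by `sc.exe sdshow <service>` and flags allow-ACEs that grant SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or generic write rights to well-known low-privileged SIDs, which is the kind of weakness reported for RasMan. The service names and descriptor strings are constructed samples, not captured from a real host.

```python
import re
# Constructed samples in the shape of `sc.exe sdshow <service>` output (SDDL).
# "Spooler" mirrors a default-style service DACL; "RasMan" additionally grants
# SERVICE_CHANGE_CONFIG (DC) to Authenticated Users, the class of weakness the
# text attributes to RasMan. Neither string was captured from a real host.
SAMPLE_SDDL = {
    "Spooler": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)",
    "RasMan": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCDCLCSWRPWPLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
}
# Service rights (SDDL code -> access bit) that let the holder change what the
# service runs, or take over the security descriptor itself.
DANGEROUS_RIGHTS = {
    "DC": 0x00000002,  # SERVICE_CHANGE_CONFIG: repoint binPath or logon account
    "WD": 0x00040000,  # WRITE_DAC: rewrite the service's own ACL
    "WO": 0x00080000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GW": 0x40000000,  # GENERIC_WRITE
}
DANGEROUS_MASK = sum(DANGEROUS_RIGHTS.values())
# Well-known SID aliases that any ordinary logged-on user satisfies.
LOW_PRIV_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
                 "IU": "Interactive", "AN": "Anonymous", "BG": "Guests"}
ACE_RE = re.compile(r"\(([^)]*)\)")

def dangerous_bits(rights):
    """Map an SDDL rights field (hex or two-letter codes) to its dangerous bits only."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & DANGEROUS_MASK
    codes = (rights[i:i + 2] for i in range(0, len(rights), 2))
    return sum(DANGEROUS_RIGHTS.get(c, 0) for c in codes)

def weak_aces(sddl):
    """(trustee, [codes]) for allow-ACEs that grant dangerous rights to low-priv SIDs."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]  # keep the DACL, drop any SACL
    findings = []
    for ace in ACE_RE.findall(dacl):
        ace_type, _flags, rights, _obj, _iobj, sid = ace.split(";")[:6]
        if ace_type != "A" or sid not in LOW_PRIV_SIDS:  # skip deny-ACEs and admin SIDs
            continue
        bits = dangerous_bits(rights)
        if bits:
            codes = sorted(c for c, b in DANGEROUS_RIGHTS.items() if bits & b)
            findings.append((LOW_PRIV_SIDS[sid], codes))
    return findings

def audit(services):
    """Return only the services whose DACL lets low-privileged principals alter them."""
    results = {name: weak_aces(sddl) for name, sddl in services.items()}
    return {name: hits for name, hits in results.items() if hits}
```

On a live host the same check is run by feeding `audit()` the SDDL string of every installed service; a hit means the service can be repointed at an attacker-chosen binary exactly as described above, and the fix is to remove the offending ACE.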
While this section describes only the most common privilege escalation techniques, other approaches can be used when no Zero-Day exploit is available and the operating system is properly configured. Techniques such as key-logging and social engineering usually require more time or are more visible to the victim, and the noise they create can uncover the compromise. Therefore, attackers often invest their resources in developing or obtaining exploits for Zero-Day vulnerabilities.
Real World Example: APT28 / Sofacy
In some cases, APT28 was observed chaining the initial compromise with a privilege escalation stage. In such a case, the target user clicks a link which leads to a website controlled by the attacker. The HTML/JS launcher page serves a Flash exploit which triggers a Zero-Day vulnerability (CVE-2015-3043) and executes shellcode. The shellcode downloads and runs an executable payload which exploits a local privilege escalation vulnerability in Windows (Win32k, CVE-2015-1701) to steal a System token.
However, the group also tries to take advantage of recently disclosed vulnerabilities or exploits, relying on the fact that not everyone installs security updates immediately after their release. In 2015, APT28 deployed a number of zero-day exploits discovered in the leak from the security company Hacking Team, which demonstrates this tactic.
1. Boonen, R. (2014).
2. Vasilenko, R. (2015, July 7).
3. Fireeye Labs. (2015, April 18).
4. ESET Research. (2015, July 10).