Signs of Privilege Escalation
External attackers and insider threats will take advantage of accounts which have been granted more permissions than necessary in order to move laterally in the network towards their end goals. Accounts with access permissions to high privilege services can occur frequently without the knowledge of IT admins allowing malicious actors access to valuable resources.
1. Unusual Account on Host
- Compromised Privileged Account: A privileged account accessing services from an unobserved host can indicate compromise.
- Account Borrowing: Privileged employees using another user's machine for routine tasks may raise suspicion.
2. Unusual Host
- Unexpected Access: An account accessing a service from an atypical host with varying privilege scores may signal an attack.
- New Host Assignment: An employee with consistent work patterns suddenly using a different host can be a red flag.
3. Unusual Service
- Out-of-Pattern Service Access: Accounts accessing abnormal services from specific hosts may indicate compromise.
- Role Changes: Employees with new projects involving unusual privileged services might pose a risk.
Investigating Signs of Privilege Escalation
To delve deeper into these signs, follow these investigative steps:
- Server Log Analysis: Scrutinize Kerberos or Active Directory server logs for detailed insights into account activity.
- Verification: Inquire about the legitimacy of account usage on specific hosts with the host's owner.
- Shared Resource Check: Ensure that authentication attempts are not from shared resources, potentially indicating a pivot point for attackers.
Business Impact of Privilege Escalation
Privilege escalation attacks can have severe consequences for businesses:
- Lateral Movement Risks: Unauthorized access to privileged accounts, hosts, or services poses a significant risk of data acquisition and exfiltration.
- Breaches and Unusual Patterns: Unexplained usage patterns of privileged entities often precede major breaches, including those orchestrated by rogue insiders.
- Insight into Business Impact: Analyzing the accounts, hosts, and services involved provides valuable perspectives on potential business impact.
How can organizations verify privilege anomalies?
- Examine server logs for detailed host and account activity, focusing on privilege mismatches.
- Inquire whether the host owner should use the specified account to access listed services.
- Verify that the authentication attempt host is not a shared resource, as it could be exploited as a pivot point.
An account, host, and service engaging in abnormal behavior warrant attention. Whether it's an attacker controlling entities or an insider using abnormal combinations, the potential risks demand thorough investigation.