
Detecting malicious elevation of privileges

Good security is often achieved through the use of several different layers of protection. One layer of protection is blocking or detecting when a lower level user (non-administrator) is trying to elevate their privileges. On Windows there are many different ways to do this, and we’ll cover the most common and show you ways to detect this type of activity.


One of the most common ways an attacker moves from an end-user account to admin access is by changing or obtaining the Administrator password. On Windows, dumping the SAM (Security Account Manager) database is a powerful attack, because you not only obtain the administrator password-hash but you also obtain all users’ password-hashes on the system. If the attacker is successful against a domain controller all password-hashes on the entire domain could be at risk.

Keyloggers are another way hackers seek to elevate their privileges. A hacker may run a program on a system and then tempt or trick an administrator into logging into that system. The keylogger will grab all keystrokes including the admin’s password. Another way to gain password-hashes is through the use of a memory dump. Memory dumps can be created by purposely crashing programs and overflowing buffers.

Overflowing programs or exploiting system weaknesses can also let attackers move up to admin access. Most of the time the attackers will compile special exploit code that targets a flaw or weakness in the OS or its many running applications.

To combat these common attacks, File Integrity Monitoring is a powerful tool that can be used to alert you if a hacker is attempting to raise their privileges. Because many of these attack vectors rely on changing or adding files or registry keys on the system, Halo’s FIM can detect these new or changing entities.


Locations you want to add to a FIM policy would include:

The startup directory

The startup directory can be used to launch applications with system level privileges. System level is required when doing a SAM dump. Keyloggers can also be launched and/or installed from here.

System directories and files

If a system file is changed as part of an exploit you will need to know about it. Also hackers routinely hide extra files in system directories, knowing they will probably be overlooked.

Security settings inside the registry

Some security settings can be changed to allow easier access. A good example of this is the key allowing system memory dumps. Two other examples are allowing anonymous enumeration of SAM over the network and the run key, like the startup directory, used to run programs at startup.

Temporary files may hold user and application information

Page files and temporary files may hold information that would help an attacker gain administrative access. This could be application settings and logins, hashed passwords or even plain text unencrypted passwords. Make sure the registry keys for these types of settings are set securely. A good example of this is the registry key telling Windows to erase the pagefile during a clean shutdown.
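The following PowerShell script is an added example, not part of the original post and not CloudPassage Halo code. It shows what a minimal file-integrity check over the locations listed above looks like when written by hand: it hashes the files in the startup folders and a system directory, snapshots the Run keys, compares both against a saved baseline, and checks the three registry values the post mentions (crash dumps, anonymous SAM enumeration, pagefile wiping) against a hardened setting. The baseline file location, the choice of watched directories and the "expected" values are assumptions for this example; adjust them to your own build standard.

```powershell
# Added example (not Halo code): hand-rolled FIM baseline + registry posture check.
# Run in an elevated PowerShell session. $BaselinePath is an assumed location.
$BaselinePath = "$env:ProgramData\fim-baseline.json"

# Locations the post recommends watching (assumed subset; extend as needed).
$WatchPaths = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",  # all-users startup
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",      # current-user startup
    "$env:SystemRoot\System32\drivers\etc"                             # hosts, lmhosts, services
)

# Registry values called out in the post and the value a hardened build carries.
$RegistryChecks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Name = 'CrashDumpEnabled'; Expected = 0; Why = 'system memory dumps disabled' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymousSAM'; Expected = 1; Why = 'no anonymous SAM enumeration' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'ClearPageFileAtShutdown'; Expected = 1; Why = 'pagefile wiped at clean shutdown' }
)

# SHA-256 every file under the watched paths, keyed by full path.
function Get-FileBaseline {
    param([string[]]$Paths)
    $baseline = @{}
    foreach ($root in $Paths) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $baseline[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    return $baseline
}

# Snapshot autostart entries in the Run/RunOnce keys so a new value stands out.
function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $entries = @{}
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            $entries["$k\$($_.Name)"] = [string]$_.Value
        }
    }
    return $entries
}

# Diff two path->value maps and report Added / Modified / Removed entries.
function Compare-Baseline {
    param([hashtable]$Old, [hashtable]$New)
    $changes = @()
    foreach ($p in $New.Keys) {
        if (-not $Old.ContainsKey($p))  { $changes += [pscustomobject]@{ Change = 'Added';    Path = $p } }
        elseif ($Old[$p] -ne $New[$p])  { $changes += [pscustomobject]@{ Change = 'Modified'; Path = $p } }
    }
    foreach ($p in $Old.Keys) {
        if (-not $New.ContainsKey($p))  { $changes += [pscustomobject]@{ Change = 'Removed';  Path = $p } }
    }
    return $changes
}

# Read each security value and flag drift from the expected setting.
function Test-RegistryPosture {
    param([array]$Checks)
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting  = "$($c.Key)\$($c.Name)"
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '(missing)' } else { $actual }
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'DRIFT' }
            Purpose  = $c.Why
        }
    }
}

# ConvertFrom-Json yields PSCustomObjects; turn them back into hashtables for diffing.
function ConvertTo-Hashtable($obj) {
    $h = @{}
    if ($null -ne $obj) { foreach ($p in $obj.PSObject.Properties) { $h[$p.Name] = $p.Value } }
    return $h
}

$current = @{ Files = Get-FileBaseline -Paths $WatchPaths; Run = Get-RunKeyEntries }
if (Test-Path $BaselinePath) {
    $saved = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    "== File changes ==";     Compare-Baseline -Old (ConvertTo-Hashtable $saved.Files) -New $current.Files | Format-Table
    "== Run key changes ==";  Compare-Baseline -Old (ConvertTo-Hashtable $saved.Run)   -New $current.Run   | Format-Table
} else {
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
}
"== Registry posture =="; Test-RegistryPosture -Checks $RegistryChecks | Format-Table -AutoSize
```

The first run writes the baseline; each later run prints anything added, modified or removed under the watched paths and Run keys, plus a DRIFT line for any of the three security values that no longer matches the expected setting. A hand-rolled script like this is a point-in-time check with no tamper protection on its own baseline file, which is exactly the gap a managed FIM product with an off-host baseline and alerting is meant to close.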

CloudPassage Halo provides FIM templates that cover all of these areas and more. You can learn how to apply a policy to a server group here.

With our “Core Registry Keys” and our “Core System Files” policies, you should be able to cover almost all the areas discussed here. You may need to add to the policies, or build your own to cover areas specific to your environment. This could apply to something like applications, purpose-built servers for a specific task, or other configurations beyond a generic server build.
