-
Introduction
- The goal of most remote hacks is to authenticate to the target with the highest level of access and permission possible, and later to remove evidence of the attack. To hack a target system, an attacker often has to establish the password associated with active usernames, escalate their level of permission and erase traces that they were there. To achieve this successfully, an attacker has to be able to:
- Employ various password cracking techniques and tools,
- Escalate privileges,
- Hide files, cover tracks, and erase evidence,
- Maintain access (often via a rootkit).
-
Privilege Escalation
Generally, administrator accounts have more stringent password requirements and their passwords are more closely guarded. They can be difficult to obtain. Therefore, attackers may have to settle for access to the network using a non-admin user account with limited capabilities. In this case, the attacker must then escalate that account’s privileges. This is called Privilege Escalation.
Privilege escalation is the process by which an attacker raises the privileges of an account they control to a higher level of access, such as administrative privileges, in order to gain control of the network system.
-
Covering tracks
- After gaining access to a system, attackers usually try to remove evidence of their activities to prevent detection. When all information of interest has been removed from the target, the intruder installs backdoors to obtain access in the future. Additionally, to prevent detection, attackers may:
- Disable logging and auditing tools.
- Erase any error messages or security events that may have been logged.
- Hide files used to launch an attack.
- A hacker may want to hide files on a system to prevent their detection. These files may then be used to launch an attack on the system. Two examples of hiding files in Windows are:
- Using the attrib command. To hide a file with the attrib command type: attrib +h [file/directory]
- Using NTFS alternate data streams (ADS). The NTFS file system uses several attributes to store content and information about a file in its Master File Table (MFT). The data content is stored in data streams ($Data in the MFT). More than one data stream can be stored and associated with the same file. Streams aren’t limited in size and can therefore be used to hide files and applications.
An ADS can be created by simply typing:
type c:\myMalware.exe > c:\windows\system32\calc.exe:myMalware.exe
This creates an ADS inside calc.exe containing a program called myMalware.exe. A user navigating through the file system would not see anything different about the calc.exe file: its size and name remain the same, and double clicking on the file opens the Calculator as normal. However, the ADS can be run by typing:
start c:\windows\system32\calc.exe:myMalware.exe
-
Erase evidence
Windows auditing records certain events in a log file that is viewed through the Windows Event Viewer. Events can include logging in to the system and application activity. Administrators can choose the level of logging implemented on a system.
A hacker often wants to determine the level of logging implemented to see whether they need to clear events that indicate their presence on the system. The first thing intruders will do after gaining Administrator privileges is disable auditing; the Windows Resource Kit’s auditpol.exe tool can disable auditing from the command line. At the end of their stay, intruders will just turn auditing on again.
Intruders could also wipe out the logs in the Event Viewer. This process clears all records from the log but leaves one record stating that the event log has been cleared. An event log that contains only one or a few events is therefore suspicious, because it can indicate that other events have been cleared.
It’s still necessary to clear the event log after disabling auditing, because using the AuditPol tool places an entry in the event log indicating that auditing has been disabled. Several tools exist to clear the event log, or a hacker can do so manually in the Windows Event Viewer [1].
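From the defender’s side, both techniques above (ADS hiding and auditing/event-log tampering) leave artefacts that can be checked for. The following PowerShell is an added example, not part of the original notes; it assumes a Windows host with PowerShell 5.1 or later and local administrator rights, since reading the Security log and auditpol both require elevation.

```powershell
# Added defensive example (not from the original notes). Assumes an elevated
# PowerShell session on Windows; directory and event counts are arbitrary defaults.

# 1. Enumerate NTFS alternate data streams under a directory. Every file has the
#    default ':$DATA' stream; any other named stream deserves a look.
#    'Zone.Identifier' is the benign mark-of-the-web stream on downloaded files,
#    so it is filtered out to reduce noise.
function Find-AlternateDataStreams {
    param([string]$Path = 'C:\Windows\System32')

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# 2. Pull the Security-log events that record the tampering described in the notes:
#    1102 = the audit log was cleared (the single record that survives a wipe),
#    4719 = the system audit policy was changed (what auditpol does when auditing is
#    switched off), 1100 = the event logging service shut down.
function Get-AuditTamperEvents {
    param([int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(1100, 1102, 4719) } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { (($_.Message -split "`n")[0]).Trim() } }
}

# 3. Show which audit subcategories are currently set to 'No Auditing'. auditpol's
#    /r switch emits CSV, so the output can be parsed directly; compare the result
#    with the baseline policy you expect on the host.
function Get-DisabledAuditSubcategories {
    auditpol /get /category:* /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

# Run all three checks and print the findings.
Find-AlternateDataStreams      | Format-Table -AutoSize
Get-AuditTamperEvents          | Format-Table -AutoSize
Get-DisabledAuditSubcategories | Format-Table -AutoSize
```

An empty result from Get-AuditTamperEvents is only meaningful if the Security log has not itself been cleared, which is exactly why the 1102 record and the audit-policy comparison are checked together.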
-
Maintaining Access
- Once attackers have gained admin access, they want to maintain it for future exploitation, enabling them to launch further attacks. They usually want to do two things:
- Keep the administrators unaware of their presence.
- Prevent administrators from kicking them off the system.
Sometimes attackers harden the system to prevent other malicious hackers from gaining access. An attacker may fix the original exploit that they employed to gain access, in order to keep the system to him/herself (‘ownership’).
Attackers may also want to execute applications such as backdoors, keystroke loggers and rootkits.