Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Company
Platform
Modern NDR
Resources
Company
DETECTION OVERVIEW
Risk Factors
The likelihood of privilege escalation increases after a device has been compromised earlier in the attack chain and when there are poor security controls for remote access services on the network. Time and skills are required to exploit weaknesses in services that run over remote control protocols such as Secure Shell (SSH), Remote Desktop Protocol (RDP), or Windows Management Instrumentation (WMI). If an attacker achieves privilege escalation, this means that the attacker is close to taking action on their ultimate objective, such as exfiltrating or compromising the integrity of important data.
The system might change the risk score for this detection.
Category
After a client or workstation with limited privileges is compromised by an attacker through malware or an exploit, the attacker can search for critical assets to compromise from inside the network. Because critical assets are likely protected with strict permissions to prevent unauthorized access, the attacker must find a way to escalate the privileges of the compromised device, which they now control.
An attacker can escalate the privileges of a device through a lack of security controls on remote access services. Evidence of privilege escalation can point to the lateral movement phase of a potentially large attack campaign.
Disable remote access services that are not required
Implement strong authentication methods for remote access services
Regularly apply software updates
Implement network segmentation and firewall policies to limit how devices can communicate and enforce security zones
Implement devices that manage access through a separate security zone, such as jump servers or bastion hosts, which limit the scope of remote access and provide strong authentication and auditing
Review access controls to ensure that only the necessary users can connect to remote access services
Review authentication methods and enforce policies for secure credential creation and multi-factor authentication
WMI is a Microsoft-specific implementation of the Web-Based Enterprise Management (WBEM) standard. WMI allows you to gather information about and control various components of a Windows system.
Learn how attackers use the Impacket tool to move laterally in encrypted east-west traffic. Discover how ExtraHop RevealX provides the crucial visibility to detect these hidden threats.
Network analysis and visibility solutions remain underrepresented in enterprises. Find out why in this preview of a new Wave report.
ExtraHop® Named a Leader in First-Ever Gartner® Magic Quadrant™ for Network Detection and Response
Visit this resource for more information.
This analysis exposes the critical link between an organization's lack of internal visibility and the escalating cost of compromise, demanding an urgent re-evaluation of how core business assets are protected.
Learn why you need to be wary of the claims certain network detection and response providers make about their coverage against the MITRE ATT&CK framework.
Learn how NDR from RevealX helps security teams detect and investigate more adversary TTPs in the MITRE ATT&CK framework than rule-based tools.
