
DETECTION OVERVIEW

Network Privilege Escalation

Risk Factors

The likelihood of privilege escalation increases after a device has been compromised earlier in the attack chain and when security controls for remote access services on the network are weak. Time and skills are required to exploit weaknesses in services that run over remote control protocols such as Secure Shell (SSH), Remote Desktop Protocol (RDP), or Windows Management Instrumentation (WMI). If an attacker achieves privilege escalation, they are close to acting on their ultimate objective, such as exfiltrating important data or compromising its integrity.

The system might change the risk score for this detection.

Kill Chain

Lateral Movement

Risk Score

65

Detection diagram

Attack Background

After a client or workstation with limited privileges is compromised by an attacker through malware or an exploit, the attacker can search for critical assets to compromise from inside the network. Because critical assets are likely protected with strict permissions to prevent unauthorized access, the attacker must find a way to escalate the privileges of the compromised device, which they now control.

An attacker can escalate the privileges of a device by exploiting a lack of security controls on remote access services. Evidence of privilege escalation can point to the lateral movement phase of a potentially large attack campaign.

Mitigation Options

Disable remote access services that are not required

Implement strong authentication methods for remote access services

Regularly apply software updates

Implement network segmentation and firewall policies to limit how devices can communicate and enforce security zones

Implement devices that manage access through a separate security zone, such as jump servers or bastion hosts, which limit the scope of remote access and provide strong authentication and auditing

Review access controls to ensure that only the necessary users can connect to remote access services

Review authentication methods and enforce policies for secure credential creation and multi-factor authentication
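The last three mitigations (limit how devices communicate, restrict who can connect, and enforce strong authentication) can be checked on an SSH server by auditing its sshd_config. The script below is an added example, not part of this page or of RevealX: it parses sshd_config text (two constructed samples are embedded, one with default-style weak settings and one hardened to accept only a jump host and an admin group) and reports the settings that leave a remote access service exposed. The policy values it expects are assumptions for the example; a site's own baseline may differ.

```python
"""Audit an sshd_config against the remote-access mitigations listed above.

Added example (not from the original page). Flags password-only logins,
direct root login, disabled key authentication, and the absence of any
AllowUsers/AllowGroups restriction.
"""
from typing import Dict, List

# Directive -> (expected value, finding text). Expected values are the
# example's assumed hardening baseline, not a vendor recommendation.
EXPECTATIONS = {
    "passwordauthentication": ("no", "password authentication allowed (prefer keys or MFA)"),
    "permitrootlogin": ("no", "direct root login allowed"),
    "pubkeyauthentication": ("yes", "public-key authentication disabled"),
}

# Values OpenSSH applies when a directive is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global directives as a lowercased-key dict.

    sshd uses the first occurrence of a directive, so later duplicates are
    ignored. Directives after a Match line only apply conditionally and
    are not part of the global audit here.
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        directives.setdefault(key, value)
    return directives


def audit_sshd_config(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means the
    configuration meets the example's baseline."""
    conf = parse_sshd_config(text)
    findings: List[str] = []
    for key, (expected, message) in EXPECTATIONS.items():
        actual = conf.get(key, DEFAULTS[key]).lower()
        if actual != expected:
            findings.append(f"{message} ({key}={actual})")
    # Without an allow list, every local account is a valid login target,
    # which widens the scope of any credential an attacker has obtained.
    if not any(k in conf for k in ("allowusers", "allowgroups")):
        findings.append(
            "no AllowUsers/AllowGroups restriction: any local account may attempt to log in"
        )
    return findings


# Constructed sample: an unmodified server that answers on every interface.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: keys only, no root, admins only, extra rules for the
# jump host address (10.0.0.5 is a placeholder, not a real host).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-admins
Match Address 10.0.0.5
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the same structure (parse the effective configuration, compare against a baseline, report deviations) applies to RDP and WMI exposure reviews, where the settings live in Group Policy and the host firewall rather than a text file.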

MITRE ATT&CK ID
