WP Call: +91 8088734237
Email: info@sherlockedsecurity.com
Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Red Teaming & Adversary Simulation

Privilege Escalation Testing

  • May 8, 2025

Sherlocked Security – Privilege Escalation Testing

Uncover Opportunities for Attackers to Escalate Privileges in Your Network


1. Statement of Work (SOW)

Service Name: Privilege Escalation Testing
Client Type: Enterprises, Government, Financial Institutions, Healthcare
Service Model: Manual Testing of Escalation Vectors for Gaining Unauthorized Privileges
Compliance Coverage: NIST 800-53, SOC 2, ISO 27001, PCI DSS, HIPAA

Testing Types:

  • Active Directory Privilege Escalation
  • Windows/Linux Privilege Escalation
  • Application-Based Privilege Escalation
  • Escalating from Low-Level to Admin Privileges
  • Exploiting Vulnerabilities for Privilege Escalation
  • Privilege Escalation Using Sudo, Sudo Caching, and Escalation Scripts
  • Privilege Escalation with Kerberos and Token Impersonation

2. Our Approach

[Pre-engagement] → [Privilege Escalation Vector Identification] → [Exploit Privilege Escalation Pathways] → [Test for Vulnerabilities in OS and Applications] → [Analyze Active Directory Misconfigurations] → [Simulate Lateral Movement with Elevated Privileges] → [Detection & Response Evaluation] → [Reporting & Remediation Planning] → [Retesting & Validation]


3. Methodology

[Kickoff & Scope Agreement] → [Privilege Escalation Path Mapping] → [Targeted Testing for Privilege Escalation in OS, Apps, and AD] → [Manual Exploitation of Privilege Escalation Vectors] → [Analysis & Reporting of Findings] → [Remediation Recommendations & Retesting]


4. Deliverables to the Client

  1. Privilege Escalation Report: A comprehensive report outlining all privilege escalation vectors found.
  2. Exploit PoCs: Proof-of-Concept for all successful privilege escalation exploits.
  3. Active Directory Findings: Detailed analysis of any Active Directory misconfigurations leading to privilege escalation.
  4. Operating System Vulnerabilities: A report on any OS vulnerabilities used to escalate privileges.
  5. Application Security Findings: Privilege escalation risks discovered within application configurations.
  6. Detection & Response Insights: Evaluation of detection mechanisms for privilege escalation attempts.
  7. Remediation Recommendations: Actionable steps to close privilege escalation pathways.
  8. Retesting & Validation: Post-fix retesting to ensure issues are addressed.

5. What We Need from You (Client Requirements)

  • Access to internal systems and relevant accounts (low-privilege and admin).
  • A list of high-value assets or systems you want us to focus on.
  • Collaboration with IT security staff to configure test environments.
  • Access to Active Directory (if applicable) or details on internal user roles and permissions.
  • Access to critical systems or apps to identify vulnerabilities or misconfigurations.
  • Permission to simulate privilege escalation on production or staging systems (as applicable).
  • Information on existing security measures in place, such as endpoint security tools, logging, and monitoring solutions.

6. Tools & Technology Stack

  • Custom Tools / Scripts for privilege escalation testing in different environments.
  • Mimikatz for credential dumping and pass-the-hash attacks.
  • BloodHound for Active Directory enumeration and privilege escalation.
  • PowerSploit for Windows-based privilege escalation techniques.
  • PowerShell Empire for remote PowerShell-based privilege escalation.
  • Metasploit Framework for privilege escalation exploits.
  • LinPEAS for Linux-based privilege escalation enumeration.
  • Sudo and sudo-caching abuse checks (sudoers review, cached-credential reuse, shell-escape binaries) for escalating privileges on Unix-based systems.
  • Cobalt Strike for advanced post-exploitation and lateral movement with elevated privileges.
  • Impacket for SMB and Kerberos authentication abuse (pass-the-hash, pass-the-ticket, Kerberoasting) and remote execution with escalated credentials.

7. Engagement Lifecycle

1. Discovery Call → 2. Scope Definition & Testing Setup → 3. Privilege Escalation Testing → 4. Vulnerability and Misconfiguration Identification → 5. Exploit Testing & Lateral Movement → 6. Draft Report Delivery → 7. Final Report & Remediation Steps → 8. Retesting & Certification


8. Why Sherlocked Security?

Feature | Sherlocked Advantage
Manual Testing of Privilege Escalation | Hands-on testing for privilege escalation in Windows, Linux, and applications
Active Directory Misconfiguration Detection | Identify AD misconfigurations that can lead to privilege escalation
In-depth OS & Application Testing | Detailed exploration of OS and application-level privilege escalation techniques
Tailored Remediation Guidance | Actionable, precise guidance to mitigate identified risks and harden systems
Free Retesting | Post-fix retesting to ensure vulnerabilities are remediated
Custom Scripts & Tools | Tailored scripts and tools to uncover privilege escalation pathways

9. Real-World Case Studies

Privilege Escalation in a Healthcare Organization

Client: Regional Healthcare Network
Scenario: Privilege escalation vulnerabilities were identified in a legacy healthcare management system.
Findings: Misconfigured ACLs and poor password policies allowed low-level users to escalate to admin privileges.
Fix: Access control policies were corrected, password policies enforced, and user access reviewed to prevent further escalations.

Active Directory Privilege Escalation in a Financial Institution

Client: Investment Bank
Scenario: Attackers were able to escalate privileges using weak Active Directory permissions and group misconfigurations.
Findings: The AD environment had several over-permissioned user groups allowing unauthorized escalation.
Fix: AD roles and group policies were redefined, unnecessary permissions were revoked, and tighter monitoring was implemented.


10. SOP – Standard Operating Procedure

  1. Discovery call and scoping discussion
  2. Identify and map privilege escalation pathways
  3. Perform manual testing and exploit privilege escalation vectors
  4. Verify escalation results with controlled exploitation techniques
  5. Document all findings and provide PoCs for successful privilege escalation
  6. Develop remediation recommendations for fixing identified privilege escalation risks
  7. Conduct retesting post-fix to verify effectiveness of remediations
  8. Provide final report with remediation and best practices

11. Privilege Escalation Testing Checklist

1. Privilege Escalation via Active Directory

  • Enumerate Active Directory Users and Groups:

    • Enumerate domain accounts and their group memberships (T1087.002).
    • Enumerate domain groups and identify over-permissioned or deeply nested groups (T1069.002).
    • Identify users holding unnecessary administrative rights, including local admin rights on many hosts and ACL rights (GenericAll, GenericWrite, WriteDacl, WriteOwner) over privileged users, groups or computers.
  • Privilege Escalation via Kerberos:

    • Test whether Kerberos tickets and keys can be extracted from compromised hosts and used to forge Golden Tickets (krbtgt key) or Silver Tickets (service account key) (T1558.001, T1558.002).
    • Test for Kerberoastable service accounts with weak passwords (T1558.003) and for accounts without Kerberos pre-authentication that enable AS-REP roasting (T1558.004).
    • Test whether stolen tickets can be reused before they expire (pass-the-ticket) and whether the krbtgt password has been rotated twice since any prior compromise.
  • Active Directory Trusts and Delegation:

    • Enumerate domain and forest trusts and test for trust misconfigurations (e.g., missing SID filtering) that allow escalation across domains (T1482).
    • Exploit delegation misconfigurations: unconstrained delegation (which exposes the TGT of every account that authenticates to the host), and constrained or resource-based constrained delegation that lets a controlled account impersonate privileged users against services.
  • Group Policy and Active Directory Misconfigurations:

    • Identify Group Policy Objects whose edit rights are granted to non-admin principals and that apply to privileged users or tier-0 computers (T1484.001).
    • Check GPO-deployed scripts, scheduled tasks and SYSVOL content for files writable by low-privileged users and for stored credentials.
  • Examine Privileged Group Memberships:

    • Enumerate privileged group memberships (Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Backup Operators, DnsAdmins) and validate whether every member is justified.
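Privilege escalation path mapping in AD is a graph problem: each ACL right or group membership is an edge, and the tester looks for the shortest chain of abusable edges from a low-privileged principal to a tier-0 group. The following is an added example (not code from this page or from BloodHound) that runs a breadth-first search over a small constructed set of relationships; the principal names, edge set and the choice of which relationship types count as abusable are assumptions for illustration.

```python
from collections import deque

# Constructed sample of AD relationships for illustration; not data from a real
# domain. Each tuple means "src has relationship rel over dst". Relationship
# names follow the BloodHound edge vocabulary.
SAMPLE_EDGES = [
    ("jdoe", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "svc-backup"),
    ("svc-backup", "MemberOf", "Backup Operators"),
    ("Backup Operators", "WriteDacl", "Domain Admins"),
    ("asmith", "MemberOf", "Finance"),
    ("Finance", "ReadGMSAPassword", "gmsa-sql"),
    ("gmsa-sql", "MemberOf", "SQL Admins"),
    ("bob", "MemberOf", "Domain Users"),
]

# Edges an attacker can abuse to take control of the destination object
# (assumed set). MemberOf is included because a member inherits the group's rights.
ABUSABLE_EDGES = {
    "MemberOf", "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns",
    "ForceChangePassword", "AddMember", "ReadGMSAPassword", "AllExtendedRights",
}


def build_graph(edges):
    """Adjacency list containing only the edges that can be abused."""
    graph = {}
    for src, rel, dst in edges:
        if rel in ABUSABLE_EDGES:
            graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns the hop list [(src, rel, dst), ...] or None."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def escalation_paths(edges, principals, target="Domain Admins"):
    """Map each starting principal to its shortest abusable path to the target."""
    graph = build_graph(edges)
    return {p: shortest_path(graph, p, target) for p in principals}


def format_path(path):
    """Render a hop list as 'a -[rel]-> b -[rel]-> c'."""
    if path is None:
        return "no path"
    if not path:
        return "start is the target"
    text = path[0][0]
    for _, rel, dst in path:
        text += f" -[{rel}]-> {dst}"
    return text


if __name__ == "__main__":
    for user, path in escalation_paths(SAMPLE_EDGES, ["jdoe", "asmith", "bob"]).items():
        print(f"{user}: {format_path(path)}")
```

With the sample data, jdoe reaches Domain Admins in four hops (Helpdesk has GenericAll over svc-backup, which sits in Backup Operators, which holds WriteDacl on Domain Admins), while asmith and bob have no path. In a real engagement the edge list comes from BloodHound's SharpHound collection; the point of the search is that none of the four hops looks dangerous on its own, which is why each one survived an access review.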

2. Privilege Escalation via Operating System Vulnerabilities (Windows)

  • Credential Dumping:

    • Use Mimikatz to dump password hashes and, where WDigest caching is still enabled, clear-text credentials from LSASS memory (T1003.001).
    • Dump password hashes from the Security Account Manager (SAM) hive (T1003.002).
    • Extract Kerberos tickets from memory for reuse in pass-the-ticket attacks (T1558).
  • Misconfigured File and Directory Permissions:

    • Identify system or application executables whose files or parent directories are writable by low-privileged users and that are executed by a privileged account (T1574).
    • Identify file ACLs that grant low-privileged users read or write access to sensitive files (configuration files, stored credentials, scripts run by administrators).
    • Exploit writable files or directories on the search path of a privileged process to escalate privileges (T1574.007, T1574.008).
  • Service and Scheduled Task Misconfigurations:

    • Check for services whose binary or configuration can be modified by non-admin users: writable service executables (T1574.010), writable service registry keys (T1574.011), and service objects that grant SERVICE_CHANGE_CONFIG to low-privileged users (T1543.003).
    • Test for unquoted service paths containing spaces, where Windows tries each space-delimited prefix as an executable before reaching the real binary (T1574.009); the flaw is exploitable only if one of those prefix locations is writable and the service runs with higher privileges.
    • Check for scheduled tasks that run as SYSTEM or an administrator but execute a script or binary that low-privileged users can modify (T1053.005).
  • DLL Hijacking and Execution:

    • Test for DLL search-order hijacking in system and third-party applications, including missing DLLs that are searched for in writable directories (T1574.001).
    • Exploit DLL loading weaknesses in programs or services that run with administrative privileges; a hijack only escalates if the loading process runs at a higher integrity level than the user who can write the DLL.
  • Exploiting Kernel Vulnerabilities:

    • Test for unpatched Windows kernel and third-party driver vulnerabilities that allow local privilege escalation (T1068), comparing the build number and installed updates against known LPE advisories. MS17-010, often cited here, is an SMB remote code execution flaw and belongs to the lateral movement phase rather than local escalation.
    • Check for local privilege escalation (LPE) vulnerabilities in kernel components and installed third-party drivers.
  • WMI and COM Object Hijacking:

    • Test for WMI permanent event subscriptions that execute attacker-controlled scripts as SYSTEM, and for WMI namespace permissions that let non-admin users create them (T1546.003).
    • Exploit COM object hijacking, where a per-user registry key under HKCU\Software\Classes\CLSID overrides a CLSID later loaded by a privileged or auto-elevated process (T1546.015).
  • Bypassing UAC (User Account Control):

    • Test for UAC bypasses that let a member of the local Administrators group run code with the full high-integrity token without a consent prompt (T1548.002). UAC is not a security boundary for standard users, so a bypass gains nothing from a non-admin account.
    • Check the configured UAC level (ConsentPromptBehaviorAdmin) and test the known bypass classes: auto-elevating binaries, DLL hijacking of auto-elevated executables, and COM interface abuse.
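The unquoted service path check above is mechanical once the ImagePath values and the directory ACLs are known, so it is worth scripting. The following is an added example (not code from this page) that reproduces the CreateProcess search behaviour for an unquoted path and keeps only the candidates whose directory a standard user can write to. The service definitions and the writable-directory set are constructed for illustration; on a real host the ImagePath values come from HKLM\SYSTEM\CurrentControlSet\Services (or Get-CimInstance Win32_Service) and the writable-directory set from icacls or Get-Acl output.

```python
# Constructed sample service definitions (ImagePath values as they would appear
# under HKLM\SYSTEM\CurrentControlSet\Services); not data from a real host.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" -run',
    "VendorSvc": r"C:\Tools\Vendor App\bin\svc.exe",
    "CoreSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "BackupAgent": r"C:\Program Files\Backup Agent\agent.exe /service",
}

# Constructed ACL summary: directories a standard user can write to. In a real
# test this is derived from icacls / Get-Acl output.
SAMPLE_WRITABLE_DIRS = {r"C:\Tools", r"C:\Tools\Vendor App"}


def hijack_candidates(image_path):
    """Executables Windows would try, in order, before the real binary of an
    unquoted ImagePath that contains spaces (CreateProcess search behaviour).
    Returns [] for quoted paths and for paths whose executable part has no spaces."""
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    # Arguments after the executable name do not create extra candidates.
    end = path.lower().find(".exe")
    exe_part = path[: end + 4] if end != -1 else path
    tokens = exe_part.split(" ")
    # Every space-delimited prefix is tried with ".exe" appended, e.g.
    # C:\Tools\Vendor App\bin\svc.exe -> C:\Tools\Vendor.exe
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def parent_dir(path):
    return path.rsplit("\\", 1)[0]


def find_exploitable(services, writable_dirs):
    """Map service name -> hijack paths whose directory a low-privileged user can
    write to. Only those candidates are actually exploitable; the others are noise."""
    normalized = {d.rstrip("\\").lower() for d in writable_dirs}
    result = {}
    for name, image_path in services.items():
        hits = [c for c in hijack_candidates(image_path)
                if parent_dir(c).lower() in normalized]
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    for svc, paths in find_exploitable(SAMPLE_SERVICES, SAMPLE_WRITABLE_DIRS).items():
        print(f"{svc}: plant a binary at {paths[0]} and restart the service")
```

In the sample, BackupAgent is unquoted but its prefix locations (C:\ and C:\Program Files) are not writable, so it is reported as noise, whereas VendorSvc can be hijacked through C:\Tools\Vendor.exe. Two further checks decide whether the finding is an escalation: the service must run as LocalSystem or another privileged account, and the tester needs either SERVICE_START/STOP rights on it or a reboot window, since the planted binary only runs when the service starts.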

3. Privilege Escalation via Linux/Unix Systems

  • Sudo and Sudo Caching Misconfigurations:

    • Review /etc/sudoers and /etc/sudoers.d for entries that allow normal users to run commands as root, especially NOPASSWD rules and binaries with shell escapes (editors, pagers, interpreters, find, tar) (T1548.003).
    • Test sudo credential caching: with tty_tickets disabled or a long timestamp_timeout, any process in the user's session can reuse a cached sudo authentication (T1548.003).
    • Test for overly broad sudoers entries (e.g., user ALL=(ALL) NOPASSWD: ALL) and for wildcard (*) command arguments, which sudo matches across spaces and therefore permit argument injection.
    • Check the installed sudo version against known privilege escalation flaws (e.g., CVE-2017-1000367).
  • Setuid and Setgid Binary Exploitation:

    • Enumerate setuid and setgid binaries (find / -perm -4000 -o -perm -2000 -type f 2>/dev/null) and compare the list against the distribution's expected set (T1548.001).
    • Test non-standard or custom setuid binaries for exploitable behaviour: shell escapes, relative path lookups, unsafe environment handling, and writable configuration or libraries they load.
  • Misconfigured File Permissions:

    • Check for writable system files such as /etc/passwd, /etc/shadow, /etc/sudoers and /etc/ld.so.preload that allow a user to add a root account or inject code into privileged processes.
    • Test for world-writable directories on the search path of privileged scripts or cron jobs, where attackers can place malicious files.
  • Exploiting Kernel Vulnerabilities:

    • Test for unpatched Linux kernel vulnerabilities that allow local privilege escalation (T1068), comparing uname -r and the distribution patch level against known LPE advisories.
    • Check the hardening state that shapes exploitability: kernel.randomize_va_space (ASLR), kernel.kptr_restrict, kernel.dmesg_restrict, and whether unprivileged user namespaces are enabled. An unprivileged user cannot turn these off, but weak settings make public exploits far more reliable.
  • Abusing Crontab and Sudoers File:

    • Exploit cron jobs that run as root but execute scripts or binaries writable by lower-privileged users (T1053.003).
    • Check for writable crontab files or cron directories (/etc/crontab, /etc/cron.d, /etc/cron.*) and for root cron jobs that use wildcards or relative paths (T1053.003).
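A sudoers review is the first thing a tester does on a Linux host, and the rules that matter (ALL commands, NOPASSWD, shell-escape binaries, wildcard arguments, weak caching defaults) are easy to miss by eye in a long file. The following is an added example (not code from this page or from the sudo project) that audits a constructed sudoers sample for those patterns; the sample content and the shell-escape binary list are assumptions, and the parser handles the common user-specification form only, not aliases or include directives.

```python
import re

# Binaries that can spawn a shell or write arbitrary files when run via sudo
# (a short constructed subset of the GTFOBins-style list, not exhaustive).
SHELL_ESCAPE_BINARIES = {
    "sh", "bash", "dash", "zsh", "env", "vi", "vim", "nano", "less", "more",
    "find", "awk", "perl", "python", "python3", "tar", "zip", "cp", "tee",
}

# Constructed sample sudoers content; not taken from a real host.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults timestamp_timeout=60
Defaults !tty_tickets
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/tar -czf /backups/*.tgz /var/www
webops  ALL=(root) /usr/bin/systemctl restart nginx
alice   ALL=(root) /usr/bin/vim /etc/hosts   # temporary, added for a migration
"""

# user_or_group  host=(runas) [NOPASSWD:] command[, command...]
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")


def audit_defaults(line):
    """Flag Defaults settings that widen sudo credential caching."""
    findings = []
    if re.search(r"!\s*tty_tickets", line):
        findings.append(("Defaults", "tty_tickets disabled: a cached sudo credential is usable from any terminal in the session"))
    m = re.search(r"timestamp_timeout\s*=\s*(-?\d+)", line)
    if m and (int(m.group(1)) < 0 or int(m.group(1)) > 15):
        findings.append(("Defaults", f"timestamp_timeout={m.group(1)}: long or unlimited sudo credential cache"))
    return findings


def audit_sudoers(text):
    """Return (principal, issue) pairs for the entries a tester would try first."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("Defaults"):
            findings.extend(audit_defaults(line))
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        who, _host, _runas, cmdspec = m.groups()
        if who == "root":
            continue
        nopasswd = "NOPASSWD:" in cmdspec
        cmds = cmdspec.replace("NOPASSWD:", "").replace("PASSWD:", "")
        for cmd in (c.strip() for c in cmds.split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((who, "unrestricted root" + (" without a password" if nopasswd else "")))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append((who, f"{binary} allows a shell escape or arbitrary file write as root"))
            if "*" in cmd:
                findings.append((who, f"wildcard in '{cmd}': sudo matches '*' across spaces, so extra arguments can be injected"))
    return findings


if __name__ == "__main__":
    for who, issue in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {issue}")
```

The backup entry shows why two of the checks overlap on purpose: tar is a shell-escape binary in its own right, and the wildcard in the archive name additionally lets the caller smuggle in options such as --checkpoint-action, since sudo's * matches any string including spaces. The webops entry, which pins a full command line with no wildcard and no interpreter, produces no finding. Run this against the output of sudo -l as well as the raw files, because the effective rules are what an attacker sees.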

4. Privilege Escalation via Application Misconfigurations

  • Web Application Misconfigurations:

    • Identify missing or client-side-only authorization checks that let non-admin users reach admin functions by requesting them directly (vertical privilege escalation).
    • Test session management and role handling for escalation through manipulated session tokens, role claims or cookies.
    • Exploit insecure file upload functionality that allows uploading server-side scripts which then execute with the web server's privileges.
  • Database Privilege Escalation:

    • Test whether the application's database account holds more privileges than it needs, so that SQL injection yields file access, command execution or higher database roles instead of data from one table.
    • Exploit misconfigured database roles and grant options that let a low-privileged database user assign itself higher privileges.
  • Misconfigured API Security:

    • Identify API endpoints that expose administrative operations or data without enforcing the caller's role.
    • Exploit broken authentication and object-level or function-level authorization failures in APIs for privilege escalation.

5. Post-Exploitation Privilege Escalation Techniques

  • Pass-the-Hash and Pass-the-Ticket:

    • Use pass-the-hash to authenticate as a higher-privileged account with its NTLM hash rather than its password (T1550.002).
    • Use pass-the-ticket with stolen Kerberos TGTs or service tickets (TGS) to access resources as the ticket owner in Active Directory environments (T1550.003).
  • Impersonation and Token Hijacking:

    • Use token impersonation or theft to move from a normal user context to an elevated one, for example abusing SeImpersonatePrivilege on a service account to obtain a SYSTEM token (T1134.001).
    • Exploit token duplication to spawn new processes under the stolen token (T1134.002).
  • Persistence via Scheduled Tasks/Services:

    • Create accounts or add existing ones to privileged groups to maintain access after escalation (T1136, T1098), recording every such change for cleanup at the end of the engagement.
    • Modify system services or scheduled tasks to execute elevated code persistently (T1543, T1053).
  • Lateral Movement with Elevated Privileges:

    • Simulate lateral movement across internal systems using escalated privileges (e.g., over SMB, WinRM or RDP).
    • Test whether elevated privileges grant access to other internal systems, servers or applications that lack compensating controls.

6. Detection and Remediation

  • Detection of Privilege Escalation Attempts:

    • Evaluate whether the SIEM and EDR/IDS rules fire on the escalation techniques exercised above, and measure time-to-alert for each.
    • Check whether privileged group membership changes (Windows Event IDs 4728, 4732, 4756), special privileges assigned to a new logon (4672) for accounts that do not normally receive them, and new service installations (4697) trigger alerts.
    • Review Security, Sysmon and PowerShell logs (process creation 4688 / Sysmon Event ID 1, script block logging 4104) for evidence of enumeration and credential dumping; on Linux, review auditd and sudo logs for the equivalent activity.
  • Remediation of Privilege Escalation Risks:

    • Enforce least-privilege access control across OS and application environments, and remove standing local admin rights where a just-in-time model can replace them.
    • Correct file, service and registry ACLs and sudoers rules so that low-privileged users cannot modify anything executed by a privileged account.
    • Disable unnecessary admin accounts and review all privileged group memberships regularly.
    • Patch kernels, drivers and privileged applications to close vulnerabilities exploitable for local escalation.
    • Implement multi-factor authentication (MFA) for critical systems and privileged access to limit what a stolen credential or hash is worth.
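The detection evaluation step is easiest to reason about with the rules written down. The following is an added example (not code from this page or from any SIEM product) that applies a handful of privilege escalation rules to a constructed batch of flattened Windows Security and PowerShell events and then correlates hits per subject, since one admin action is routine but several different rule hits from the same account in a short window is what an escalation chain looks like. The event records, the allowlist of accounts expected to receive special privileges, and the marker strings are assumptions for illustration.

```python
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Accounts expected to receive special privileges (4672); assumed allowlist.
EXPECTED_PRIVILEGED_ACCOUNTS = {"CORP\\adm-jdoe", "NT AUTHORITY\\SYSTEM"}
RECON_BINARIES = {"whoami.exe", "net.exe", "net1.exe", "systeminfo.exe"}
CREDENTIAL_DUMP_MARKERS = ("sekurlsa", "invoke-mimikatz", "lsadump", "invoke-tokenmanipulation")

# Constructed sample events (EventData flattened to one dict per record);
# not collected from a real host.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jdoe", "LogonType": 2},
    {"EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /priv"},
    {"EventID": 4732, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "TargetUserName": "Administrators", "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=local"},
    {"EventID": 4672, "SubjectDomainName": "CORP", "SubjectUserName": "adm-jdoe"},
    {"EventID": 4672, "SubjectDomainName": "CORP", "SubjectUserName": "svc-backup"},
    {"EventID": 4697, "SubjectDomainName": "CORP", "SubjectUserName": "svc-backup",
     "ServiceName": "updsvc", "ServiceFileName": r"C:\Users\Public\u.exe"},
    {"EventID": 4104, "ScriptBlockText": "Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'"},
]


def subject(event):
    """DOMAIN\\user of the account that performed the action."""
    return f'{event.get("SubjectDomainName", "")}\\{event.get("SubjectUserName", "")}'


def detect(events):
    """Apply per-event rules; returns (rule, subject, detail) tuples."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        who = subject(e)
        if eid in (4728, 4732, 4756) and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            # For these IDs TargetUserName is the group; MemberName is the new member.
            alerts.append(("privileged-group-add", who, f'{e["MemberName"]} added to {e["TargetUserName"]}'))
        elif eid == 4672 and who not in EXPECTED_PRIVILEGED_ACCOUNTS:
            alerts.append(("unexpected-special-privileges", who, "special privileges assigned to new logon"))
        elif eid == 4697 and who not in EXPECTED_PRIVILEGED_ACCOUNTS:
            alerts.append(("service-install", who, e["ServiceFileName"]))
        elif eid == 4688 and e["NewProcessName"].rsplit("\\", 1)[-1].lower() in RECON_BINARIES:
            alerts.append(("local-recon", who, e["CommandLine"]))
        elif eid == 4104 and any(mk in e["ScriptBlockText"].lower() for mk in CREDENTIAL_DUMP_MARKERS):
            alerts.append(("credential-dumping-script", "powershell", e["ScriptBlockText"][:60]))
    return alerts


def escalation_chains(alerts, min_rules=2):
    """Group alerts by subject; a subject that trips several different rules is a
    likely escalation chain rather than a one-off administrative action."""
    by_subject = defaultdict(list)
    for rule, who, detail in alerts:
        by_subject[who].append((rule, detail))
    return {who: hits for who, hits in by_subject.items()
            if len({rule for rule, _ in hits}) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, who, detail in hits:
        print(f"[{rule}] {who}: {detail}")
    for who, chain in escalation_chains(hits).items():
        print(f"chain: {who} -> {[rule for rule, _ in chain]}")
```

Two of the rules depend on audit settings that are off by default: 4688 only carries CommandLine when "Include command line in process creation events" is enabled, and 4104 requires PowerShell script block logging. Part of the detection evaluation is confirming those settings, because a rule that never receives its input is indistinguishable from a quiet network.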

Sherlocked – Defend, Detect, Defeat

Add: Indialand Global Techpark Hinjewadi Phase 1 Pune, india 411057
© 2025 Sherlocked. All rights reserved.