Privilege escalation is when an attacker exploits weaknesses in your environment or infrastructure to gain higher access and control within a system or network.
Most organizations take multiple measures to tighten security, including defining different privilege levels for different user accounts. For example, you wouldn’t give ordinary users access to your most confidential, business-critical files. These security measures frustrate attackers who access your system through lower-privileged user accounts—so they try to gain more privileges in order to achieve malicious goals such as exfiltrating or encrypting your data.
There are two primary types of privilege escalation, both with the goal of gaining expanded access: horizontal and vertical. Let’s take a closer look.
Horizontal privilege escalation
Horizontal privilege escalation is when an attacker expands their access by compromising another user's account and leveraging that user’s existing permissions (“account takeover”). Each new account broadens the attacker’s sphere of access within the organization—sometimes known as lateral movement—as they seek out valuable assets (like data or account information), but it does not necessarily let them perform more actions.
Goal: Access other user accounts, which may have a greater privilege level and access to sensitive information
Complexity: Usually fairly simple
Vertical privilege escalation
With vertical privilege escalation, an attacker exploits vulnerabilities within a compromised account to elevate their own privileges (e.g., gaining administrator access). This always involves moving from a lower access level to a higher, more privileged access level.
Goal: Increasing the privileges of a single compromised account
Complexity: Requires more sophisticated techniques
Vertical privilege escalation may be used by advanced persistent threat (APT) groups that have more time and resources to invest in attacking an organization. When discussing privilege escalation, generally vertical privilege escalation is the type we’re talking about.
Principle of Least Privilege (POLP)
The principle of least privilege (PoLP) is a cybersecurity concept in which users, processes, and devices are granted the minimum access and permissions necessary to perform their tasks
Read more
Why is privilege escalation a major cloud cybersecurity threat?
If an attacker manages to escalate privileges, it could have very serious repercussions for the organization, its employees, and its customers and end users.
The attacker may gain access to connected systems, expanding their reach to accomplish a variety of goals, like
Using elevated privileges to deploy additional malware undetected,
Manipulating settings and permissions to enable further harm,
Gaining access to restricted applications and sensitive data, or
Impersonating trusted senders to send unauthorized messages with malware or shady links.
In a worst-case scenario, attackers can seize complete control of systems or networks.
Attackers are growing smarter and more sophisticated. Today, they will often attempt to cover their tracks to evade detection as long as possible through strategies like masking their source IP address, deleting logs based on the credentials they are using, and attempting to modify any other potential indicators of compromise (IoC).
These strategies give attackers more time to perform lateral movement, discovering other valuable assets they can later target within the organization’s environment.
Introducing Azure Least Privilege: Enforce least privilege access for Azure environments
Wiz extends its CIEM capabilities to enable least privilege access for Azure environments.
Read more
The top 5 vectors for privilege escalation
Most bad actors use one or more of the following techniques to begin a privilege escalation attack, and they are often used in combination.
| Top vectors | Techniques |
|---|---|
| 1. Social engineering | - Phishing attacks: Sending deceptive messages to manipulate individuals into disclosing confidential information - Impersonation: Posing as a trusted individual or organization (such as your CEO or payment provider) to manipulate individuals into disclosing sensitive information or performing actions that will compromise business systems |
| 2. Credential exploitation | - Brute-force attacks: Attempting a large number of various login credential combinations in an effort to crack weak passwords - Credential phishing: Tricking users into revealing sensitive login information |
| 3. Vulnerabilities and exploits | - Zero-day exploits: Targeting unknown software vulnerabilities before they are patchedBuffer overflow attacks: - Overloading a program's buffer to execute malicious code and gain unauthorized access |
| 4. Misconfigurations | - Insecure permissions: Exploiting improperly configured access controls to gain unauthorized privileges - Unprotected sensitive files: Exploiting misconfigured file permissions to access and manipulate critical system files |
| 5. Malware | - Standard malware: Worms, spyware, trojans, keyloggers, and ransomware - Fileless malware: Uses tools already present on the system to evade detection - Privilege escalation malware: Malicious software designed to elevate its own permissions for broader system access - Rootkits: Conceals malicious activities by replacing or modifying essential system files to avoid detection |
| Other common vectors | - Supply chain attacks: Compromising third-party vendors or software to gain access and potentially escalate privileges - Insider threats: Abusing authorizations to escalate access level and compromise systems - Man-in-the-middle attacks: Intercepting network traffic to steal credentials or inject malicious code |
Timeline of a typical privilege escalation attack
In a typical privilege escalation attack, an attacker…
1. Gains initial access to an organization’s network through the vectors described above.
2. Explores the network for exploitable systems and users in one or more of the following ways:
Using automated tools to scan for open ports, vulnerable services, and user accounts
Analyzing network traffic to identify potential weaknesses and connected systems
Exploiting misconfigured network shares or weak passwords to access additional systems (horizontal escalation / lateral movement)
Using social engineering tactics to trick users into revealing sensitive information or granting access
3. Gains low-level user privileges on a vulnerable system.
4. Exploits those privileges, then escalates to higher-level access through one or more of the following ways:
Scanning for misconfigurations or unpatched vulnerabilities in software or firmware
Leveraging tools or scripts designed to exploit known vulnerabilities
Moving laterally across the network, searching for other vulnerable systems or accounts with higher privileges
Using local social engineering e.g., impersonating IT personnel with an “urgent software update”
5. Establishes persistence and expands their control within the network.
6. Achieves one or more of their original objectives (e.g., data theft, disruption, ransom).
After initial access, attackers may not make their next move right away. Often, they simply wait for the right opportunity to continue their mission (this time spent waiting to act is known as “dwell time”). When the goal is extracting ransom payments from the organization, attackers are using new methods as well, often involving a triple threat: The first step is sending a ransom note to the primary organization demanding payment for access to data.
This may be followed by a secondary threat to leak confidential data if another ransom is not paid. Finally, the third threat involves threatening to compromise the primary organization’s systems (e.g., a DDoS attack) or, more commonly, threatening third parties such as customers, employees, or end users that their confidential data will be leaked if they do not pay an additional ransom.
This puts ransomware among the most feared cyber threats—and privilege escalation is a critical step for attackers to disseminate ransomware within your network, allowing them to move laterally, disable defenses, exfiltrate data, and encrypt sensitive data. But even without the threat of ransom, there’s a lot to worry about, including data loss impacting your business, regulatory fines, and reputation loss.
OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers
Wiz Research recently found 4 critical vulnerabilities in OMI, which is one of Azure's most ubiquitous yet least known software agents and is deployed on a large portion of Linux VMs in Azure.
Read more
Real-world examples of privilege escalation
Privilege escalation is a feature of many of today’s most severe vulnerabilities, such as CVE-2023-2640 and CVE-2023-32629, also known as GameOver(lay), which allows the kernel to be tricked into escalating privileges to root with a simple executable file.
This vulnerability affected up to 40% of Ubuntu users—with Ubuntu being the core of a massive number of today’s online services (10% of known websites and 16% of the top 1,000,000 sites, according to w3techs). Fortunately, it was discovered and reported by Wiz Research, allowing Ubuntu to release a patch within a month.
But not all privilege escalation vulnerabilities are discovered in time. For example, CVE-2023-23397, a vulnerability in Microsoft Outlook, was one of the most commonly exploited vulnerabilities of 2023.
Critical Vulnerabilities in Ivanti Exploited in-the-Wild: everything you need to know
Detect and mitigate CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893, critical vulnerabilities in Ivanti VPN products. Organizations should patch urgently, and government agencies are instructed to isolate Ivanti VPN instances.
Read more
Your 6 best defenses against privilege escalation
Take advantage of these five defense techniques to keep yourself safe:
1. Enable MFA authentication
While it’s not foolproof, multi-factor authentication (MFA)—requiring that users identify themselves through other means; not just with a password—significantly strengthens account security and is strongly recommended by CISA, Google, and Microsoft as part of your overall cloud infrastructure security program.
To minimize privilege escalation risks, enforce MFA organization-wide, especially for privileged accounts. Additionally, implement access controls that restrict sensitive data to fully authenticated users. This comprehensive approach enhances account security and reduces the potential for malicious actors to exploit vulnerabilities and gain unauthorized access.
2. Simplify vulnerability prioritization and management
Streamline your security efforts and prioritize vulnerabilities effectively using risk-based management. This approach analyzes vulnerabilities alongside factors like external exposure and access rights, highlighting the most critical threats. By focusing on these high-risk issues first, you can significantly reduce alert fatigue, optimize resource allocation, and maintain robust security in complex cloud environments.
3. Automate patch management
Patches fix vulnerabilities that attackers can exploit to gain higher access levels, but there are often so many patches that it’s hard to know where to begin. Prioritize patching systems containing sensitive data or known exploited vulnerabilities, regardless of their internal or external location. Even if attackers bypass specific products, unpatched vulnerabilities within your environment remain exploitable.
4. Implement behavior-based analysis
When you can identify potential attacks and intervene quickly to stop them, you minimize the risk of attackers exploiting vulnerabilities and gaining unauthorized privileges. Threat detection through continuous workload monitoring, combined with cloud events, is vital to prevent privilege escalation. Use a combination of real-time techniques, including both anomaly detection and behavioral analysis, to identify suspicious activities within your cloud environment.
5. Simplify vulnerability prioritization and management
Streamline your security efforts and prioritize vulnerabilities effectively using risk-based management. This approach analyzes vulnerabilities alongside factors like external exposure and access rights, highlighting the most critical threats. By focusing on these high-risk issues first, you can significantly reduce alert fatigue, optimize resource allocation, and maintain robust security in complex cloud environments.
6. Adopt a zero-trust, least-privilege approach
A zero-trust and least-privilege approach can help you proactively minimize risks and protect critical assets. The principle of least privilege grants users and accounts only the minimum access necessary and removes unused accounts to reduce potential attack surfaces. Zero trust continuously verifies every access attempt, regardless of whether it originates within or outside your network. This approach ensures only authorized users on approved devices can access the specific resources they need.
CNAPP vs CSPM
Learn where CNAPP and CSPM overlap, where they differ, and which one is right for your organization.
Read more
CNAPP: Your best defense against privilege escalation
Wiz is a cloud security platform that proactively identifies and remediates vulnerabilities and misconfigurations that could be exploited for privilege escalation, empowering organizations to stay ahead of attackers and secure their cloud environments. Wiz also supports full reactive security measures with cloud detection and response (CDR).
As an integrated cloud native application protection platform (CNAPP) platform, Wiz brings together every security solution you might need behind a single pane of glass. Count on Wiz for
Deep insights: Wiz uncovers hidden connections in your cloud in real time, highlighting the most critical security risks.
Hassle-free rollout: Wiz is agentless, with no software to install, so it’s easy to roll out across any size of organization—from small businesses to large enterprises.
Seamless integrations: Wiz gives you the smoothest possible workflow, with easy connections to your existing security and collaboration tools.
Prioritized threats: Wiz identifies "toxic combinations" based on real impact, not just industry-standard CVEs that might not be relevant for your business.
Wiz’s interface is easy and intuitive, making it simpler to find and fix issues. It provides you with clear guidance on how to remediate the most urgent issues, cutting through alert fatigue while giving you real-time threat detection. And AI-powered features like the Wiz Security Graph and the Wiz inventory give you enhanced visibility and meaning.
Get a demo now to see how simple it is to boost your entire security posture with Wiz.
Learn what makes Wiz the platform to enable your cloud security operation
