
How to defend yourself from a privilege escalation attack

John Sears

Mar 17, 2020

Would you give $100 to a stranger? It would be generous, but it’s unlikely. What if your best friend asked you for the money? This time, you’re more likely to agree. We treat people based on what we know about them.

Your device tries to do the same. The first job of an OS is to distinguish between guests, regular users, and administrators. And then it has to either grant or deny access. System security depends on the OS doing this job well. Sadly, the world is full of strangers pretending to be our friends and guest users acting as admins. In cybersecurity, this is called a privilege escalation attack.

What is privilege escalation?

In a privilege escalation attack, a hacker gains access to data by posing as someone else. There are two main types of these attacks: horizontal and vertical privilege escalation.

In horizontal privilege escalation, a hacker takes over someone’s account. In such situations, the hacker is snooping without trying to gain higher-level access.

Vertical privilege escalation is all about going up the access stairs. A hacker who needs root access may enter the network as a guest user and work their way up.

How does privilege escalation happen?

Every OS has certain features that ordinary users can't use unless they have administrator privileges. It's a simple precaution. But while most users aren’t aware of such features, hackers know them well. They know that certain tricks fool the OS into granting access when it shouldn't.

The exact techniques differ from system to system, but the principles of Windows privilege escalation are the same as on macOS, Linux, or any other system. Before acting, a hacker will find out as much as possible about the target network. Then it’s only a matter of finding a weak spot based on publicly known vulnerabilities. Sometimes it’s a device, other times it’s a person.

Here are the most common privilege escalation attack types.

Access token manipulation

An access token is used to identify the user and their access level. But there are ways to get around it. Using someone else's username and password is a basic form of access token manipulation. It can also mean stealing the token itself and injecting it to trick the OS.

Social engineering

Social engineering is pretending to be someone you're not. "Catch Me If You Can" (2002) is all about it. Frank Abagnale fools everyone into believing he's a pilot, a bank teller, and a teacher. In the same way, hackers pretend to be janitors, tech support, and plumbers. In most cases, no one ever suspects a thing.

Process injection

There are hundreds of background processes running on every OS. If one has a vulnerability, a hacker can use it to inject their own code and take over the system.

How can you protect yourself from privilege escalation?

As you can see, privilege escalation can take very different forms. It could be as innocent as your child using your pattern lock to watch YouTube cartoons. And it could be as complex as hackers reading your messages to find out more about your system. Detecting a privilege escalation attack is difficult. If the OS thinks the administrator logged in, there's no need to raise the alarm.
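Detection is hard, but not hopeless: the OS may be satisfied that "the administrator" logged in, yet the trail of how an account reached that level is still written to the logs. As an added example that is not part of the original article, the Python script below scans constructed Linux auth-log style lines for three escalation indicators: a sudo invocation by an account not on an approved list, an account being added to an admin group, and an `su` to root by an unapproved account. The approved-user set and admin-group names are assumptions about one particular environment, and the sample log lines are constructed for illustration.

```python
"""Flag privilege-escalation indicators in Linux auth-log style lines.

Added example, not code from the original article. The log lines are
constructed; the allow-lists are assumptions about what one environment
considers normal.
"""
import re
from dataclasses import dataclass

# Assumed policy: only these accounts are expected to use sudo or su to root.
APPROVED_SUDO_USERS = {"alice", "ops"}
# Assumed set of groups that confer administrator rights.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}

# Constructed sample lines in the style of /var/log/auth.log (syslog format).
SAMPLE_LOG = """\
Mar 17 10:01:02 host sshd[2001]: Accepted password for guest from 10.0.0.5 port 51234 ssh2
Mar 17 10:01:09 host sudo:    guest : TTY=pts/0 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/bash
Mar 17 10:02:15 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 17 10:03:40 host usermod[2050]: add 'guest' to group 'sudo'
Mar 17 10:04:01 host su: (to root) guest on pts/0
"""

# Patterns for the three indicators (constructed to match the sample format).
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
GROUP_ADD_RE = re.compile(r"(usermod|gpasswd)\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
SU_RE = re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on")


@dataclass
class Finding:
    line_no: int
    rule: str
    user: str
    detail: str


def scan_auth_log(text: str) -> list[Finding]:
    """Return one Finding per log line that matches an escalation indicator."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SUDO_RE.search(line)
        if m and m["user"] not in APPROVED_SUDO_USERS:
            findings.append(Finding(n, "sudo-by-unapproved-user", m["user"], m["cmd"].strip()))
            continue
        m = GROUP_ADD_RE.search(line)
        if m and m["group"] in ADMIN_GROUPS:
            findings.append(Finding(n, "admin-group-membership-added", m["user"], m["group"]))
            continue
        m = SU_RE.search(line)
        if m and m["target"] == "root" and m["user"] not in APPROVED_SUDO_USERS:
            findings.append(Finding(n, "su-to-root-by-unapproved-user", m["user"], m["target"]))
    return findings


if __name__ == "__main__":
    for f in scan_auth_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} user={f.user} ({f.detail})")
```

On the sample above the scan reports the `guest` account three times (sudo to a root shell, addition to the `sudo` group, and `su` to root) while leaving `alice`'s approved `apt update` alone. In practice the allow-lists would come from your own account inventory, and the findings would feed an alerting pipeline rather than a print loop.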

But there are a few things you could be doing to make sure you stay protected.

Keep your systems and anti-virus updated

Hackers often go for the easiest catch, which is often an unpatched software or hardware vulnerability. Software updates plug the holes that hackers may use to get into the network.

Encrypt your files

No system is 100% safe. But if someone gets through the window, it doesn't mean they should immediately get the key to your safe. Using a strong password for NordLocker makes privilege escalation against you nearly impossible.

Users should have minimal access

If you have several users on your network, make sure they only get access to what they absolutely must. Anything above that weakens your system.

Stay off public networks

There are too many ways to exploit public Wi-Fi networks to list them all. If you can, don’t use public networks at all. If you can’t avoid them, at least turn off automatic connection to Wi-Fi networks on all of your devices.

Use strong passwords

Hackers buy password databases because they know we like to reuse passwords. Never use the same password twice. Instead, use a password manager that creates and fills in complex passwords for you. That way, every password is strong and unique.

Remove ex-employees from the network user list

It seems like an obvious one, but time and time again, company networks are infiltrated using old user credentials. If an employee exits the organization, their access should be revoked immediately.
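The two points above (minimal access, and revoking access the moment someone leaves) come down to the same recurring task: an access review that reconciles who has an account, and with what rights, against who should. As an added example that is not part of the original article, the Python script below runs that reconciliation over a constructed account inventory, a current-staff roster and an approved-admins list. The group names, the `svc-` service-account prefix, the rule names and every account in the sample are assumptions made for illustration.

```python
"""Access review: departed users' accounts and unapproved administrators.

Added example, not code from the original article. The roster, account
inventory and approved-admin list are constructed sample data.
"""
from dataclasses import dataclass, field

# Assumed set of groups that confer administrator rights.
ADMIN_GROUPS = {"sudo", "wheel", "Administrators"}
# Assumed naming convention: accounts with this prefix are not people.
SERVICE_ACCOUNT_PREFIX = "svc-"


@dataclass
class Account:
    username: str
    groups: set[str] = field(default_factory=set)
    enabled: bool = True


# Constructed data: who currently works here, and who may hold admin rights.
CURRENT_STAFF = {"alice", "bob", "carol"}
APPROVED_ADMINS = {"alice"}

# Constructed account inventory, as an HR/IT reconciliation would export it.
ACCOUNTS = [
    Account("alice", {"staff", "sudo"}),
    Account("bob", {"staff"}),
    Account("carol", {"staff", "wheel"}),          # admin rights never approved
    Account("dave", {"staff", "sudo"}),            # left the company, still enabled
    Account("erin", {"staff"}, enabled=False),     # left, disabled but not removed
    Account("svc-backup", {"backup"}),             # service account, not a person
]


def review_accounts(accounts, staff, approved_admins):
    """Return {rule: sorted usernames} for every rule at least one account violates.

    Rules:
      departed-still-enabled        - a person not on the roster can still log in
      departed-disabled-not-removed - a departed person's account still exists
      unapproved-admin              - an enabled account holds admin group membership
                                      without being on the approved list
    """
    findings = {
        "departed-still-enabled": [],
        "departed-disabled-not-removed": [],
        "unapproved-admin": [],
    }
    for acct in accounts:
        is_person = not acct.username.startswith(SERVICE_ACCOUNT_PREFIX)
        departed = is_person and acct.username not in staff
        if departed and acct.enabled:
            findings["departed-still-enabled"].append(acct.username)
        elif departed:
            findings["departed-disabled-not-removed"].append(acct.username)
        if acct.enabled and (acct.groups & ADMIN_GROUPS) and acct.username not in approved_admins:
            findings["unapproved-admin"].append(acct.username)
    return {rule: sorted(users) for rule, users in findings.items() if users}


if __name__ == "__main__":
    for rule, users in review_accounts(ACCOUNTS, CURRENT_STAFF, APPROVED_ADMINS).items():
        print(f"{rule}: {', '.join(users)}")
```

Run against the sample, the review flags `dave` twice (a departed user who is still enabled and still an admin), `carol` as an unapproved admin, and `erin` as a departed account that was disabled but never removed. Disabling an account is the quick first step; the review keeps nagging until the account is actually gone, which is what stops old credentials from resurfacing later.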

If you’re connected to a network, your security is only as strong as the network itself. Make sure to perform regular security checks to plug any leaks and always keep your files under NordLocker encryption. Even if someone weasels their way into your network, they won’t get to your data.

John Sears

John believes that the best things in life are simple. He uses the same approach when he’s writing about online security. John says that his #1 pet peeve is phishing scams. Ironically, his favorite non-work related activity is fishing.