Cyber Monday Deal : Flat 30% OFF! + free self-paced courses  - SCHEDULE CALL

Top 20 Privilege Escalation Interview Questions and Answers

Introduction

Privilege escalation is a critical concept in cybersecurity, referring to the unauthorized elevation of user privileges within a system or network. It's vital because it represents a significant threat; attackers who successfully escalate privileges can gain access to sensitive data, manipulate systems, and cause substantial damage. For beginners in cybersecurity, discussing how to detect and prevent privilege escalation showcases awareness of proactive security measures, which can impress interviewers and highlight a candidate's capability to contribute to a company's cybersecurity efforts.

Q1: What Is Process Privilege Escalation?

A: This is when a hacker finds a way to gain more control over a computer system by boosting their access to resources and power. There are two common types: vertical, which means gaining more power within the same level of control, and horizontal, which means gaining more power by moving to a different level of control.

Q2: What Are The Two Types Of User Privileges?

A: In a database, there are two main kinds of privileges:

  • System privileges are about controlling what someone can do to the whole system.

  • Object privileges are about controlling what someone can do to specific things within the system.

Q3: What Is The Dirty Pipe Vulnerability For Privilege Escalation?

A: DirtyPipe is a problem in the Linux operating system that lets someone with access to the system write whatever they want to any file, even if they're not supposed to be able to. It's a way for them to sneakily gain more control over the system.

Q4: What Are Some Examples Of Malware That Uses DLL Injection?

A: It is important to remember that DLL injection is not only used for privilege escalation. Here are some examples of malware that use the DLL injection technique to either compromise a system or propagate to others:

  • Backdoor.Oldrea: injects itself in the explore.exe process

  • BlackEnergy: injects as a DLL into the svchost.exe process

  • Duqu: injects itself in many processes to avoid detection

Q5: How Do Hackers Use DLL Search Order Hijacking To Escalate Their Privileges And Compromise DLLs?

A: DLL search order hijacking is another technique used to compromise DLLs and allow attackers to escalate their privileges to progress with an attack. In this technique, attackers try to replace legitimate DLLs with malicious ones. Since the locations where programs store their DLLs can easily be identified, attackers may place malicious DLLs high up in the path traversed to find the legitimate DLL. 

Therefore, when Windows searches for a certain DLL in its normal location, it will find a DLL file with the same name but not the legitimate DLL. This type of attack often occurs in programs that store DLLs in remote locations, such as in web shares. The DLLs are, therefore, more exposed to attackers and no longer need physical access to a computer to compromise files on hard drives.

Q6: What Is The Correlation Between Metasploit And Access Token Manipulation?

A: Access token manipulation is highly used in Metasploit, a hacking and penetration testing tool. Metasploit has a Meterpreter payload that can perform token stealing and use the stolen tokens to run processes with escalated privileges. Metasploit also has a payload called The Cobalt Strike that also takes advantage of token stealing. 

The payload can steal and create its tokens, which have admin privileges. The bottom line in this type of privilege escalation method is that there is an observable trend where attackers take advantage of an otherwise legitimate system. It could be a form of defensive evasion on the side of an attacker.

Q7: What Is Dylib Hijacking?

A: Dylib hijacking is a method that is used against Apple computers. Computers with Apple's OS X use a similar search method to find dynamic libraries that should be loaded into programs. The search method is also based on paths, and, as was seen in DLL hijacking, attackers can take advantage of these paths for privilege escalation purposes. Attackers research to find out the dylibs that specific applications use, and they then place a malicious version with a similar name high up in the search path. 

Therefore, when the operating system searches for an application's dylib, it finds the malicious one first. If the targeted program runs with higher-level privileges than the computer user has, when it is started, it will auto-elevate the privileges. This instance will also create admin-level access to the malicious dylib

Q8: Is There Any Way For Black Hats To Bypass UAC?

A: There are ways that black hats have been discovered that can be used to bypass UAC. Many methods have been published on GitHub that can potentially be used against UAC. One of these is eventvwr.exe, which can be compromised since it is normally auto-elevated when it runs and can, therefore, be injected with specific binary codes or scripts. Another approach to defeating the UAC is simply by stealing admin credentials. 

The UAC mechanism is a single security system; therefore, the privileges of a process running on one computer remain unknown to lateral systems. Therefore, it is hard to nab attackers misusing the admin credentials to start processes with high-level privileges.

Q9: How Does Windows Keep Normal Users From Allowing A Program To Execute A Program With Admin Privileges?

A: Windows has a well-structured mechanism for controlling the privileges of all users in a network and on the local machine. It has a Windows User Account Control (UAC) feature that acts as a gate between normal and admin-level users. The Windows UAC feature gives permissions to the program, elevates their privileges, and allows them to run with admin-level privileges. 

Therefore, Windows always prompts users to permit programs that want to execute with this level of access. It is also notable that only admin users can allow programs to run with these privileges. Therefore, a normal user will be denied permission to allow a program to execute a program with admin privileges.

Q10: What Is The Launch Daemon Method In Privilege Escalation?

A: Launch daemon is another privilege escalation method applicable to Apple-based operating systems, especially OS X. When OS X boots up, launches are normally run-to-end system initialization. The process is responsible for loading the parameters for the daemons from the list files found in /Library/LaunchDaemons. The daemons have property list files that point to the executables to be auto-started. 

Attackers may take advantage of this auto-start process to perform privilege escalation. They may install their launch daemons and configure them to start during the bootup process using the launched process. The attackers' daemons may be given disguised names from a related OS or application. Launch daemons are created with admin privileges but executed with root privileges. 

Therefore, if the attackers are successful, they will have their daemons auto-started and their privileges escalated from admin to root. It can be noted that, again, attackers are relying on an otherwise legitimate process in order to perform privilege escalation

Q11: When Does Privilege Escalation Generally Occur?

A: Privilege escalation normally occurs deep into an attack. This means the attacker will have already done reconnaissance and successfully compromised a system, thereby gaining entry. After this, the attacker will have traversed the compromised system through lateral movement and identified all the systems and devices of interest. In this phase, the attacker wants a strong grip on the system. 

The attacker may have compromised a low-level account and will, therefore, be looking for an account with higher privileges to study the system further or prepare to give the final blow. Privilege escalation is not a simple phase, as it will sometimes require the attacker to use a combination of skills and tools to heighten the privileges. There are generally two classifications of privilege escalation: horizontal and vertical.

Q12: What Is Horizontal Privilege Escalation?

A: In horizontal privilege escalation, the attacker uses a normal account to access other users' accounts. It is a simple process since the attacker does not actively seek to upgrade the privileges of an account; they are granted to him. Therefore, no tools are used to upgrade the accounts in this type of privilege escalation. There are two main ways through which a horizontal privilege escalation can occur. 

The first one is through software bugs, whereby a normal user can view and access other users' files due to an error in the coding of a system. As can be seen, no tools have been used, yet an attacker can access files that should have otherwise been protected from the eyes of normal users.

Q13: How Does Access Token Manipulation Work?

A: Access token manipulation occurs when attackers cleverly copy access tokens from existing processes using built-in Windows API functions. They specifically target the processes that admin users start in a machine. When they paste an admin's access tokens to Windows as it starts a new process, it will execute the processes with admin privileges. 

Access token manipulation can also occur when hackers know an admin's credentials. These can be stolen in different attacks and used for access token manipulation. Windows has the option of running an application as an administrator. To do this, Windows will request a user enter admin login credentials to start a program/process with admin privileges.

Lastly, access token manipulation can also occur when an attacker uses stolen tokens to authenticate remote system processes, provided that the tokens stolen have the appropriate permissions on the remote system

Q14: How To Detect Privilege Escalation Attacks

A: Detecting unauthorized access and keeping your system safe relies on being able to spot when someone is trying to gain more control than they should. Here's how organizations can do that:

  • Check System Logs: Keep an eye on system logs regularly. Look for anything weird, like lots of failed login attempts or unusual commands being used.

  • Use Anomaly Detection Tools: These tools help you notice when things aren't normal on your network. For example, sudden changes in what different users can do might mean someone is trying to get more privileges.

  • Try User and Entity Behavior Analytics (UEBA): UEBA uses smart computer programs to learn how users usually behave. If someone starts acting strangely, it can send you a warning.

  • Monitor Passwords: If passwords are being changed without permission, it might mean someone is trying to keep their extra control over your system.

  • Use Intrusion Detection Systems (IDS). These systems look for known tricks that hackers use to gain more control, like certain types of computer bugs or sneaky ways to change databases. They can catch these things early before they cause big problems.

Q15: What Is Application shimming In Windows?

A: Application shimming is a Windows Application Compatibility framework that Windows created to allow programs to run on versions of the OS that they were not initially created to run on. Most applications that used to run on Windows XP can run on Windows 10 today due to this framework. The operation of the framework is quite simple: it creates a shim to buffer between a legacy program and the operating system. During the execution of programs, the shim cache is referenced to determine whether they will need to use the shim database. 

If so, the shim database will use an API to ensure that the program's codes are redirected effectively to communicate with the OS. Since shims are in direct communication with the OS, Windows decided to add a safety feature where they are designed to run in user mode.

Without admin privileges, the shims cannot modify the kernel. However, attackers have been able to create custom shims that can bypass user account control, inject DLLs into running processes, and meddle with memory addresses. These shims can enable attackers to run malicious programs with elevated privileges. They can also turn off security software, especially the Windows Defender.

Q16: What Are Some Accessibility Features Windows Offer?

A: Windows has several accessibility features that are supposed to help users interact better with the OS, and more attention is given to users who may have visual impairments. These features include the magnifier, screen keyboard, display switch, and narrator. These features are conveniently placed on the Windows login screen to support the user from the instant he/she logs in. 

However, attackers can manipulate these features to create a backdoor to log into the system without authentication. It is quite an easy process and can be executed in minutes. An attacker must have compromised a Windows computer using a Linux LiveCD. This tool will allow the attacker to boot the computer with a temporary Linux Desktop OS. Once in the machine, the Windows OS drive will be visible and editable. 

All these accessibility features are stored as executables in the System32 folder. Therefore, a hacker will go and delete one or more of these and replace them with a command prompt or a backdoor. Once the replacement is done and the hacker has logged out, everything will seem normal when the Windows OS is started. 

However, an attacker will have a walk-around to bypass the login prompt. When the OS displays the password prompt, the attacker can simply click on any accessibility features and launch the command prompt

Q17: What Is A DLL Injection Method In Privilege Escalation?

A: DLL injection is another privilege escalation method that attackers are using. It also involves compromising legitimate processes and services of the Windows operating system. DLL injection is used to run malicious code in the context of a legitimate process. By using the context of a process recognized to be legitimate; an attacker gains several advantages, especially the ability to access the process's memory and permissions. 

The legitimate processes also mask the attacker's actions. A rather sophisticated DLL injection technique called reflective DLL injection was discovered recently. It is more effective since it loads the malicious code without making the usual Windows API calls and bypasses DLL load monitoring. It uses a clever process of loading a malicious library from the memory onto a running process. 

Instead of following the normal DLL injection process of loading a malicious DLL code from a path, a process that not only creates an external dependency and degrades the stealth of an attack, reflective DLL injection sources its malicious code in the form of raw data. It is more difficult to detect, even on machines adequately protected by security software. 

Attackers have used DLL injection attacks to modify the Windows Registry, create threads, and do DLL loading. These actions require admin privileges, but attackers sneak their way into doing them without such privileges.

Q18: What Is Vertical Privilege Escalation?

A: The other type of privilege escalation is vertical privilege escalation. It consists of more demanding privilege escalation techniques and includes hacking tools. It is complex but not impossible since an attacker is forced to perform admin- or kernel-level operations to illegally elevate access rights. Vertical rights escalation is more difficult but more rewarding since the attacker can acquire system rights. 

A system user has more rights than an administrator and can do more damage. The attacker also has a higher chance of staying and performing actions on a network system while remaining undetected. With superuser access rights, an attacker can perform actions that the administrator cannot stop or interfere with. Vertical escalation techniques differ from system to system. 

In Windows, a common practice is to cause a buffer overflow to achieve vertical privilege escalation. This has already been witnessed in a tool called EternalBlue, which is alleged to be one of the hacking tools in the possession of the NSA. The tool has, however, been made public by a hacking group called the Shadow Brokers.

Q19: How Do Attackers Avoid Alerts During Privilege Escalation?

A: Just like in the preceding phases, it is in the interests of the hacker to avoid raising any alarms that the victim's system has been compromised. Detection, especially at this phase, would be costly, as it would mean that all the efforts an attacker had made would have been for nothing. Therefore, before the attacker performs this phase, it is normal to disable security systems if possible. The methods of privilege escalation are also quite sophisticated. Most of the time, the attacker must create files with malicious instructions rather than use a tool to execute malicious actions against the system.

Most systems are coded only to allow privileges to legitimate services and processes. Therefore, attackers will try to compromise these services and processes to gain the benefit of executing with heightened privileges. It is challenging for hackers to use brute force to get admin privileges, so they often opt to use the path of least resistance. If it means creating files identical to the ones a system recognizes as legitimate, they will do so.

Another way to avoid alerts is to use legitimate tools to perform the attack. The use of PowerShell as a hacking tool is growing because of its power and because many systems will not raise alerts since this is a valid, built-in OS tool.

Q20: How Can One Perform Privilege Escalation?

A: Privilege escalation can be done in several ways, depending on the hacker's skill level and the intended outcome of the privilege escalation process. In Windows, administrator access should be rare, and normal users should not have administrative access to systems. However, sometimes it becomes necessary to give remote users admin access to enable them to troubleshoot and solve some issues. When giving remote users admin access, admins should be cautious enough to ensure that this type of access is not used for privilege escalation. There are risks when normal employees in an organization maintain admin access. They open a network to multiple attack vectors.

To begin with, malicious users can also use this access level to extract password hashes that can later be used to recover the actual passwords or be used directly in remote attacks through pass-the-hash. Another threat is that they can use their systems for packet capturing. They can also install software that might turn out to be malicious. Lastly, they can interfere with the registry. Therefore, it is assumed that it is bad for users to be given admin access.

Since admin access is a closely guarded privilege, attackers will mostly have to fight their way into getting access using various tools and techniques. Apple computers have a somewhat more reliable operating system when it comes to security. However, attackers have discovered several ways to perform privilege escalation in OS X.

Cyber Security Training & Certification

  • Personalized Free Consultation
  • Access to Our Learning Management System
  • Access to Our Course Curriculum
  • Be a Part of Our Free Demo Class

Conclusion

JanBask Training offers cybersecurity courses that cover everything from the basics to advanced techniques like dealing with privilege escalation. These courses can give beginners a solid foundation in cybersecurity and help them stand out in interviews by showing they're ready to tackle security threats head-on.

Trending Courses

Cyber Security

  • Introduction to cybersecurity
  • Cryptography and Secure Communication 
  • Cloud Computing Architectural Framework
  • Security Architectures and Models

Upcoming Class

4 days 14 Dec 2024

QA

  • Introduction and Software Testing
  • Software Test Life Cycle
  • Automation Testing and API Testing
  • Selenium framework development using Testing

Upcoming Class

10 days 20 Dec 2024

Salesforce

  • Salesforce Configuration Introduction
  • Security & Automation Process
  • Sales & Service Cloud
  • Apex Programming, SOQL & SOSL

Upcoming Class

4 days 14 Dec 2024

Business Analyst

  • BA & Stakeholders Overview
  • BPMN, Requirement Elicitation
  • BA Tools & Design Documents
  • Enterprise Analysis, Agile & Scrum

Upcoming Class

4 days 14 Dec 2024

MS SQL Server

  • Introduction & Database Query
  • Programming, Indexes & System Functions
  • SSIS Package Development Procedures
  • SSRS Report Design

Upcoming Class

3 days 13 Dec 2024

Data Science

  • Data Science Introduction
  • Hadoop and Spark Overview
  • Python & Intro to R Programming
  • Machine Learning

Upcoming Class

4 days 14 Dec 2024

DevOps

  • Intro to DevOps
  • GIT and Maven
  • Jenkins & Ansible
  • Docker and Cloud Computing

Upcoming Class

7 days 17 Dec 2024

Hadoop

  • Architecture, HDFS & MapReduce
  • Unix Shell & Apache Pig Installation
  • HIVE Installation & User-Defined Functions
  • SQOOP & Hbase Installation

Upcoming Class

10 days 20 Dec 2024

Python

  • Features of Python
  • Python Editors and IDEs
  • Data types and Variables
  • Python File Operation

Upcoming Class

11 days 21 Dec 2024

Artificial Intelligence

  • Components of AI
  • Categories of Machine Learning
  • Recurrent Neural Networks
  • Recurrent Neural Networks

Upcoming Class

4 days 14 Dec 2024

Machine Learning

  • Introduction to Machine Learning & Python
  • Machine Learning: Supervised Learning
  • Machine Learning: Unsupervised Learning

Upcoming Class

17 days 27 Dec 2024

Tableau

  • Introduction to Tableau Desktop
  • Data Transformation Methods
  • Configuring tableau server
  • Integration with R & Hadoop

Upcoming Class

10 days 20 Dec 2024