Horizontal vs. Vertical Privilege Escalation

There are two types of privilege escalation:

• Horizontal privilege escalation—an attacker expands their privileges by taking over another account and misusing the legitimate privileges granted to the other user. To learn more about horizontal privilege escalation see our guide on lateral movement .
• Vertical privilege escalation—an attacker attempts to gain more permissions or access with an existing account they have compromised. For example, an attacker takes over a regular user account on a network and attempts to gain administrative permissions or root access. This requires more sophistication and may take the shape of an Advanced Persistent Threat .

Common ways attackers can gain access to credentials:

• Password exposure – in many cases passwords are available in open site, because employees share them with others, reuse them, or store them in plaintext on their machines.
• Password guessing – attackers can use publicly available information about the account owner to make educated guesses about their password. If attackers guess one password, they can often gain access to multiple resources due to password reuse.
• Shoulder surfing – attackers can observe the actions of privileged individuals, either in person, via unauthorized access to cameras, or through keyloggers on their devices, and thus gain access to passwords.
• Dictionary attacks – the use of lists of common words to automatically combine possible passwords and try to access an account. Attackers can customize the dictionary according to known password length and requirements. Password complexity policies and limiting the number of password retries are effective against these attacks.
• Rainbow table attacks – a rainbow table assumes the attacker knows the algorithm used to hash passwords, and converts these hashes into original passwords. These attacks need some seed information to succeed.
• Brute force password attacks – attackers typically use these as a last resort. They are only effective against shorter passwords with limited complexity, and where there are no limits on the number of password retries.
• Password spraying – this is the opposite of a brute force attack: an automated attempt to gain access to a large number of accounts using a few very common passwords.
• Pass-the-Hash (PtH) – this involves using the NT Lan Manager hash of a password instead of the original plaintext password. The hash can be scraped from active memory or obtained by other techniques that exploit weaknesses in the authentication protocol.
• Security questions – many password mechanisms rely on security questions in case the user forgets their password. These are questions about the user’s life, many of which are easy to obtain from social media or individuals who know the user, or from the dark web (many security question databases were exposed in previous breaches).
• Credential stuffing – attackers use a list of usernames or email addresses and passwords they obtained from previous breaches or the dark web, and try it against accounts in a target system. Because individuals commonly reuse passwords, this technique has high success rates.
• Password changes and resets – attackers can easily compromise password reset mechanisms. Whenever a password is reset, there is an implicit risk in the process of transmission and storage of the new password. Attackers can gain access to a password legitimately reset by a user, or request password reset themselves after compromising a device.