
Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 5

June 10, 2016

In this blog series I am covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an example attack for each control and explaining how the control could have prevented the attack from succeeding. Please read the previous posts covering:


CSC 5: Controlled Use of Administrative Privileges

The Control

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

The Attack

Some vulnerabilities are caused by prioritizing functionality over security. It is not uncommon for organizations to grant end users administrative privileges on their machines so that IT does not need to get involved every time someone wants to install a piece of software. It is extremely common to see administrative privileges granted so that people can install tools such as WebEx or other conferencing software.

In the attack below, I will demonstrate how the improper assignment of administrative privileges can result in a user obtaining administrative privileges when they should not have them anywhere. This privilege escalation attack is very common to find within organizations.

I have configured a system in the same way that I commonly see conference room computers configured. Because several users need to access the system, often in conjunction with conferencing software, it is common to find that the Domain Users Active Directory group has been added to the local Administrators group.

CSC 5.1: A conference room computer with Domain Users as an administrator

For all intents and purposes, this may seem like a benign problem, because some organizations don’t see much risk in low-value systems such as conference room computers where no sensitive data is held. However, if an attacker is able to obtain domain credentials, whether through phishing, password guessing, or temporary credentials given to a vendor, the following screenshot shows how easy it is to scan for systems on which those credentials grant administrative access.

CSC 5.2: Scanning for administrator privileges

Once a system is found where the username and password have administrative privileges, it is easy to gain full access to it. Once the system has been compromised, an attacker could install key logging software to capture the credentials of anyone else who uses this shared machine, or extract the password hashes of the local accounts, which are likely to be reused throughout the organization. This would give the attacker the ability to move laterally to other machines and systems, where they may be able to escalate privileges further or obtain sensitive data.

CSC 5.3: Attacking a machine remotely with known credentials

The Solution

Again, this control starts with developing a policy. The policy should define which users need administrator access and for what purposes it will be granted. It is not uncommon for organizations to give all users local administrator access to the machines they use on a regular basis; however, this does not follow the principle of least privilege. Organizations should only grant privileges to the users who require them in order to perform their daily duties.

Minimizing the number of accounts with administrator privileges is a great first step, but it is by no means conclusive. Automated auditing tools should be configured to monitor these accounts for two things. First, all administrator account usage should be logged and retained. This provides accountability for actions and also assists in forensic investigations where privileged accounts were compromised. Second, whenever a privileged account is modified, such as a password change, user creation or deletion, or activation or deactivation, the change should be reported in real time to the organization’s administrators so they can determine whether the action was legitimate.
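As an added example (not code from the original post or from Optiv), the following Python script shows the second kind of monitoring described above: it classifies Windows Security events related to privileged accounts and flags the exact misconfiguration from the attack section, a broad group such as Domain Users being added to the local Administrators group. The log format, the sample lines and the severity mapping are constructed for this example; only the event IDs are the documented Windows values.

```python
import re
from collections import namedtuple

# Windows Security event IDs (documented Microsoft values) that CSC 5 says should be
# logged or reported in real time; which ones to page out on is this example's choice.
WATCHED = {
    4672: "privileged logon (administrator account usage)",
    4720: "user account created",
    4724: "password reset by an administrator",
    4726: "user account deleted",
    4732: "member added to a local group",
    4733: "member removed from a local group",
}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Backup Operators"}
BROAD_GROUPS = {"Domain Users", "Everyone", "Authenticated Users"}  # never belong in admin groups

# Constructed sample: one event per line with the relevant fields already extracted.
SAMPLE_LOG = """\
4624 Subject=CORP\\alice Target=CORP\\alice Group=-
4672 Subject=CORP\\itadmin Target=- Group=-
4732 Subject=CORP\\itadmin Target=CORP\\Domain Users Group=Administrators
4720 Subject=CORP\\itadmin Target=CONF-ROOM-01\\webex_svc Group=-
4724 Subject=CORP\\itadmin Target=CONF-ROOM-01\\Administrator Group=-
4732 Subject=CORP\\itadmin Target=CORP\\bob Group=Users
"""
LINE_RE = re.compile(r"^(\d+) Subject=(\S+) Target=(.+?) Group=(.+)$")

# severity: "info" = log for accountability, "high" = report now, "critical" = misconfiguration
Alert = namedtuple("Alert", "event_id severity subject target group reason")


def classify(line):
    """Return an Alert for a watched event, or None for unwatched or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m or int(m.group(1)) not in WATCHED:
        return None
    event_id, subject, target, group = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    reason, severity = WATCHED[event_id], "high"
    if event_id == 4672:
        severity = "info"  # usage is recorded, not paged out
    elif event_id in (4732, 4733):
        member = target.split("\\")[-1]  # strip the DOMAIN\ prefix
        if group not in PRIVILEGED_GROUPS:
            severity = "info"
        elif event_id == 4732 and member in BROAD_GROUPS:
            severity, reason = "critical", f"broad group '{member}' added to {group}"
    return Alert(event_id, severity, subject, target, group, reason)


def scan(log_text):
    """Classify every line and return only the events worth reporting."""
    return [a for a in map(classify, log_text.splitlines()) if a is not None]
```

Running `scan(SAMPLE_LOG)` yields five alerts; the Domain Users addition comes back as critical, the account creation and password reset as high, and the logon and the ordinary group change as info.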

It’s also important to ensure that any devices connected to the network, and any software installed on systems, have had their built-in default administrator passwords changed. It is very common to find devices and software within an organization that were configured during initial setup and never revisited. Depending on the type of device or application, this can give an attacker a strong foothold into a system or network.

The next post will cover CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs.


By: Joshua Platz

Senior Consultant
