TL;DR
This guide shows how attackers try to take control of both admin and standard user accounts on a single PC. It covers techniques like password cracking, keyloggers, privilege escalation, and using compromised standard accounts to gain higher access.
Understanding the Threat
Attackers often target PCs with multiple accounts because compromising one account can lead to others. Admin accounts have full control, while standard user accounts provide a foothold for further attacks.
Attacking Standard User Accounts
- Password Cracking: Attackers use tools to guess or crack passwords.
  - Offline Brute-Force: If they get hold of the password database (e.g., using a disk imaging tool), they can try every possible combination.
  - Dictionary Attacks: They use lists of common passwords and variations.
  - Rainbow Tables: Precomputed tables speed up cracking.
- Keyloggers: These record keystrokes, capturing usernames and passwords.
  - Software Keyloggers: Installed via malicious downloads or phishing emails.
  - Hardware Keyloggers: Physical devices connected between the keyboard and PC.
- Phishing: Tricking users into revealing their passwords on fake login pages.
- Malware: Viruses, Trojans, and other malware can steal credentials or provide remote access.
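As an added example (not code from the original guide), the PowerShell below shows how a defender notices the online password guessing described above from the Windows Security log: repeated failed logons (event ID 4625) against one account inside a short window. The events it analyses are constructed sample records so the script runs offline; Get-RecentFailedLogons is the equivalent query against the live log and needs an elevated prompt. The function names, the 5-failures-in-10-minutes threshold and the sample account names are assumptions chosen for this example.

```powershell
# Added example: detect repeated failed logons against one local account.
# The threshold and the sample events below are constructed for the example,
# not taken from the original guide or from any real machine.

function Get-RecentFailedLogons {
    # Query the live Security log (requires an elevated session).
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625                      # "An account failed to log on"
        StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            TargetUser  = $_.Properties[5].Value    # TargetUserName
            LogonType   = $_.Properties[10].Value   # 2 = console, 3 = network, 10 = RDP
            Workstation = $_.Properties[13].Value   # WorkstationName
        }
    }
}

function Find-PasswordGuessing {
    # Flag any account with $Threshold or more failures inside $WindowMinutes.
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with Time, TargetUser, Workstation
        [int]$Threshold = 5,
        [int]$WindowMinutes = 10
    )
    foreach ($group in ($Events | Group-Object TargetUser)) {
        $sorted = @($group.Group | Sort-Object Time)
        $hit = $false
        # Slide a window of $Threshold consecutive failures over the sorted times.
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            $span = $sorted[$i + $Threshold - 1].Time - $sorted[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) { $hit = $true; break }
        }
        if ($hit) {
            [pscustomobject]@{
                TargetUser = $group.Name
                Failures   = $sorted.Count
                Sources    = (@($sorted.Workstation | Sort-Object -Unique) -join ', ')
            }
        }
    }
}

# Constructed sample: eight failures against 'alice' in eight minutes (alert),
# one mistyped password for 'bob' (no alert).
$base = [datetime]'2024-01-01T09:00:00'
$sample = @(
    foreach ($m in 0..7) {
        [pscustomobject]@{ Time = $base.AddMinutes($m); TargetUser = 'alice'; LogonType = 2; Workstation = 'DESKTOP-01' }
    }
    [pscustomobject]@{ Time = $base.AddMinutes(3); TargetUser = 'bob'; LogonType = 2; Workstation = 'DESKTOP-01' }
)
Find-PasswordGuessing -Events $sample | Format-Table -AutoSize

# Against a real machine (elevated prompt):
# Find-PasswordGuessing -Events (Get-RecentFailedLogons -Hours 24)
```

The LogonType column tells you whether the guesses came from the console (2) or over the network (3); an account that is being guessed from the network is the case an account lockout policy (see Mitigation) is meant to stop.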
Attacking Admin Accounts
Admin accounts are the primary target. Attackers use several methods:
- Direct Password Attacks: Similar to standard user attacks, but with higher stakes.
- Pass-the-Hash: If they steal a password hash (from memory or disk), they can use it to authenticate as the admin without knowing the actual password. This often requires local access.
  runas /user:administrator cmd
  This starts Command Prompt as the administrator account, prompting for that account's password.
- Token Impersonation: Attackers can steal an admin’s access token and use it to execute commands with elevated privileges.
Privilege Escalation
This is when an attacker gains admin rights from a standard user account. Common techniques include:
- Exploiting Vulnerabilities: Finding and using flaws in the operating system or installed software.
- Misconfigured Permissions: Incorrectly set file or registry permissions can allow access to sensitive resources.
  - Check for files/folders with ‘Everyone’ having write access.
- Unquoted Service Paths: Services running with admin privileges from paths containing spaces are vulnerable if the path isn’t properly quoted.
- Scheduled Tasks: Exploiting tasks that run with elevated privileges.
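The checks below are an added example (not code from the original guide) that audits a Windows machine for two of the misconfigurations just listed: unquoted service paths and folders that 'Everyone' or the Users groups can write to. Test-UnquotedServicePath is a pure function exercised on constructed ImagePath strings, so its logic can be read without a live system; the other two functions read live configuration, change nothing, and need an elevated prompt. All function names are assumptions made for this example.

```powershell
# Added example: local hardening audit for unquoted service paths and
# world-writable folders. Read-only; nothing is modified.

function Test-UnquotedServicePath {
    # True when the executable part of a service path contains a space and
    # the path is not wrapped in quotes (arguments after .exe are ignored).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName) -or $PathName.StartsWith('"')) { return $false }
    $exe = if ($PathName -match '^(.+?\.exe)') { $Matches[1] } else { $PathName }
    return $exe.Contains(' ')
}

function Get-UnquotedServicePaths {
    # Every installed service whose path fails the test, with the account it runs as.
    Get-CimInstance Win32_Service |
        Where-Object { Test-UnquotedServicePath $_.PathName } |
        Select-Object Name, StartName, PathName
}

function Get-EveryoneWritableFolders {
    # Folders one level below each root where a broad group has write rights.
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\"))
    $broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $writeBits   = [int][System.Security.AccessControl.FileSystemRights]::Write
    foreach ($root in ($Roots | Where-Object { $_ })) {
        Get-ChildItem -Path $root -Directory -Depth 1 -ErrorAction SilentlyContinue | ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $ace.IdentityReference.Value -in $broadGroups -and
                    (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
                    [pscustomobject]@{ Path = $_.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
                }
            }
        }
    }
}

# Constructed ImagePath values (not from any real system) to show the decision:
Test-UnquotedServicePath 'C:\Program Files\Example Vendor\agent.exe -service'    # True: needs quoting
Test-UnquotedServicePath '"C:\Program Files\Example Vendor\agent.exe" -service'  # False: already quoted
Test-UnquotedServicePath 'C:\Windows\system32\svchost.exe -k netsvcs'           # False: no spaces in path

# Against the live machine (elevated prompt):
# Get-UnquotedServicePaths | Format-Table -AutoSize
# Get-EveryoneWritableFolders | Format-Table -AutoSize
```

A finding from the first check is fixed by quoting the path in the service's ImagePath (sc config or the vendor's installer); a finding from the second is fixed by removing the write permission for the broad group, and both are worth re-running after software installs, since installers are the usual source of these mistakes.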
Using Compromised Standard Accounts
Even a standard user account can be valuable:
- Lateral Movement: Using the compromised account to access other systems on the network.
- Data Theft: Stealing sensitive information accessible by the user.
- Installing Malware: Deploying malware that can spread to other accounts or systems.
- Reconnaissance: Gathering information about the system and network.
Mitigation
- Strong Passwords: Use long, complex passwords for all accounts.
- Multi-Factor Authentication (MFA): Add an extra layer of security beyond just a password.
- Least Privilege: Grant users only the permissions they need to perform their tasks.
- Regular Updates: Keep your operating system and software up to date with the latest security patches.
- Antivirus/Anti-Malware Software: Use reputable software and keep it updated.
- Firewall: Enable a firewall to block unauthorized access.
- User Education: Train users to recognize phishing attempts and other social engineering attacks.
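As an added example (not from the original guide), the PowerShell below turns three of the mitigations above into checks a defender can run: who is in the local Administrators group (Least Privilege), whether the built-in Administrator account is still enabled, and whether an account lockout threshold and a minimum password length are set (Strong Passwords against guessing). Test-AccountPolicy is exercised on a constructed policy table; the other functions read the live machine and need an elevated prompt. The labels follow the English output of net accounts and differ on localized systems; the function names and the 14-character minimum are assumptions made for this example.

```powershell
# Added example: audit local admin membership and the account lockout /
# password-length policy. Read-only; the sample policy below is constructed.

function Get-LocalAdminMembers {
    # Every member of the local Administrators group; review anyone who is
    # not a dedicated admin account (Least Privilege).
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-BuiltinAdminEnabled {
    # The built-in Administrator account always has a SID ending in -500.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    return [bool]$builtin.Enabled
}

function Get-AccountPolicy {
    # Parse the English 'net accounts' output ("Label:   value") into a hashtable.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s{2,}(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
    }
    return $policy
}

function Test-AccountPolicy {
    # Return one finding string per weak setting; an empty result means the
    # two settings checked are acceptable.
    param([hashtable]$Policy, [int]$MinLength = 14)
    $findings = @()
    $threshold = $Policy['Lockout threshold']
    if (-not $threshold -or $threshold -eq 'Never') {
        $findings += 'Account lockout is disabled: online password guessing is unlimited.'
    }
    $length = 0
    if ([int]::TryParse([string]$Policy['Minimum password length'], [ref]$length) -and $length -lt $MinLength) {
        $findings += "Minimum password length is $length; require at least $MinLength."
    }
    return $findings
}

# Constructed sample policy (typical workstation defaults, not read from a real machine):
$weak = @{ 'Lockout threshold' = 'Never'; 'Minimum password length' = '0'; 'Lockout duration (minutes)' = '30' }
Test-AccountPolicy -Policy $weak      # reports both findings

# Against the live machine (elevated prompt):
# Get-LocalAdminMembers | Format-Table -AutoSize
# Test-BuiltinAdminEnabled
# Test-AccountPolicy -Policy (Get-AccountPolicy)
```

Accounts that appear in Get-LocalAdminMembers but are used for everyday work are the ones the Least Privilege item is about: move daily use to a standard account and keep the admin account for administration only, so a keylogger or phishing page on the daily account does not hand over admin rights directly.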