Local Admin on X -> Local Admin on All?
If an attacker gains local admin on endpoint X in a corporate environment, is it safe to assume they can laterally move to any endpoint in the environment at will?
Factually speaking, the answer is no. That scenario holds only in a minority of cases.
Here are a few common scenarios in which one can gain local admin during an attack:
- Compromise an AD account that has local admin on all endpoints. A mature organization will mitigate this by enabling multi-factor authentication (MFA) in Active Directory Federation Services.
- Crack the local admin account password. In a perfect world, you’d have a different local admin password per endpoint. Unfortunately, I rarely see this.
- Exploit a vulnerable process running as system/admin to gain admin. Thousands of examples: https://www.exploit-db.com/local/
- Inject code into a “world writable” script that is run by SYSTEM/admin. These avenues are common because it is easy for a sysadmin to slip up on permissions and then never run an automated audit that would catch the mistake.
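The audit the last bullet refers to can be automated. The following PowerShell script is an added example, not code from the original post: it lists scheduled tasks that run as SYSTEM (or with the highest run level) and whose executable or script can be written by broad groups such as Everyone, Users or Authenticated Users. It assumes it is run elevated on the endpoint and only checks the files named directly in each task action, not anything those files load in turn.

```powershell
# Added audit example (not from the original post). Assumes an elevated session.
# Flags privileged scheduled tasks whose executable/script is writable by broad groups.
$BroadWriters = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Test-BroadWrite {
    # Returns the first broad identity that holds an Allow ACE with write rights, or $null.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadWriters -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task  = $_
    $runAs = $task.Principal.UserId
    # Only tasks that execute with high privilege matter for this check.
    if ($runAs -notmatch '^(SYSTEM|LocalSystem|NT AUTHORITY\\SYSTEM)$' -and $task.Principal.RunLevel -ne 'Highest') { return }
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        # Expand %SystemRoot%-style variables and strip surrounding quotes.
        $candidates = @([Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"'))
        # Scripts are usually passed as an argument to powershell.exe / cscript.exe / cmd.exe.
        if ($action.Arguments) {
            $candidates += [regex]::Matches($action.Arguments, '"([^"]+\.(ps1|bat|cmd|vbs|js))"|(\S+\.(ps1|bat|cmd|vbs|js))') |
                ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Value.Trim('"')) }
        }
        foreach ($file in ($candidates | Select-Object -Unique)) {
            if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }
            $writer = Test-BroadWrite -Path $file
            if ($writer) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; RunsAs = $runAs; File = $file; WritableBy = $writer }
            }
        }
    }
} | Format-Table -AutoSize
```

Any row in the output is a file a standard user can modify that a privileged task will later execute; fix the ACL (or move the script to a protected directory) and schedule the audit to run regularly so the finding does not silently return.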
Assuming an organization is following best practices, there is only a small chance that an attacker can move laterally immediately and directly after gaining local admin access on endpoint X. In many cases, they would have to repeat the attack phases (recon, exploit, persist) against the next target, and that repetition is not guaranteed to succeed.
Every “hop” the attacker has to make decreases their chances of success while increasing their chances of getting caught. Because of this, it is NOT common for an intermediate to advanced attacker to pivot to a large number of endpoints. They will instead minimize their movement while pursuing their goal.