Restricting to Local Admin != Mitigation
I frequently come across and use endpoint exploits and attack vectors that “require admin”. Almost as frequently, I hear people in the industry state, “We’re safe from that; it requires local admin|system”. In many cases, that is not a mitigation. If you’re putting your trust in the assumption that restricting to local admin will protect you, how secure do you really think you are from an attacker?
First, let me say that one would hope all sensitive file paths, registry keys, processes, and services are locked down to admin/system access only. Additionally, zero users on your network should have admin privileges on their “everyday use” account. This alone can be more effective than patching, AV, FWs, etc.
But you need to understand that much damage can be done to your organization without ever getting local admin: a keylogger, a screen scraper, exfiltrating the data that the “limited user” has access to in DBs and network resources (e.g. mapped drives), many MiTM attacks, MiTB attacks, and so on. Don’t underestimate the damage an attacker can cause while operating under a non-admin user account.
Like a lock on the front door of your house, local admin really only stops the “dumb guys” and/or “lazy guys”. How hard do you think it really is for a determined attacker to get local admin, and even escalate to system, on an endpoint? As best I can remember, I have never failed to get local admin during a full-scope testing engagement, and I’ve never heard of any other pentester/red teamer having anything less than a stellar success rate. “100% of advanced cyber attacks involve the escalation of privilege” (https://www.cyberark.com/privilegefirst/, https://www.infosecurity-magazine.com/news/privileged-accounts-at-root-of/), and every other tester I’ve met has a near, if not complete, perfect track record of success.
To be clear, when I say “success”, understand that not every attack launched succeeds. For example, I may throw 100 phishing emails over several days to get a handful of victims. But, like any determined attacker carrying out a targeted attack, I’m persistent and will eventually (with a high probability) be successful.
For targeted attacks, you can count on the attacker getting local admin, system, and typically full domain admin as well. So, how much security does this “mitigation” really buy you? Not much. Do NOT rely heavily on admin-only as a mitigation. You should assume the attacker will gain full privileges in your environment.