ITDR

Viewing Privilege Escalation Attack Paths for Exposed Endpoint Credentials

Compromised credentials are the easiest privileged attack vector: an adversary uses them to move through an environment, gain administrator or root privileges, and then elevate their access rights further to gain control over more sensitive systems.

The following credential misconfigurations in an identity can lead to privilege escalation:

  • Non-adherence to the principle of least privilege (e.g., domain users are made members of the local Administrators group).
  • Misconfiguration in User Account Control settings (e.g., the ConsentPromptBehaviorAdmin registry value is set to 0, so administrators are elevated without any prompt).
  • Security misconfiguration in AutoLogon (e.g., default credentials for an administrator, or auto-logon credentials for an administrator stored on the endpoint).
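The following PowerShell script is an added example, not part of the ITDR product or its documentation: it audits a single Windows endpoint for the three misconfigurations listed above using the Windows registry and the LocalAccounts module, reporting only that a password is present, never its value. It assumes Windows PowerShell 5.1 or later and local administrator rights on the endpoint; the function and finding names are the example's own.

```powershell
# Added audit example (not part of the ITDR product or its documentation).
# Checks one Windows endpoint for the three credential misconfigurations listed above.
# Assumes Windows PowerShell 5.1+ with the LocalAccounts module and local admin rights.
function Get-CredentialExposureFindings {
    $findings = @()

    # 1. Least privilege: domain principals that are members of the local Administrators group.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        foreach ($m in $members) {
            if ($m.PrincipalSource -eq 'ActiveDirectory') {
                $findings += [pscustomobject]@{
                    Check    = 'LocalAdminMembership'
                    Severity = 'High'
                    Detail   = "$($m.ObjectClass) $($m.Name) is a member of local Administrators"
                }
            }
        }
    } catch {
        Write-Warning "Could not enumerate local Administrators: $_"
    }

    # 2. UAC: ConsentPromptBehaviorAdmin = 0 means administrators elevate with no prompt.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    if ($null -ne $uac -and $uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += [pscustomobject]@{
            Check    = 'UACConsentPromptBehaviorAdmin'
            Severity = 'High'
            Detail   = 'ConsentPromptBehaviorAdmin is 0 (elevate without prompting)'
        }
    }

    # 3. AutoLogon: Winlogon keeps DefaultPassword in plaintext when AutoAdminLogon is on.
    $wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $wlKey -ErrorAction SilentlyContinue
    if ($null -ne $wl -and $wl.AutoAdminLogon -eq '1' -and $wl.DefaultPassword) {
        $findings += [pscustomobject]@{
            Check    = 'AutoLogonCredentials'
            Severity = 'Critical'
            Detail   = "AutoAdminLogon enabled for $($wl.DefaultUserName) with DefaultPassword set"
        }
    }
    return $findings
}

# Print the findings as a table; an empty result means none of the three checks fired.
Get-CredentialExposureFindings | Format-Table -AutoSize
```

Remediation for a positive finding is to remove the domain principal from Administrators, set ConsentPromptBehaviorAdmin to a prompting value, or clear the stored AutoLogon password rather than leaving it in the registry.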

You can view the privilege escalation attack paths for exposed endpoint credentials, investigate the vulnerability, and remediate the issues.

To view the privilege escalation attack paths for exposed endpoint credentials:

  1. Go to ITDR > Dashboard > Endpoint Credential Exposure.
  2. Select the Privilege Escalation Path tab.
  3. Select a date from the As of Date calendar to view the exposed credential issues on that scan date.
  4. The exposed credential issues and the details of privilege escalation attack paths are listed with the following information. Click a severity level (Low, Medium, High, or Critical) to filter the issues.

    • Issue: The issue name.
    • Type Of Risk: The type of risk (e.g., Privilege Escalation, Admin Auto Logon Credentials, AWS Credentials Exposure, etc.).
    • Severity: The severity level of the risk (Critical, High, Medium, or Low).
    • MITRE ATT&CK ID: The MITRE ATT&CK technique ID (e.g., T1558.003, T1078.002, etc.). Click the ID to view more details about the attack technique.
    • MITRE ATT&CK Tactics: The type of the MITRE ATT&CK tactic (e.g., Privilege Escalation, Credential Access, etc.).
    • What is the issue?: The description of the vulnerability issue with videos that demonstrate how an adversary performs the attack.
    • What is the impact?: The consequences of the attack.
    • Remediation: The remediation description and steps.
    • References: You can click the reference links to view the Microsoft documentation to understand the issue context and remediation.
    • Who is affected?: A list of systems that are vulnerable to attack.

      To remediate the listed issues, clean up the exposed endpoint credentials (see Cleaning Up Exposed Endpoint Credentials). You can use the Actions menu to copy specific columns of the table and to download the affected system credentials as a CSV or JSON file.

Related Articles

  • About the Endpoint Credential Exposure Dashboard
  • Downloading Endpoint Credential Exposure Scan Data
  • Downloading the Endpoint Credential Exposure Executive Summary Report
  • Viewing Exposed Endpoint Credential Details by Scan Type
  • Cleaning Up Exposed Endpoint Credentials
  • Viewing the Exposed Endpoint Credential Risk Reduction Roadmap
  • Viewing the Exposed Endpoint Credential Detailed Findings and Recommendations Details
  • Viewing Exposed Endpoint Credential Issues Grouped by MITRE ATT&CK Techniques
  • Viewing Privilege Escalation Attack Paths for Exposed Endpoint Credentials
  • Viewing Identities with Exposed Endpoint Credentials