1

Imagine the following scenario:
A hacker wants to attack a remote PC and take control of it using a RAT. This PC has three user accounts:
- A (administrator account)
- B (non-administrator account)
- C (administrator account)
The attacker sends malicious (RAT included!) emails to both user A and user B to infect the PC.
My question is: what happens if user A, who has an administrator account, installs the malicious application? Does his action get the other two accounts infected as well and let the hacker take control of all user accounts? Or is only his account compromised?

PMD

2 Answers

1

Whenever you detect that an attacker's code has been executed, it is best to act with the assumption that all data on the system is potentially compromised. This is especially true if a privileged user was compromised, as even if they require affirmative action to don their privileges (sudo, etc.), they will at some point do so. At that moment the attack code can fully compromise the system.

Even if the infected user has no privileges, a number of local vulnerabilities may exist (unknown to the administrator) that could grant the code increased privileges without any privileged user ever logging in.

It is a problem of 'unknown unknowns', and with local access the attack surface is simply much larger.

It's worth considering that local network communications can be generated, sniffed, and spoofed by the attack code so you can't merely assume that information and accounts on other machines are secure.

Jeff K
0

If you're talking about a Windows PC then yes.


When you are a local administrator on a system you have complete access to that machine and can escalate to SYSTEM, the highest level of privilege on a local Windows PC. Once the attacker is an admin on that system, the box (and all user accounts and data) should be considered fully compromised.

HashHazard