# Privilege Escalation Techniques
Privilege escalation is the set of techniques an attacker uses to gain higher-level permissions than initially obtained. Initial access typically provides standard user privileges: access to the compromised user's email, files, and applications. Privilege escalation transforms that limited access into administrative control: access to every system, every user's data, and the ability to modify security controls, deploy ransomware, and exfiltrate data at scale.
In the MITRE ATT&CK framework, Privilege Escalation is the fifth tactic (TA0004) with 13 techniques and dozens of sub-techniques. It sits between Initial Access (getting in) and Lateral Movement (moving through the environment). Privilege escalation is the bridge between "we compromised one user's account" and "we control the domain." Every ransomware operator, every APT group, and every insider threat actor who achieves domain-level impact passes through privilege escalation.
The distinction between local privilege escalation (gaining admin on a single system) and domain privilege escalation (gaining admin across the entire Active Directory domain) determines the scope of the eventual impact. An attacker with local admin on one workstation can access that workstation's data. An attacker with domain admin can access every system, every file share, every database, and every mailbox in the domain simultaneously.
Local privilege escalation elevates the attacker's privileges on the compromised system from standard user to local administrator or SYSTEM.
Kernel exploits. Vulnerabilities in the operating system kernel that allow a standard user process to execute code with kernel-level (SYSTEM) privileges. Windows kernel exploits (PrintNightmare CVE-2021-34527, HiveNightmare CVE-2021-36934, and dozens of monthly Patch Tuesday kernel vulnerabilities) are the most direct local escalation path. A single unpatched kernel vulnerability can provide SYSTEM access to any local user.
Defense: timely patching of operating system vulnerabilities. Kernel vulnerabilities are the highest-priority patches because they provide the most direct escalation path.
Service misconfigurations. Windows services configured with insecure permissions allow a standard user to modify the service's executable path or inject a DLL into the service process. If the service runs as SYSTEM (which many services do by default), the attacker's code executes with SYSTEM privileges.
Common misconfiguration patterns: unquoted service paths (the service executable path contains spaces and is not quoted, allowing the attacker to place a malicious executable in the path resolution order), weak service permissions (the standard user group has "modify" or "full control" on the service configuration), and writable service binary directories (the attacker can replace the service executable with a malicious one).
Defense: audit service configurations for insecure permissions. Tools like PowerUp, WinPEAS, and Seatbelt enumerate service misconfigurations. CIS Benchmarks address service permission hardening. Endpoint hardening (SPH-B02) systematically remediates these misconfigurations.
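The unquoted-path check that the tools named above perform can be reproduced in a few lines. The following Python is an added example, not code from the article or from PowerUp, WinPEAS or Seatbelt: it enumerates the executables Windows would try, in order, for an unquoted ImagePath containing spaces, and reports any candidate that would be resolved before the real binary and whose directory is writable by standard users. The service table and the writable-directory set are constructed sample data; on a real host they would come from the Service Control Manager and an ACL check.

```python
import ntpath


def unquoted_path_candidates(image_path):
    """Return the executables Windows tries, in order, when launching a
    service whose ImagePath is unquoted and contains spaces. Each space is a
    possible end of the program name, and ".exe" is appended to candidates
    without an extension. A quoted path yields only the intended binary."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1:end] if end > 1 else path[1:]]
    candidates = []
    tokens = path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)      # the intended binary; stop here
            break
        candidates.append(prefix + ".exe")
    return candidates


def _norm(path):
    # Case-insensitive, trailing-backslash-insensitive comparison key.
    return ntpath.normpath(path).lower().rstrip("\\")


def audit_services(services, writable_dirs):
    """services: {name: (ImagePath, start account)}.
    writable_dirs: directories where standard users hold write access.
    Returns (service, account, hijackable path) for every candidate that
    would be resolved before the real binary and sits in a writable directory."""
    writable = {_norm(d) for d in writable_dirs}
    findings = []
    for name, (image_path, account) in services.items():
        candidates = unquoted_path_candidates(image_path)
        for earlier in candidates[:-1]:    # everything before the real binary
            if _norm(ntpath.dirname(earlier)) in writable:
                findings.append((name, account, earlier))
    return findings


# Constructed sample data for this example (names are hypothetical).
SAMPLE_SERVICES = {
    "AcmeAgent": (r"C:\Tools\Acme Agent\bin\agent.exe -svc", "LocalSystem"),
    "AcmeUpdater": (r'"C:\Tools\Acme Agent\bin\updater.exe" /quiet', "LocalSystem"),
    "Spooler": (r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
}
# Assumption for the example: the vendor installer left a loose ACL on C:\Tools.
SAMPLE_WRITABLE_DIRS = {r"C:\Tools"}

if __name__ == "__main__":
    for service, account, path in audit_services(SAMPLE_SERVICES, SAMPLE_WRITABLE_DIRS):
        print(f"{service} ({account}): unquoted path resolves through writable {path}")
```

Only `AcmeAgent` is reported: its unquoted path makes Windows look for `C:\Tools\Acme.exe` before the real binary, and `C:\Tools` is writable. The quoted `AcmeUpdater` path and the space-free `Spooler` path each yield a single candidate and nothing to flag.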
Token manipulation. Windows access tokens represent a user's security context. Techniques like token impersonation (SeImpersonatePrivilege abuse via tools like Juicy Potato, PrintSpoofer, or GodPotato) allow a process with impersonation privileges to assume the security context of a higher-privileged token. Service accounts and IIS application pool identities commonly have SeImpersonatePrivilege, making them escalation targets.
Defense: restrict SeImpersonatePrivilege to accounts that require it. Monitor for known token manipulation tools and techniques.
UAC bypass. Windows User Account Control prompts for consent when a standard user attempts an administrative action. Dozens of UAC bypass techniques exist that execute code at high integrity (admin) without triggering the consent prompt. UAC bypasses exploit trusted Windows processes that auto-elevate to admin context.
Defense: configure UAC to "Always Notify" (the highest UAC setting). Deploy application control (WDAC/AppLocker) to prevent unauthorized executables from running regardless of privilege level.
Scheduled task and registry abuse. An attacker with write access to scheduled task configurations or registry autorun keys can insert malicious code that executes with the privileges of the task owner (often SYSTEM) or at the next user logon.
Defense: audit scheduled tasks and registry autorun locations. Monitor for creation of new scheduled tasks by non-administrative users. Restrict write access to autorun registry keys.
Domain privilege escalation elevates the attacker from a standard domain user to Domain Admin or equivalent domain-level control.
Credential theft and reuse. The most common domain escalation path. The attacker dumps cached credentials from the compromised system's memory (LSASS memory dumping with Mimikatz, comsvcs.dll, or Task Manager) and finds credentials for higher-privileged accounts. If an administrator logged into the workstation at any point (for troubleshooting, software installation, or remote assistance), their credential material is cached and extractable.
The escalation chain: compromise a workstation (initial access), dump credentials from memory (find a help desk admin's hash), move laterally to a server the help desk admin accessed (find a system admin's hash), move to a domain controller the system admin accessed (find the domain admin's hash). Each step escalates through the credential cache of the compromised system.
Defense: Credential Guard (prevents credential caching in extractable form), LSA protection (restricts LSASS access), LAPS (unique local admin passwords per endpoint), tier model enforcement (admin credentials are only used on systems at the appropriate tier), and PAM (no standing privileged accounts, just-in-time elevation).
Kerberoasting. Any domain user can request a Kerberos service ticket for any service account with a Service Principal Name (SPN). The service ticket is encrypted with the service account's password hash. The attacker requests tickets for all service accounts and cracks them offline. Service accounts with weak passwords (common in legacy environments where service account passwords were set once and never changed) produce cracked credentials that often have excessive domain privileges.
Defense: strong, random service account passwords (managed through PAM with automated rotation), Group Managed Service Accounts (gMSAs) where possible, and monitoring for anomalous service ticket requests (Kerberoasting detection in SIEM).
AD CS exploitation. Active Directory Certificate Services misconfigurations (the ESC1 through ESC13 attack chain documented by SpecterOps) allow standard domain users to request certificates that grant domain admin privileges. ESC1 is the most common: a certificate template configured to allow the enrollee to specify an arbitrary Subject Alternative Name (SAN), enabling any domain user to request a certificate for the domain admin account and authenticate as domain admin.
Defense: audit all AD CS certificate templates for misconfigurations. Remove the "Supply in Request" flag from templates that allow SAN specification. Restrict enrollment permissions on sensitive templates. Tools like Certify and Certipy enumerate AD CS vulnerabilities.
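The ESC1 preconditions described above can be checked mechanically once the template attributes are in hand. The Python below is an added example, not code from the article or from Certify or Certipy: it evaluates each template against the ESC1 conditions (enrollee supplies the subject, the certificate is usable for authentication, no manager approval or authorized signature gates the request, and a low-privileged principal can enroll) and applies the remediation the article names, clearing the "Supply in Request" flag. The flag values and EKU OIDs are Microsoft's; the template records themselves are constructed sample data shaped after the LDAP attributes, and the template names are hypothetical.

```python
# Template attribute flags and EKU OIDs as defined by Microsoft.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # in msPKI-Enrollment-Flag: manager approval

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def is_esc1(template):
    """True when every ESC1 precondition holds on a published template."""
    supplies_subject = bool(template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    needs_approval = bool(template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    # An empty EKU list means "no EKU restriction", which is as broad as Any Purpose.
    usable_for_auth = not template["ekus"] or bool(set(template["ekus"]) & AUTH_EKUS)
    low_priv_enroll = bool(set(template["enroll"]) & LOW_PRIV_PRINCIPALS)
    return (template["published"] and supplies_subject and usable_for_auth
            and not needs_approval and template["ra_signatures"] == 0 and low_priv_enroll)


def esc1_findings(templates):
    """Names of the templates that satisfy all ESC1 preconditions."""
    return [t["name"] for t in templates if is_esc1(t)]


def hardened(template):
    """The remediation the article describes: clear the 'Supply in Request'
    flag so the CA builds the subject from the requester's AD object."""
    fixed = dict(template)
    fixed["name_flag"] = template["name_flag"] & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return fixed


# Constructed sample templates. Keys map to LDAP attributes as follows:
# name_flag = msPKI-Certificate-Name-Flag, enrollment_flag = msPKI-Enrollment-Flag,
# ra_signatures = msPKI-RA-Signature, ekus = pKIExtendedKeyUsage,
# enroll = principals granted the Enroll right on the template.
SAMPLE_TEMPLATES = [
    {"name": "User", "published": True, "name_flag": 0xA6000000, "enrollment_flag": 0x29,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"], "enroll": ["Domain Users"]},
    {"name": "VPN-Client-Custom", "published": True, "name_flag": 0x1, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "Partner-Device", "published": True, "name_flag": 0x1, "enrollment_flag": 0x2,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Authenticated Users"]},
    {"name": "WebServer", "published": True, "name_flag": 0x1, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll": ["PKI Admins"]},
]

if __name__ == "__main__":
    print("ESC1 templates:", esc1_findings(SAMPLE_TEMPLATES))
```

Of the four samples only `VPN-Client-Custom` is reported: `User` builds its subject from the directory, `Partner-Device` requires manager approval, and `WebServer` carries only the Server Authentication EKU and is restricted to an admin group. Running `hardened()` on the flagged template makes `is_esc1()` return false; alternatively, enabling manager approval on it closes the path as well.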
DCSync. An attacker with specific replication permissions (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) can simulate a domain controller and request the password hashes for any domain account, including the krbtgt account (which enables Golden Ticket forging for persistent, unrestricted domain access).
Defense: restrict replication permissions to actual domain controllers. Monitor for DCSync activity (replication requests from non-DC sources) in SIEM. This is one of the highest-priority detection rules in any Active Directory environment.
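The Kerberoasting and DCSync detections called for above can both be expressed as rules over Windows Security log events. The Python below is an added example, not code from the article or from any SIEM product: `detect_dcsync` flags event 4662 records in which one of the two replication rights was exercised by an account that is not a domain controller computer account (and not on an explicit allowlist such as an Azure AD Connect sync account), and `detect_kerberoasting` flags a requesting account that obtained RC4-encrypted service tickets (encryption type 0x17) for several distinct service accounts within a short window, since RC4 tickets are the ones that crack offline. The replication-right GUIDs are the real Active Directory values; the events, account names and addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs that DCSync exercises (real AD values, as they
# appear in the Properties field of event 4662).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)


def detect_dcsync(events, allowlist=()):
    """Return the non-DC accounts that exercised replication rights.
    Domain controllers replicate with their computer accounts (names ending
    in '$'); anything else, apart from the allowlist, is a DCSync candidate."""
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        if not any(g in e["Properties"].lower() for g in REPLICATION_GUIDS):
            continue
        user = e["SubjectUserName"]
        if user.endswith("$") or user in allowlist:
            continue
        hits.append(user)
    return hits


def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=5)):
    """Return (requesting user, source IP, distinct SPNs) for accounts that
    obtained RC4 service tickets (etype 0x17) for at least `threshold`
    distinct service accounts within `window`."""
    per_source = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        if e["TicketEncryptionType"] != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue   # computer accounts and the TGT service are not roasting targets
        per_source[(e["TargetUserName"], e["IpAddress"])].append((e["Time"], svc))
    hits = []
    for (user, ip), requests in per_source.items():
        requests.sort()
        best, start = 0, 0
        for end in range(len(requests)):            # sliding time window
            while requests[end][0] - requests[start][0] > window:
                start += 1
            best = max(best, len({s for _, s in requests[start:end + 1]}))
        if best >= threshold:
            hits.append((user, ip, best))
    return hits


# Constructed sample events; field names follow the Windows Security log.
def _tgs(ts, user, svc, etype, ip):
    return {"EventID": 4769, "Time": datetime.fromisoformat(ts), "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype, "Status": "0x0", "IpAddress": ip}


def _dsaccess(user, guid):
    return {"EventID": 4662, "SubjectUserName": user, "Properties": "{" + guid + "}"}


SAMPLE_EVENTS = [
    _tgs("2024-03-01T09:00:00", "jdoe@CORP.EXAMPLE", "svc-sql", "0x17", "10.0.5.23"),
    _tgs("2024-03-01T09:00:04", "jdoe@CORP.EXAMPLE", "svc-web", "0x17", "10.0.5.23"),
    _tgs("2024-03-01T09:00:09", "jdoe@CORP.EXAMPLE", "svc-backup", "0x17", "10.0.5.23"),
    _tgs("2024-03-01T09:00:12", "jdoe@CORP.EXAMPLE", "svc-sccm", "0x17", "10.0.5.23"),
    _tgs("2024-03-01T09:00:20", "jdoe@CORP.EXAMPLE", "svc-exchange", "0x17", "10.0.5.23"),
    _tgs("2024-03-01T09:00:31", "jdoe@CORP.EXAMPLE", "svc-report", "0x17", "10.0.5.23"),
    _tgs("2024-03-01T09:02:00", "asmith@CORP.EXAMPLE", "svc-sql", "0x12", "10.0.7.41"),  # AES: normal use
    _tgs("2024-03-01T09:02:30", "asmith@CORP.EXAMPLE", "FS01$", "0x17", "10.0.7.41"),    # computer account
    _dsaccess("DC02$", DS_REPLICATION_GET_CHANGES_ALL),          # legitimate DC replication
    _dsaccess("MSOL_a1b2c3d4", DS_REPLICATION_GET_CHANGES_ALL),  # Azure AD Connect sync account, allowlisted
    _dsaccess("jdoe", DS_REPLICATION_GET_CHANGES),               # standard user: alert
]

if __name__ == "__main__":
    print("DCSync:", detect_dcsync(SAMPLE_EVENTS, allowlist={"MSOL_a1b2c3d4"}))
    print("Kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
```

Against the sample, the DCSync rule reports only `jdoe`, and the Kerberoasting rule reports `jdoe` from 10.0.5.23 with six distinct service tickets in about thirty seconds, while `asmith`'s AES ticket and computer-account ticket are ignored. The threshold and window are tuning knobs: raise them where legitimate middleware requests many SPNs, and pair the RC4 condition with a move to AES-only service accounts so that any remaining 0x17 request stands out on its own.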
Group Policy abuse. An attacker with write access to Group Policy Objects (GPOs) linked to domain controllers or privileged OUs can modify GPO settings to execute malicious code, create backdoor accounts, or modify security configurations across every system the GPO applies to. GPO modification is a high-impact, low-noise escalation technique because GPO changes are expected operational events that may not trigger alerts.
Defense: restrict GPO modification permissions to a small number of authorized administrators. Monitor all GPO modifications in SIEM. Compare GPO content against a known-good baseline for unauthorized changes.
Linux systems have their own escalation vectors:
SUID/SGID binaries. Executables with the SUID bit set run with the file owner's privileges (often root). An attacker who finds a vulnerable SUID binary (one that can be exploited to execute arbitrary commands) gains root access. Tools like GTFOBins catalog SUID binaries that can be abused for escalation.
Sudo misconfigurations. The sudoers file defines which users can execute which commands with elevated privileges. Misconfigurations (allowing a user to run a text editor as root, allowing NOPASSWD for sensitive commands) provide escalation paths. CVE-2021-3156 (Baron Samedit) was a heap-based buffer overflow in sudo that allowed any local user to gain root without a valid sudo configuration.
Cron job abuse. Cron jobs that run as root with writable scripts or writable directories enable the attacker to modify the script and execute arbitrary code as root at the next cron execution.
Kernel exploits. Linux kernel vulnerabilities (Dirty Pipe CVE-2022-0847, Dirty COW CVE-2016-5195) provide direct user-to-root escalation.
Defense: minimize SUID binaries, audit sudoers configurations, restrict cron job permissions, and patch the kernel promptly.
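The sudoers and SUID audits just prescribed can be scripted. The Python below is an added example, not code from the article or from GTFOBins: `risky_sudo_rules` parses sudoers user specifications (honouring the sudoers convention that a tag such as NOPASSWD applies to every command that follows it in the list) and reports rules that grant ALL, grant a command that yields a shell or arbitrary file write when run as root, or waive the password; `suid_root_binaries` filters stat results for root-owned files with the SUID bit, listing shell-capable ones first. The shell-capable set is a short constructed subset of what GTFOBins documents, and the sudoers text and file metadata are constructed sample data.

```python
import os
import re
import stat

# Binaries that give an interactive shell or arbitrary file write when run as
# root: a short constructed subset of what GTFOBins documents, not the full list.
SHELL_CAPABLE = {"vi", "vim", "nano", "less", "more", "find", "awk", "perl",
                 "python", "python3", "bash", "sh", "env", "tar", "zip"}

_TAGS = ("NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
         "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT")
_TAG_RE = re.compile(r"^(%s)\s*:\s*" % "|".join(_TAGS))
_SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")


def parse_user_spec(line):
    """Parse one sudoers user specification into (user, runas, [(command, tags)]).
    Comments, blank lines, Defaults and alias lines return None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                    "Host_Alias", "Runas_Alias")):
        return None
    m = _SPEC_RE.match(line)
    if not m:
        return None
    user, _host, runas, rest = m.groups()
    commands, tags = [], set()
    for part in rest.split(","):
        part = part.strip()
        while True:                      # strip leading tags; they persist
            t = _TAG_RE.match(part)      # across the remaining commands
            if not t:
                break
            tags.add(t.group(1))
            part = part[t.end():]
        if part:
            commands.append((part, frozenset(tags)))
    return user, runas or "root", commands


def risky_sudo_rules(sudoers_text):
    """Return (user, command, reasons) for rules worth an auditor's attention.
    The root user's own rules are skipped; root needs no escalation."""
    findings = []
    for line in sudoers_text.splitlines():
        parsed = parse_user_spec(line)
        if not parsed or parsed[0] == "root":
            continue
        user, _runas, commands = parsed
        for command, tags in commands:
            reasons = []
            if command == "ALL":
                reasons.append("ALL")
            elif os.path.basename(command.split()[0]) in SHELL_CAPABLE:
                reasons.append("shell-capable")
            if "NOPASSWD" in tags:
                reasons.append("NOPASSWD")
            if reasons:
                findings.append((user, command, reasons))
    return findings


def suid_root_binaries(entries):
    """entries: (path, st_mode, st_uid) tuples, e.g. from os.lstat over a
    filesystem walk. Returns the SUID-root paths, shell-capable ones first."""
    suid = [p for p, mode, uid in entries if mode & stat.S_ISUID and uid == 0]
    return sorted(suid, key=lambda p: os.path.basename(p) not in SHELL_CAPABLE)


# Constructed sample sudoers content and file metadata.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/vim /etc/app/app.conf
backup  ALL=(root) /usr/bin/rsync, NOPASSWD: /usr/bin/tar
"""
SAMPLE_FILES = [
    ("/usr/bin/passwd", 0o104755, 0),     # expected SUID root
    ("/usr/bin/find", 0o104755, 0),       # SUID root on a shell-capable binary
    ("/usr/bin/ls", 0o100755, 0),         # no SUID bit
    ("/opt/app/helper", 0o104755, 1001),  # SUID but not root-owned
]

if __name__ == "__main__":
    for user, command, reasons in risky_sudo_rules(SAMPLE_SUDOERS):
        print(f"{user}: {command}  [{', '.join(reasons)}]")
    print("SUID root:", suid_root_binaries(SAMPLE_FILES))
```

On the sample, the `deploy` rule for `vim` is the finding that matters: the restriction to one file does not help, because the editor can spawn a shell, and NOPASSWD removes the last prompt. The `backup` rule for `tar` has the same shape. The remedy is the one the article gives: replace editor and archiver grants with a narrowly scoped wrapper script that root owns and non-root cannot write, and remove the SUID bit from `find` if nothing on the host depends on it.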
Privilege escalation converts a single compromised account into domain-level control. Without escalation, the attacker's impact is limited to one user's access. With escalation, the attacker's impact is unlimited: every system, every file, every database. Preventing or detecting privilege escalation is the most effective way to limit the damage from an initial compromise.
Every major ransomware operation depends on privilege escalation to domain admin before deploying the encryption payload. The attacker does not encrypt from a standard user account (they would only encrypt files the user can access). They escalate to domain admin and deploy encryption domain-wide through Group Policy, PsExec, or WMI. Blocking escalation blocks the ransomware's deployment mechanism.
Privilege escalation techniques generate detectable artifacts: LSASS access by non-system processes, anomalous Kerberos ticket requests, unusual service ticket volumes, DCSync replication from non-DC sources, GPO modifications outside change windows, new scheduled tasks with SYSTEM privileges, and SUID binary execution by non-administrative users. Each artifact is a detection opportunity that, if caught, prevents the escalation from succeeding.
Privilege escalation sits at the intersection of TID (detection) and IAT (prevention) in the Planetary Defense Model. IAT prevents escalation through controls that eliminate the techniques: Credential Guard prevents credential dumping, PAM eliminates standing privileged accounts, AD CS hardening removes certificate-based escalation paths, and RBAC restricts the permissions that GPO and DCSync abuse requires. TID detects escalation attempts through detection rules tuned to the specific techniques: LSASS access monitoring, Kerberoasting detection, DCSync detection, and GPO modification alerting.
IAT-D02 (Privilege Escalation Test, 20 estimated hours) specifically tests the organization's resistance to escalation: the red team attempts to escalate from standard user to domain admin using documented techniques. The test reveals which escalation paths are open, which are blocked by controls, and which are detected by TID. The results directly inform IAT hardening priorities and TID detection rule development.
CDA approaches privilege escalation with one principle: the tier model is the structural defense. If admin credentials are never used on standard workstations (tier model enforcement), there are no admin credentials cached on standard workstations for the attacker to steal. The most common escalation path (credential theft from memory) is eliminated architecturally, not through detection. Prevention through architecture is stronger than detection after the fact.
Written by Evan Morgan