Why It Matters
Initial access rarely lands attackers where they need to be. A phishing victim's workstation seldom holds the data or capabilities adversaries seek, so they escalate privileges to reach local administrative control, sensitive systems, or domain-wide compromise, then move laterally from there. Understanding escalation paths is fundamental for red teamers, pentesters, and SOC analysts building detections.
The 2020 SolarWinds campaign pivoted from the initial supply chain compromise to theft of AD FS token-signing keys, which let the attackers forge SAML tokens ("Golden SAML") and impersonate any user in the victims' cloud tenants, including Global Administrators. The 2014 Sony Pictures attack used credential theft and Active Directory abuse to move from a single endpoint to enterprise-wide control.
Types of Privilege Escalation
Vertical (Up)
Gaining higher privileges within the same account context:
- Standard user → Local Admin
- Local Admin → SYSTEM/root
- Domain User → Domain Admin
- Cloud user → Cloud Admin/root
Horizontal (Across)
Moving between accounts at the same trust level:
- User A's mailbox → User B's mailbox
- One tenant's data → Another tenant's data (multi-tenant SaaS)
- One workload → Another workload in the same cluster
Linux Techniques
```bash
# Quick wins to check
sudo -l                                  # Sudo rules for the current user
find / -perm -4000 -type f 2>/dev/null   # SUID binaries
find / -writable -type d 2>/dev/null     # Directories writable by the current user (PATH and cron targets)
cat /etc/crontab; ls -la /etc/cron.d     # Cron jobs run by root and the scripts they call
getcap -r / 2>/dev/null                  # File capabilities (e.g. cap_setuid on an interpreter)
echo $PATH                               # PATH hijacking opportunities (writable or relative entries)
uname -a                                 # Kernel version for exploit matching
```
Common Linux escalation paths:
- SUID misuse: Binaries listed in GTFOBins that spawn a root shell or read/write root-owned files when SUID is set
- Sudo misconfigurations: NOPASSWD (or any) sudo rules on commands that can spawn a shell, such as vim, find, awk
- Kernel exploits: Dirty Pipe (CVE-2022-0847), OverlayFS bugs, Sequoia (CVE-2021-33909)
- Writable cron jobs: Replacing scripts run by root
- Container escapes: Privileged containers, Docker socket mounts, capabilities
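The enumeration commands above produce output that still has to be triaged. The following is an added example (not code from the original page) that parses constructed `sudo -l` output and a constructed SUID list and flags the entries that map to a documented GTFOBins escalation; the GTFOBins subsets embedded in it are assumptions for illustration and far shorter than the real catalog.

```python
"""Triage the Linux quick-win output: which sudo rules and SUID binaries are GTFOBins hits."""
import re

# Constructed subsets of binaries GTFOBins documents as escalating via sudo or SUID.
# Illustrative only; consult the live catalog for real engagements.
GTFOBINS_SUDO = {"vim", "vi", "find", "awk", "gawk", "less", "more", "nmap",
                 "python", "python3", "perl", "bash", "sh", "env", "tar", "zip"}
GTFOBINS_SUID = {"find", "bash", "env", "python", "python3", "perl", "vim",
                 "nmap", "cp", "mv", "less", "awk"}

# One `sudo -l` rule line looks like: "(runas) TAG: TAG: command [args]"
SUDO_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text):
    """Parse `sudo -l` output into (runas, nopasswd, command) tuples."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = SUDO_RULE.match(line) if in_rules else None
        if m:
            tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
            rules.append((m.group("runas").strip(), "NOPASSWD" in tags,
                          m.group("cmd").strip()))
    return rules


def dangerous_sudo_rules(rules):
    """Return (command, note) for rules that give a documented path to a shell."""
    findings = []
    for runas, nopasswd, cmd in rules:
        runas_user = runas.split(":")[0].strip()
        parts = cmd.split()
        name = parts[0].rsplit("/", 1)[-1]
        if cmd != "ALL" and name not in GTFOBINS_SUDO:
            continue
        note = "unrestricted sudo: sudo -i" if cmd == "ALL" else "GTFOBins sudo technique"
        if len(parts) > 1:
            note += "; arguments restricted, verify the rule can still be abused"
        if not nopasswd:
            note += "; password required"
        if runas_user not in ("ALL", "root"):
            note += f"; runs as {runas_user}, not root"
        findings.append((cmd, note))
    return findings


def suid_candidates(paths):
    """Return the SUID binaries that GTFOBins documents as exploitable when SUID."""
    return sorted(p for p in paths if p.rsplit("/", 1)[-1] in GTFOBINS_SUID)


# Constructed sample output for user "alice" on a hypothetical host "web01".
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/find
    (root) NOPASSWD: /usr/bin/apt-get update
    (www-data) NOPASSWD: /usr/bin/python3
"""
# Constructed result of `find / -perm -4000 -type f`.
SAMPLE_SUID = ["/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/find",
               "/usr/local/bin/python3", "/usr/bin/mount"]

if __name__ == "__main__":
    for cmd, note in dangerous_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"sudo: {cmd}  <- {note}")
    for path in suid_candidates(SAMPLE_SUID):
        print(f"suid: {path}")
```

On the sample, `vim` with NOPASSWD is an immediate root shell (`sudo vim -c ':!/bin/sh'`), `find` is the same once the user's password is known, the restricted `apt-get update` rule is not flagged, and the `python3` rule is reported but only reaches `www-data`. The SUID list yields `find` and a locally installed `python3`; stock `passwd`, `sudo` and `mount` are expected SUID binaries and are ignored.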
Windows Techniques
| Technique | Description | Detection |
|---|---|---|
| Unquoted Service Path | ImagePath contains spaces and no quotes, so Windows tries C:\Program.exe, C:\Program Files\Vendor.exe, ... before the real binary; a writable parent directory gives execution as the service account | Service config audit (ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services) |
| Weak Service Permissions | Replace the service binary or rewrite its config (ImagePath, logon account) | Sysmon Event 11 on service binaries, 12/13 on the Services registry key; Event 7045/4697 for new services |
| Token Impersonation | SeImpersonatePrivilege abuse (Potato family) to obtain a SYSTEM token from a service account | Process creation as SYSTEM parented by a low-privileged service process; token manipulation events |
| AlwaysInstallElevated | With the HKLM and HKCU AlwaysInstallElevated values both set, any MSI installs as SYSTEM | GPO/registry audit of the Installer keys; msiexec launched from user context |
| Kerberoasting | Request TGS tickets for SPN-bearing accounts and crack them offline | Event 4769 with RC4 (0x17) encryption, many SPNs from one requester |
| ACL Abuse | GenericAll/WriteDACL/WriteOwner on AD objects used to reset passwords, add group members, or grant DCSync | BloodHound path analysis; Events 4662/5136 on object and ACL changes |
| UAC Bypass | Auto-elevating binaries (e.g. fodhelper via the HKCU ms-settings handler) or DLL hijacking of elevated processes | EDR behavioral rules; Sysmon 13 on HKCU\Software\Classes\ms-settings |
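Two of the table rows reduce to checks a practitioner can run over data they already collect. The following is an added example, not code from the original page: it enumerates the hijack candidates for unquoted service paths (the ImagePath values are constructed, as if read from the Services registry key or `Get-CimInstance Win32_Service`) and scores constructed Event 4769 records for Kerberoasting. The field names mirror the 4769 XML data (`TargetUserName`, `ServiceName`, `TicketEncryptionType`, `Status`); the threshold of three SPNs is an assumption to tune per environment.

```python
"""Windows escalation checks over constructed service and Kerberos data."""
from collections import defaultdict


def unquoted_path_candidates(image_path):
    """For an unquoted ImagePath containing spaces, return the binaries Windows tries
    before the real one (C:\\Program.exe, C:\\Program Files\\Vendor.exe, ...).
    Anyone who can write at one of those locations runs as the service account."""
    if image_path.startswith('"'):
        return []  # a quoted path is resolved as a single token
    tokens = image_path.split(" ")
    exe_index = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")), None)
    if exe_index is None:
        return []
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, exe_index + 1)]


def audit_service_paths(services):
    """services: {name: ImagePath}. Returns {name: [hijack candidates]} for vulnerable entries.
    Exploitability still depends on write access to the candidate's directory."""
    findings = {}
    for name, path in services.items():
        candidates = unquoted_path_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings


RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC in Event 4769


def kerberoast_suspects(events, threshold=3):
    """Group successful 4769 TGS requests that used RC4 for user (non-machine, non-krbtgt)
    service accounts by requester; return requesters that hit >= threshold distinct SPN owners."""
    per_requester = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in per_requester.items() if len(s) >= threshold}


# Constructed service entries: one vulnerable, one correctly quoted, one without spaces.
SAMPLE_SERVICES = {
    "VendorAgent": r"C:\Program Files\Vendor App\bin\agent.exe -service",
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" -k',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}


def _tgs(user, svc, etype, status="0x0"):
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "Status": status, "IpAddress": "10.0.0.23"}


# Constructed 4769 records: bob requests RC4 tickets for three service accounts in a row,
# alice makes a normal AES request, carol makes a single RC4 request, plus machine-account noise.
SAMPLE_4769 = [
    _tgs("bob@CORP.LOCAL", "svc_sql", "0x17"),
    _tgs("bob@CORP.LOCAL", "svc_http", "0x17"),
    _tgs("bob@CORP.LOCAL", "svc_backup", "0x17"),
    _tgs("bob@CORP.LOCAL", "WS01$", "0x17"),
    _tgs("alice@CORP.LOCAL", "svc_sql", "0x12"),
    _tgs("carol@CORP.LOCAL", "svc_sql", "0x17"),
    _tgs("carol@CORP.LOCAL", "svc_http", "0x17", status="0x12"),
]

if __name__ == "__main__":
    print(audit_service_paths(SAMPLE_SERVICES))
    print(kerberoast_suspects(SAMPLE_4769))
```

The unquoted-path check deliberately stops before the real executable: the last candidate Windows tries is the genuine binary, and the interesting entries are the earlier ones in directories like `C:\` or `C:\Program Files\`, where permissions must be verified separately. For Kerberoasting, RC4 alone is not proof (legacy applications still request it), which is why the rule keys on one requester collecting tickets for several distinct service accounts.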
Cloud Privilege Escalation
In cloud environments, escalation often follows different paths:
- IAM role chaining (`iam:PassRole` and `sts:AssumeRole` abuse)
- Lambda/function execution role takeover (e.g. `lambda:UpdateFunctionCode` on a function that runs under a privileged role)
- Excessive permissions on identity providers
- Misconfigured federation trust
- Compromised CI/CD with overly permissive deploy roles
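The role-chaining and execution-role items above are combinations of individual IAM actions, so they can be found by static review of a policy document. The following is an added example (not code from the original page) that expands a constructed AWS policy and matches it against a small, constructed subset of well-documented escalation primitives. It honors explicit Deny but ignores Resource ARNs and Condition blocks, so its hits are leads to verify, not proof; the account ID and function ARNs are placeholders.

```python
"""Static check of an IAM policy document for privilege-escalation primitives."""
import fnmatch

# Constructed subset of documented AWS escalation combinations: if every action in a
# tuple is allowed, the principal can reach a more privileged identity.
ESCALATION_PATHS = {
    "CreatePolicyVersion": ("iam:CreatePolicyVersion",),           # rewrite own policy
    "AttachUserPolicy": ("iam:AttachUserPolicy",),                 # attach AdministratorAccess
    "PassRole+Lambda": ("iam:PassRole", "lambda:CreateFunction",   # run code as any passable role
                        "lambda:InvokeFunction"),
    "PassRole+EC2": ("iam:PassRole", "ec2:RunInstances"),          # instance profile takeover
    "UpdateFunctionCode": ("lambda:UpdateFunctionCode",),          # execution role takeover
    "AssumeRole": ("sts:AssumeRole",),                             # role chaining, if a trust policy permits
}


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def policy_patterns(policy):
    """Split a policy into lowercase Allow and Deny action patterns (wildcards kept)."""
    allows, denies = [], []
    for stmt in _as_list(policy.get("Statement")):
        bucket = allows if stmt.get("Effect") == "Allow" else denies
        bucket.extend(a.lower() for a in _as_list(stmt.get("Action")))
    return allows, denies


def is_allowed(action, allows, denies):
    """IAM semantics: an explicit Deny wins over any Allow. Actions are case-insensitive."""
    a = action.lower()
    if any(fnmatch.fnmatchcase(a, d) for d in denies):
        return False
    return any(fnmatch.fnmatchcase(a, p) for p in allows)


def escalation_findings(policy):
    """Names of ESCALATION_PATHS whose every action the policy allows."""
    allows, denies = policy_patterns(policy)
    return [name for name, needed in ESCALATION_PATHS.items()
            if all(is_allowed(a, allows, denies) for a in needed)]


# Constructed "deploy" policy of the kind often handed to a CI/CD runner.
WEAK_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole", "logs:*"], "Resource": "*"},
    ],
}

# Constructed scoped alternative: update only the app's functions, deny IAM and STS outright.
SCOPED_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:UpdateFunctionCode", "lambda:GetFunction"],
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:app-*"},
        {"Effect": "Deny", "Action": ["iam:*", "sts:AssumeRole"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("weak:  ", escalation_findings(WEAK_DEPLOY_POLICY))
    print("scoped:", escalation_findings(SCOPED_DEPLOY_POLICY))
```

The weak policy lets a compromised runner create and invoke a Lambda under any role it can pass, which is the PassRole chain from the list above. The scoped policy closes that, but `lambda:UpdateFunctionCode` still lets whoever holds the deploy credential run code under each target function's execution role, so those roles must themselves be least-privilege; a permission boundary or SCP on the deploy role is the usual way to cap the blast radius.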
Detection and Prevention
Defensive priorities:
- Apply least privilege rigorously and review entitlements regularly.
- Patch kernels and OS promptly, especially CISA KEV-listed CVEs.
- Use the Local Administrator Password Solution (LAPS) so a stolen local admin password does not work on other hosts.
- Monitor with EDR and Sysmon focused on escalation TTPs.
- Implement Tier 0 isolation for identity infrastructure.
- Run BloodHound to identify and prune AD attack paths.
- Limit cloud blast radius with permission boundaries and SCPs.
How We Teach Privilege Escalation
In our Cybersecurity Bootcamp, you won't just learn about Privilege Escalation in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.
Covered in:
Module 10: Penetration Testing and Ethical Hacking
360+ hours of expert-led training • CompTIA Security+ included