
Privilege Escalation

Privilege escalation is the technique by which an attacker who already has a foothold on a system obtains more privileges than the compromised account was granted, typically moving from a standard user account to local administrator or SYSTEM, and from there to domain administrator.

Privilege escalation is a step in nearly every successful intrusion: initial access (e.g., via phishing) usually yields only standard user privileges. To reach the actual objective, whether database access, ransomware deployment, or data exfiltration, the attacker needs higher privileges, most often local administrator or SYSTEM on the first host and then domain-level rights.

Two Main Categories

Vertical Privilege Escalation (the more critical of the two): privileges are raised from a lower to a higher level:

  • Standard user → local administrator
  • Local administrator → domain administrator
  • Application context → operating system level (root/SYSTEM)

Horizontal Privilege Escalation: access to other users' resources at the same permission level (e.g., reading another standard user's files or mailbox). It does not raise the attacker's privilege level, but it widens the set of data and accounts that can be reached.

Common Techniques (Windows / Active Directory)

  • Token Impersonation: Duplicating and impersonating the access token of a more privileged process, e.g. to run as SYSTEM. Usually requires SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, which service accounts (IIS, SQL Server) often hold, so compromising a web application frequently lands in exactly this position.
  • UAC Bypass: Moving a process belonging to a member of the local Administrators group from medium to high integrity without the User Account Control consent prompt. UAC is not a security boundary; the bypass only matters if the user is already a local administrator.
  • Unquoted Service Paths: A service whose image path contains spaces but no quotation marks (e.g. C:\Program Files\Vendor App\svc.exe) is resolved by trying each space-delimited prefix as an executable first (C:\Program.exe, C:\Program Files\Vendor.exe, ...). If the attacker can write to one of those directories, their binary runs with the service account's privileges, often SYSTEM.
  • AlwaysInstallElevated: When the AlwaysInstallElevated value is set to 1 under both HKLM and HKCU (SOFTWARE\Policies\Microsoft\Windows\Installer), any user can install an MSI package that runs with SYSTEM privileges. Only one of the two keys being set is not exploitable.
  • Kerberoasting / AS-REP Roasting: Domain-level credential attacks rather than local ones. Kerberoasting requests service tickets for accounts with a Service Principal Name and cracks the ticket offline to recover the account's password; AS-REP Roasting does the same with the AS-REP of accounts that have Kerberos pre-authentication disabled. Service accounts are frequently over-privileged, so a cracked password can be a direct route to domain administrator.
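The following PowerShell audit script is an added example, not code from the original page or any tool it mentions. It checks a Windows host for two of the misconfigurations listed above, unquoted service paths whose hijack candidates sit in a directory writable by broad groups, and the AlwaysInstallElevated pair of registry values. It is read-only and uses only built-in cmdlets; the ACL check is a heuristic (it looks for Allow entries granting CreateFiles to Everyone, Users or Authenticated Users, ignoring inherit-only entries), so treat its output as candidates to verify, not as confirmed findings.

```powershell
# Added example: audit a host for unquoted service paths and AlwaysInstallElevated.
# Read-only; works from a standard user session (Win32_Service and the ACLs it reads are
# readable by ordinary users). Heuristic ACL check, see Test-BroadWriteAccess.

function Get-HijackCandidates {
    param([string]$ExePath)
    # CreateProcess tries each space-delimited prefix as an executable before the real
    # file: for C:\Program Files\Vendor App\svc.exe it tries C:\Program.exe and
    # C:\Program Files\Vendor.exe first.
    $candidates = @()
    $idx = $ExePath.IndexOf(' ')
    while ($idx -ge 0) {
        $candidates += $ExePath.Substring(0, $idx) + '.exe'
        $idx = $ExePath.IndexOf(' ', $idx + 1)
    }
    return $candidates
}

function Test-BroadWriteAccess {
    param([string]$Directory)
    # Heuristic: an Allow ACE for a broad principal that grants CreateFiles (FILE_ADD_FILE)
    # on the directory itself. Inherit-only ACEs (e.g. the default "Modify on subfolders"
    # entry on C:\) do not apply to the directory and are skipped.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePaths {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' } |
        ForEach-Object {
            # Strip arguments: keep everything up to and including the first ".exe".
            if ($_.PathName -notmatch '^(?<exe>.+?\.exe)') { return }
            $exe = $Matches.exe
            if ($exe -notmatch ' ') { return }                     # no spaces, nothing to hijack
            if ($exe -match '^[A-Za-z]:\\Windows\\') { return }    # admin-only by default
            foreach ($candidate in Get-HijackCandidates -ExePath $exe) {
                $dir = Split-Path -Path $candidate -Parent
                if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-BroadWriteAccess -Directory $dir)) {
                    [pscustomobject]@{
                        Service   = $_.Name
                        RunsAs    = $_.StartName
                        ImagePath = $_.PathName
                        Hijack    = $candidate
                    }
                }
            }
        }
}

function Test-AlwaysInstallElevated {
    # Exploitable only when BOTH the machine and the user policy value are 1.
    $key  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = Get-ItemProperty -Path "HKLM:\$key" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    $hkcu = Get-ItemProperty -Path "HKCU:\$key" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    return ($hklm.AlwaysInstallElevated -eq 1 -and $hkcu.AlwaysInstallElevated -eq 1)
}

Get-UnquotedServicePaths | Format-Table -AutoSize
"AlwaysInstallElevated exploitable (HKLM and HKCU both 1): $(Test-AlwaysInstallElevated)"
```

A service listed with a hijack candidate whose directory is writable is a finding only if the service also runs as a privileged account (RunsAs) and can be restarted or survives a reboot; quoting the ImagePath and tightening the directory ACL fixes the root cause.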

Protective Measures

  • Least Privilege Principle: Users, services and applications are granted only the minimum privileges they need; in particular, service accounts should not be members of Domain Admins.
  • Regular privilege reviews: Who actually holds which privileges, and does each membership in a privileged group still have a justification?
  • Protected Users group for privileged AD accounts: members cannot authenticate with NTLM, cannot use DES or RC4 in Kerberos pre-authentication, cannot be delegated, and their credentials are not cached, which removes several of the credential-theft paths above.
  • Revoke local admin privileges: normal workstation users do not need local admin privileges; without them, UAC bypasses and many token-based techniques have nothing to build on.
  • LAPS (Windows LAPS or the legacy Local Administrator Password Solution): local administrator passwords are randomized per host and managed centrally, so a local admin hash or password recovered from one machine cannot be reused on others.
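As an added example of the privilege review recommended above (not code from the original page), the following PowerShell script enumerates the members of the Tier-0 groups in a domain and reports, for each account, whether it is enabled, whether it is in Protected Users, how old its password is, and whether it is exposed to the two Kerberos attacks mentioned earlier (a Service Principal Name makes it Kerberoastable; disabled pre-authentication makes it AS-REP roastable). It assumes the RSAT ActiveDirectory module and read access to the domain; the group names are the default English ones.

```powershell
# Added example: privilege review of Tier-0 Active Directory groups.
# Requires the RSAT ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

function Get-Tier0PrivilegeReview {
    param(
        # Default English group names; adjust for localized domains.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )
    # DistinguishedNames of everyone who is (directly or via nesting) in Protected Users.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty DistinguishedName)

    foreach ($group in $Groups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.DistinguishedName -Properties Enabled, LastLogonDate,
                        PasswordLastSet, ServicePrincipalName, DoesNotRequirePreAuth
                [pscustomobject]@{
                    Group           = $group
                    User            = $u.SamAccountName
                    Enabled         = $u.Enabled
                    ProtectedUser   = $protected -contains $u.DistinguishedName
                    LastLogon       = $u.LastLogonDate
                    PasswordAgeDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
                    Kerberoastable  = [bool]$u.ServicePrincipalName       # has an SPN
                    AsRepRoastable  = [bool]$u.DoesNotRequirePreAuth      # pre-auth disabled
                }
            }
    }
}

# Accounts that warrant immediate attention: privileged, enabled, and either outside
# Protected Users or exposed to offline ticket cracking.
Get-Tier0PrivilegeReview |
    Where-Object { $_.Enabled -and (-not $_.ProtectedUser -or $_.Kerberoastable -or $_.AsRepRoastable) } |
    Sort-Object Group, User |
    Format-Table -AutoSize
```

The unfiltered output of Get-Tier0PrivilegeReview is the full review list; the filtered view at the end is the short list to act on first: a privileged account with an SPN or without pre-authentication is exactly the target Kerberoasting and AS-REP Roasting look for.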