
    What is Privilege Escalation? | Definition & Guide

    Privilege escalation is the set of techniques adversaries use to obtain higher-level permissions within a compromised system or environment than those acquired during initial access. An attacker who gains access through a standard user account needs domain admin, root, or cloud IAM administrator privileges to access sensitive data, modify security configurations, deploy ransomware across an organization, or disable security tools. MITRE ATT&CK documents privilege escalation as tactic TA0004, covering techniques including exploitation of software vulnerabilities for local privilege escalation (T1068), abuse of elevation control mechanisms like sudo and setuid binaries (T1548), manipulation of access tokens (T1134), and exploitation of Active Directory misconfigurations to escalate from domain user to domain admin. Privilege escalation is a prerequisite for most high-impact adversary objectives and is closely linked to lateral movement; the two tactics often execute in tandem as the adversary expands both their access scope and permission level.

    Definition

    Privilege escalation is the process by which an adversary elevates their access permissions from a lower-privilege level (standard user, limited service account) to a higher-privilege level (domain admin, root, cloud IAM administrator) within a compromised environment. MITRE ATT&CK classifies privilege escalation as tactic TA0004, subdivided into techniques for local privilege escalation (gaining admin/root on a single system) and domain-level escalation (gaining domain admin or equivalent access across an Active Directory environment). The distinction matters operationally: an adversary with local admin on one workstation has limited impact, while an adversary with domain admin access can control every system in the domain — deploying ransomware, exfiltrating data, and disabling security tools across the entire organization.

    Why It Matters

    Privilege escalation is the prerequisite for almost every high-impact adversary action. Deploying ransomware across an enterprise requires domain-level credentials to push the payload to multiple systems. Accessing sensitive databases requires database admin or service account credentials. Disabling EDR agents requires local admin privileges on each endpoint, or domain-level access to push a group policy that disables the security tool. Exfiltrating cloud data at scale requires cloud IAM privileges that exceed the initial foothold.

    The implication for defenders is that privilege escalation detection is a high-value detection opportunity. If the SOC can identify and block escalation attempts, the adversary remains confined to a low-privilege foothold with limited ability to achieve their objectives. This is why zero trust architecture emphasizes the principle of least privilege: reducing the permissions available to any account limits the damage an adversary can cause even if that account is compromised, and makes escalation attempts more visible because they deviate from the account's normal permission boundaries.

    The challenge is that many privilege escalation techniques exploit legitimate administrative mechanisms rather than software vulnerabilities. Active Directory misconfigurations — unconstrained delegation, excessive group memberships, writable Group Policy Objects — provide escalation paths that use intended AD functionality. Kerberoasting extracts service account credentials through legitimate Kerberos ticket requests. These techniques do not require exploitation of a vulnerability; they abuse the intended design of the system in ways that the system's administrators did not anticipate when they configured it.

    How It Works

    Privilege escalation operates at multiple levels:

    1. Local privilege escalation — The adversary elevates from a standard user to local administrator or root on the compromised system. On Windows, techniques include exploiting unpatched local privilege escalation vulnerabilities (kernel exploits, service misconfigurations), abusing UAC (User Account Control) bypass techniques, DLL hijacking in elevated processes, and exploiting misconfigured service permissions. On Linux, techniques include exploiting setuid binaries, kernel vulnerabilities, sudo misconfigurations, and writable cron jobs. The result is full control over the local system, enabling the adversary to dump credentials, install persistence mechanisms, and disable local security tools.

    2. Domain-level escalation — In Active Directory environments, the adversary escalates from a standard domain user to domain admin or equivalent. Kerberoasting (T1558.003) requests Kerberos service tickets for service accounts, then cracks the ticket encryption offline to obtain the service account's password — and service accounts often have domain admin privileges. AS-REP Roasting (T1558.004) targets accounts configured without Kerberos pre-authentication. DCSync (T1003.006) uses domain replication privileges to extract password hashes for all domain accounts directly from a domain controller. BloodHound, a widely-used open-source tool, automates the mapping of Active Directory attack paths from any user account to domain admin.

    3. Cloud privilege escalation — In cloud environments (AWS, Azure, GCP), escalation targets IAM roles and service account permissions. An adversary with access to a developer's workstation may find AWS access keys with limited permissions, then discover that those permissions include the ability to assume a more privileged IAM role (sts:AssumeRole). In Azure, escalation paths include exploiting Azure AD role assignments, consent grants, and managed identity configurations. Cloud privilege escalation often exploits the gap between intended permissions and actual permissions — overly permissive IAM policies that grant more access than the role requires.

    4. Detection and prevention — Privilege escalation detection focuses on monitoring for: credential access patterns (LSASS dumps, Kerberoasting ticket requests), unusual use of administrative tools by non-admin accounts, changes to group memberships and role assignments, and exploitation indicators (kernel exploit artifacts, UAC bypass patterns). Prevention relies on reducing escalation opportunity: patching local privilege escalation vulnerabilities promptly, enforcing least-privilege IAM policies, eliminating unnecessary domain admin accounts, protecting service account credentials, and deploying ITDR platforms that monitor identity-based attack patterns.
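    The cloud escalation path in item 3 comes down to a policy that grants more than the role needs. The following added example (not code from the original page or from any vendor) shows a constructed developer policy with the weak setting, an `sts:*` allow on `Resource: "*"`, beside the scoped version that pins `sts:AssumeRole` to a single role ARN, and a small linter that flags the over-broad grant. The policy contents, account number and role names are made up for illustration; the statement shape and the case-insensitive wildcard matching of IAM action names are real IAM behaviour.

```python
"""Lint an IAM policy document for over-broad sts:AssumeRole grants."""
import fnmatch
import json

# Constructed sample policies (not from any real account). The first is the
# weak setting: a developer policy whose second statement lets the principal
# call any STS action against any resource, so it can assume every role whose
# trust policy accepts this principal. The second pins the grant to one role.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::dev-artifacts/*"},
        {"Effect": "Allow", "Action": "sts:*", "Resource": "*"},
    ],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::dev-artifacts/*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/dev-readonly"},
    ],
})


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are matched case-insensitively and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_is_broad(resource):
    """A resource pattern containing a wildcard does not pin one account and one
    role name, so it deserves review; '*' is the fully open case."""
    return "*" in resource


def find_overbroad_assume_role(policy_json):
    """Return one finding per Allow statement that grants sts:AssumeRole against
    a wildcard resource. NotAction/NotResource statements are not evaluated
    here; treat their presence as a separate review item."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        grants_assume = any(_action_matches(a, "sts:AssumeRole") for a in actions)
        broad = [r for r in resources if _resource_is_broad(r)]
        if grants_assume and broad:
            findings.append(f"statement {idx}: {actions} allowed on {broad}")
    return findings


if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_overbroad_assume_role(doc) or "no over-broad AssumeRole grants")
```

    Running the script reports the permissive policy's second statement and nothing for the scoped one. The check is deliberately conservative: a wildcard anywhere in the role ARN is reported for review, because even `arn:aws:iam::123456789012:role/dev-*` widens the blast radius every time a new role matching that prefix is created.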
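    Item 4 names two of the monitoring signals a SOC would wire up first: Kerberoasting ticket requests and changes to privileged group memberships. The following added example (not code from the original page or from any vendor product) runs both detections over a handful of constructed Windows Security events. Field names follow the Security log schema for event 4769 (Kerberos service ticket requested) and 4728 (member added to a global group); the account names, timestamps, addresses, the five-minute window and the three-service threshold are all assumptions for illustration and would be tuned per domain.

```python
"""Two privilege-escalation detections over Windows Security log events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (names, times and addresses are made up). Field
# names follow the Windows Security log schema: 4769 is "A Kerberos service
# ticket was requested"; 4728 is "A member was added to a security-enabled
# global group", where TargetUserName is the group and MemberName the account.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:01", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:02", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc-web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:05", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc-backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:09", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc-report", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    # Routine traffic: an AES (0x12) ticket for one service, and a computer-account SPN.
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:00", "TargetUserName": "afoster@CORP.LOCAL",
     "ServiceName": "svc-web", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.22"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:30", "TargetUserName": "WS07$@CORP.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    # Group membership changes: one to a privileged group, one to a business group.
    {"EventID": 4728, "TimeCreated": "2024-05-01T09:03:00", "SubjectUserName": "tadmin",
     "MemberName": "CN=Bob Lee,OU=Users,DC=corp,DC=local", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2024-05-01T09:04:00", "SubjectUserName": "tadmin",
     "MemberName": "CN=Carol Ng,OU=Users,DC=corp,DC=local", "TargetUserName": "Marketing"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal group


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Flag an account that requests RC4-HMAC (0x17) service tickets for several
    distinct user-account SPNs within a short window. Thresholds are assumptions
    to tune per domain; legacy applications can still legitimately use RC4."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != "0x17":
            continue
        svc = e.get("ServiceName", "")
        # Computer accounts ($) and krbtgt have long random passwords, so they
        # are noise for this indicator rather than a target of it.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), svc))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts.append({"rule": "kerberoasting", "account": user,
                               "services": sorted(services)})
                break  # one alert per account is enough for triage
    return alerts


def detect_privileged_group_changes(events):
    """Flag any addition to a privileged group; each should match a change record."""
    return [{"rule": "privileged_group_change", "group": e["TargetUserName"],
             "member": e.get("MemberName"), "actor": e.get("SubjectUserName")}
            for e in events
            if e.get("EventID") in GROUP_CHANGE_EVENTS
            and e.get("TargetUserName") in PRIVILEGED_GROUPS]


def run_detections(events):
    return detect_kerberoasting(events) + detect_privileged_group_changes(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

    On the sample data the script raises one Kerberoasting alert for the account that pulled four RC4 tickets in eight seconds and one privileged-group alert for the Domain Admins addition; the AES request and the computer-account ticket are ignored. In a real pipeline the same logic would sit over a SIEM query, and the privileged-group rule should be correlated with the change-management system rather than alerting on every addition.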

    Privilege Escalation and SEO/AEO

    Privilege escalation is a technique-focused search term that attracts security engineers, penetration testers, and detection engineers evaluating their organization's exposure to identity-based attacks. We target privilege escalation and related identity security terminology as part of our cybersecurity SEO practice because content addressing escalation paths, Active Directory attack techniques, and the connection between privilege management and zero trust architecture resonates with the security professionals responsible for both offensive testing and defensive detection of these high-impact techniques.
