Privilege escalation is the technique of expanding access rights beyond what was initially obtained, allowing an attacker to perform actions that would otherwise be blocked. It is a near-universal step in any serious attack, because the initial foothold rarely provides enough access to cause significant impact on its own.

There are two forms of privilege escalation:

  • Vertical privilege escalation means moving from a lower-privileged account to a higher one, for example from a standard user to a local administrator or domain admin.
  • Horizontal privilege escalation means accessing resources belonging to a different account at the same privilege level, such as reading another user’s files or email.

Both are relevant depending on the attacker’s objective.

Vertical escalation is typically achieved by:

  • exploiting unpatched operating system or application vulnerabilities
  • abusing misconfigured services or scheduled tasks that run with elevated privileges
  • harvesting credentials from browser storage, configuration files, or memory
  • exploiting weak file and registry permissions

In Windows environments, token impersonation and abuse of the SeImpersonatePrivilege are particularly common paths to SYSTEM-level access. In Linux environments, misconfigured sudo rules, SUID binaries, and writable cron jobs are frequent vectors.
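The Linux vectors named above (sudo rules, SUID binaries, writable cron jobs) are the kind of thing a defender can audit from configuration snapshots. The following is an added example, not code from the original article: it runs over a constructed sudoers fragment and a constructed list of file modes, and the allowlist of expected setuid binaries is a hypothetical placeholder.

```python
import re
import stat

# Constructed sudoers snapshot (hypothetical content, not taken from any real host).
SUDOERS_SAMPLE = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) ALL
deploy          ALL=(ALL) NOPASSWD: ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Constructed file snapshot as (path, st_mode, owner), e.g. collected with os.lstat().
FILES_SAMPLE = [
    ("/etc/cron.d/backup", 0o100644, "root"),
    ("/etc/cron.d/deploy", 0o100666, "root"),   # world-writable cron job
    ("/usr/bin/passwd", 0o104755, "root"),     # setuid, expected
    ("/opt/tool/helper", 0o104755, "root"),    # setuid, not on the allowlist
]
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}  # hypothetical allowlist

# user  host=(runas) TAG: commands  (runas group and tags are optional)
SUDO_RULE = re.compile(r"^(\S+)\s+(\S+)=(?:\(([^)]*)\))?\s*((?:[A-Z]+:\s*)*)(.+)$")

def audit_sudoers(text):
    """Return (principal, severity, finding) for sudo rules that widen privileges."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m or m.group(1) == "root":
            continue  # unparsable line, or root (already fully privileged)
        who, tags, cmds = m.group(1), m.group(4), m.group(5).strip()
        nopasswd = "NOPASSWD:" in tags
        if cmds == "ALL":
            sev = "high" if nopasswd else "medium"
            findings.append((who, sev, "unrestricted sudo" + (" without password" if nopasswd else "")))
        elif nopasswd:
            findings.append((who, "low", "passwordless sudo for " + cmds))
    return findings

def audit_files(files, expected_suid=EXPECTED_SUID):
    """Flag world-writable cron entries and setuid/setgid files outside the allowlist."""
    findings = []
    for path, mode, _owner in files:
        if path.startswith("/etc/cron") and mode & stat.S_IWOTH:
            findings.append((path, "high", "world-writable cron job"))
        if mode & (stat.S_ISUID | stat.S_ISGID) and path not in expected_suid:
            findings.append((path, "medium", "setuid/setgid file outside allowlist"))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SUDOERS_SAMPLE) + audit_files(FILES_SAMPLE):
        print(*finding)
```

On a real host the same functions can be fed `/etc/sudoers` (plus `/etc/sudoers.d/*`) and the output of a `find` over cron directories and setuid files, with the allowlist replaced by the distribution's known setuid set.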

Attaining administrator or domain admin privileges can change the nature of a compromise entirely, because a Domain Admin can access every machine on the network, extract all credentials from Active Directory, modify audit logs, and deploy software to any endpoint.

Internal penetration testing specifically tests whether privilege escalation paths exist within your environment by starting from a position of access that a realistic attacker would have after an initial compromise. Combined with lateral movement techniques, privilege escalation is the mechanism through which attackers reach critical systems from a low-value starting point.