Privilege escalation is not a standalone attack. It is the pivot point in almost every serious intrusion: the step between “I have a foothold” and “I own this environment.” Without escalated rights, an adversary with an initial low-privileged shell can read some files and exfiltrate limited data. With them, they can dump credentials, disable endpoint defences, and establish persistence that survives reboots and reimaging. Understanding where privilege escalation sits in the kill chain shapes how defenders prioritise detection and containment.
Where Privilege Escalation Fits in an Attack
Most intrusions follow a recognisable sequence. Attackers gain initial access through phishing, a vulnerable internet-facing service, or a misconfigured cloud resource. That initial access is usually low-privilege: a web application running as a restricted user, a VPN credential from a phished employee, or a service account with limited scope.
Privilege escalation comes next, turning that foothold into something actionable. Once elevated, attackers move to credential access, dumping password hashes or Kerberos tickets that let them authenticate across the network. Lateral movement to high-value targets follows. The escalation step is the hinge. Defenders who catch it early, before credentials are dumped and lateral movement begins, contain an intrusion rather than investigating its aftermath.
Vertical and Horizontal Escalation
The two forms of privilege escalation serve different purposes in an attack chain.
Vertical escalation increases the privilege level: standard user to local admin, local admin to domain admin, or any account to root or SYSTEM. This grants the rights needed to read protected credential stores, disable antivirus, install rootkits, and stage data for exfiltration.
Horizontal escalation expands the attacker’s reach without going higher. A compromised account gains access to other accounts at the same privilege level. In Active Directory environments, this means moving from one workstation to another. In web applications, it means reading another user’s data. Horizontal escalation often leads to vertical escalation: compromise a machine where an admin user is cached, harvest their credentials, then escalate vertically from there.
Common Escalation Routes
Kernel and OS Exploits
When an environment is unpatched, kernel exploits offer reliable escalation without needing a misconfiguration. Dirty COW (CVE-2016-5195) is the textbook example: a race condition in the Linux kernel's copy-on-write handling let any local user write to files they could only read, including SUID root binaries, which is enough to gain root. It required no special configuration, affected virtually every Linux distribution then in support, and was already being exploited in the wild when the patch shipped. Kernel-level privilege escalation bugs surface regularly; environments that delay patching stay exposed.
Misconfigured Services and File Permissions
In practice, configuration errors are more common than kernel exploits. On Linux, SUID binaries set on root-owned executables, world-writable cron directories, and overpermissive sudoers entries are standard findings in post-compromise enumeration. On Windows, services with writable binary paths, DLL search order hijacking, and unquoted service paths account for a large share of local privilege escalation findings in penetration tests.
Unquoted service paths are a persistent example of a simple misconfiguration with serious consequences. A service path like C:\Program Files\Vendor App\service.exe without quotes causes Windows to try C:\Program.exe first, then C:\Program Files\Vendor.exe, before reaching the real binary. An attacker who can write to any of those intermediate directories can drop a payload there and wait for the service to restart, at which point it runs as SYSTEM. On a default installation neither the root of C: nor Program Files lets a standard user create files, so the finding usually matters when a vendor installed into a custom directory and loosened its permissions.
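As an added example (not from the original article), the following Python reproduces the search CreateProcess performs on an unquoted path and filters the candidates to directories the attacker can write. The ImagePath values and the writable-directory list are constructed, because ACLs cannot be read offline; C:\Tools stands in for a vendor directory with loosened permissions.

```python
# Added example: enumerate the hijack points an unquoted Windows service path exposes.
# ImagePath values and the writable-directory list are constructed for illustration.

SAMPLE_IMAGE_PATHS = {
    # Unquoted, spaces in the path, installed under a directory the vendor left writable.
    "ToolsSvc": r"C:\Tools\Vendor App\bin\service.exe -k netsvc",
    # Unquoted but under Program Files, whose default ACL blocks standard users from writing.
    "VendorSvc": r"C:\Program Files\Vendor App\service.exe /run",
    # Properly quoted: no ambiguity for CreateProcess.
    "QuotedSvc": r'"C:\Program Files\Other Vendor\svc.exe" --daemon',
    # No spaces at all.
    "HostSvc": r"C:\Windows\System32\svchost.exe -k LocalService",
}


def executable_from_image_path(image_path: str):
    """Return the executable portion of an unquoted ImagePath, or None if it is quoted.

    The executable is taken to end at the first whitespace-separated token ending in .exe;
    anything after it is arguments. (Assumption for this example; a real path can omit .exe.)
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return None
    tokens = image_path.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return image_path


def hijack_candidates(exe_path: str):
    r"""Paths CreateProcess tries, in order, before reaching the real executable.

    For C:\Program Files\Vendor App\service.exe this is
    ['C:\Program.exe', 'C:\Program Files\Vendor.exe'].
    """
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def writable_hijack_points(exe_path: str, writable_dirs):
    """Candidates whose parent directory is in the caller-supplied list of writable directories."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    return [c for c in hijack_candidates(exe_path) if c.rsplit("\\", 1)[0].lower() in writable]


def audit_services(image_paths, writable_dirs):
    """Map service name -> drop paths, for every unquoted path with a writable hijack point."""
    findings = {}
    for name, image_path in image_paths.items():
        exe = executable_from_image_path(image_path)
        if exe is None or " " not in exe:
            continue  # quoted, or no spaces: nothing for CreateProcess to misparse
        hits = writable_hijack_points(exe, writable_dirs)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    # Assumed writable directory; on a default install C:\ and Program Files are not.
    for svc, drops in audit_services(SAMPLE_IMAGE_PATHS, [r"C:\Tools"]).items():
        print(f"{svc}: a payload at {drops} runs as the service account on next start")
```

On a live host the writable-directory list would come from the ACLs of each candidate's parent directory; the expansion logic is the same.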
Token Impersonation
Windows processes carry access tokens that define their security context. An attacker holding SeImpersonatePrivilege can coerce a higher-privileged process, typically one running as SYSTEM, into connecting to an attacker-controlled named pipe, then impersonate the token that connection carries. That privilege is assigned by default to many service accounts, including IIS application pool identities and SQL Server service accounts, so a web shell in an IIS worker process often starts with it. PrintSpoofer, GodPotato, and the wider Potato family of tools automate this sequence. Which variant works depends on the Windows build, because Microsoft has closed individual coercion primitives over the years, but the underlying privilege abuse is by design rather than a patchable bug, so a working variant generally exists for current builds.
Credential Reuse and LSASS Dumping
Sometimes escalation requires no technical exploit at all. If the local administrator account uses the same password on many machines, the NTLM hash recovered from one of them can be passed directly to authenticate to the others; it does not need to be cracked. LSASS memory holds credential material including NTLM hashes, Kerberos tickets and, where WDigest caching is still enabled on older configurations, plaintext passwords. Mimikatz, SharpDump, and Cobalt Strike's built-in credential extraction all target it. Any process with SeDebugPrivilege can open LSASS for reading, and members of the local Administrators group hold that privilege by default.
Attacker Tooling
LinPEAS and WinPEAS are the standard first-run enumeration tools after initial access. They scan the local system for escalation opportunities: SUID binaries, writable paths, cron jobs, weak service permissions, and kernel versions mapped against a built-in exploit database. They produce dense output that attackers triage for the fastest path to elevated rights, often within minutes of getting a shell.
BloodHound maps Active Directory relationships graphically, showing the shortest path from any compromised account to Domain Admins. It turns what was previously a labour-intensive manual exercise into a near-instant graph query. DCSync, shadow credentials, and Resource-Based Constrained Delegation attacks all surface as BloodHound paths before an attacker executes them.
For credential extraction, Mimikatz remains the dominant tool despite detection improvements. Rubeus handles Kerberos ticket operations without touching LSASS. Certipy targets Active Directory Certificate Services misconfigurations for escalation paths that bypass credential-dumping defences entirely. The toolset keeps evolving to stay ahead of detection.
What Defenders Need to Monitor
Catching privilege escalation requires telemetry at the process and token level. On Windows, the critical events are Security log 4688 (process creation; enable the audit policy option that includes the command line, otherwise the event is far less useful), 4672 (special privileges assigned to a new logon), 4673 (a privileged service was called, i.e. sensitive privilege use), and System log 7045 (a new service was installed; 4697 is the Security log counterpart where Audit Security System Extension is enabled). Together these form the core of escalation detection. Correlate them against a baseline of normal behaviour to surface anomalies.
For credential-dumping detection, monitor processes opening LSASS with PROCESS_VM_READ access; Sysmon event 10 records the requesting image and the granted access mask. Most credential-dumping tools need that right to read the process memory. Windows Defender Credential Guard lowers the impact by isolating domain credential material in a VBS-protected process, but it does not cover everything LSASS holds, and monitoring remains necessary for environments that cannot enable it.
On Linux, auditd rules on execve for known SUID binaries, writes to /etc/sudoers and cron directories, and changes to file capabilities catch most filesystem-based escalation. eBPF-based tools such as Falco provide richer kernel-level telemetry and flag anomalous parent-child process relationships, including a web server spawning a shell or a database process making outbound connections.
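As an added example (not from the original article), here are the two Linux signals above, a web server with a shell among its descendants and a non-root user executing something that runs as root, implemented as rules over a constructed execve log. The records, the server and shell name sets, and the expected-SUID baseline are all assumptions; a real feed would come from auditd or an eBPF probe.

```python
# Added example: Falco-style parent/child and uid-transition rules over a constructed process log.
# Each record stands in for one execve; pids, uids and paths are fabricated.

# Programs that should not appear beneath a web or database server.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "python3", "perl", "nc", "ncat", "curl", "wget"}
# Service processes whose children deserve scrutiny.
SERVER_COMMS = {"nginx", "apache2", "httpd", "php-fpm", "postgres", "mysqld"}
# SUID-root binaries a normal user legitimately runs (constructed baseline).
EXPECTED_SUID = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/newgrp"}

SAMPLE_EXECS = [
    {"pid": 1,   "ppid": 0,   "uid": 0,    "euid": 0,    "comm": "systemd",  "exe": "/usr/lib/systemd/systemd"},
    {"pid": 800, "ppid": 1,   "uid": 0,    "euid": 0,    "comm": "nginx",    "exe": "/usr/sbin/nginx"},
    {"pid": 801, "ppid": 800, "uid": 33,   "euid": 33,   "comm": "nginx",    "exe": "/usr/sbin/nginx"},
    {"pid": 802, "ppid": 801, "uid": 33,   "euid": 33,   "comm": "sh",       "exe": "/bin/sh"},          # webshell
    {"pid": 803, "ppid": 802, "uid": 33,   "euid": 33,   "comm": "curl",     "exe": "/usr/bin/curl"},    # second stage
    {"pid": 900, "ppid": 1,   "uid": 0,    "euid": 0,    "comm": "sshd",     "exe": "/usr/sbin/sshd"},
    {"pid": 901, "ppid": 900, "uid": 1000, "euid": 1000, "comm": "bash",     "exe": "/bin/bash"},        # normal login
    {"pid": 902, "ppid": 901, "uid": 1000, "euid": 0,    "comm": "passwd",   "exe": "/usr/bin/passwd"},  # expected SUID
    {"pid": 903, "ppid": 901, "uid": 1000, "euid": 0,    "comm": "bkhelper", "exe": "/opt/vendor/bkhelper"},  # unexpected
]


def ancestors(table, pid):
    """Walk ppid links upward from pid, yielding each ancestor record; guards against cycles."""
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        rec = table[pid]
        yield rec
        pid = rec["ppid"]


def server_spawned_shell(execs):
    """Shell-like processes with a web or database server anywhere in their ancestry."""
    table = {e["pid"]: e for e in execs}
    findings = []
    for e in execs:
        if e["comm"] not in SHELL_LIKE:
            continue
        for anc in ancestors(table, e["ppid"]):
            if anc["comm"] in SERVER_COMMS:
                findings.append({"rule": "server_spawned_shell", "pid": e["pid"],
                                 "detail": f"{anc['comm']}[{anc['pid']}] -> {e['comm']}[{e['pid']}]"})
                break
    return findings


def unexpected_suid_root(execs):
    """A non-root user executing a binary that runs with euid 0, outside the expected SUID set."""
    return [{"rule": "unexpected_suid_root", "pid": e["pid"], "detail": e["exe"]}
            for e in execs if e["uid"] != 0 and e["euid"] == 0 and e["exe"] not in EXPECTED_SUID]


def run_rules(execs):
    """All findings, ordered by pid so output is stable."""
    return sorted(server_spawned_shell(execs) + unexpected_suid_root(execs), key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EXECS):
        print(f"[{f['rule']}] pid {f['pid']}: {f['detail']}")
```

Walking the whole ancestry, rather than checking only the immediate parent, is what catches the curl launched from the webshell. The uid/euid comparison is the same condition the auditd rule `-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid` expresses; the eBPF approach adds the process lineage that auditd alone does not give you.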
Behavioural detections matter as much as signature matching. A process running at a higher integrity level than the parent that spawned it is worth immediate investigation. So is a user account suddenly added to an administrative group, or a service account that reads LSASS memory. These signals apply regardless of whether a known-bad hash matches.
Frequently Asked Questions
Does privilege escalation always require running exploit code?
No. Misconfigured IAM roles, overly permissive cloud resource policies, and Active Directory ACL misconfigurations all grant escalated rights without any exploit. An attacker who finds a service account with GenericWrite over a privileged user object can set an SPN on it and Kerberoast the resulting ticket, or write a key to its msDS-KeyCredentialLink attribute (the shadow credentials technique) and authenticate as that user; neither step runs an exploit binary.
What stopped the older Potato attacks on modern Windows?
Microsoft changed the DCOM OXID resolution behaviour that JuicyPotato and RottenPotato relied on in Windows 10 1809 and Windows Server 2019, so attackers moved to PrintSpoofer, which coerces the Print Spooler service into connecting to an attacker-controlled named pipe. PrintSpoofer needs the Spooler service running; many organisations disabled Spooler on servers after the PrintNightmare disclosure (a separate remote code execution bug), which removed that path, and tools such as RoguePotato, GodPotato and SweetPotato returned to DCOM and RPC coercion instead. The underlying SeImpersonatePrivilege abuse remains possible because the privilege itself is legitimately required by many services.
How do cloud privilege escalation paths differ from on-premises?
Cloud escalation paths are usually permission-based rather than exploit-based. In AWS, a role allowed iam:AttachRolePolicy on its own ARN can attach the AdministratorAccess managed policy to itself without touching an exploit. In Azure, a service principal with a Key Vault access policy or data-plane role that permits reading secrets (the management-plane Reader role alone does not) can pull admin credentials stored there directly. Pacu enumerates AWS escalation paths; ROADtools does the same for Azure AD (now Entra ID). The principle matches on-premises: find the grant that confers more rights than intended.
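The following Python is an added example, not from the original article, of the static check behind the AWS case: evaluate a policy document for actions that let the principal raise its own rights. The action list is a subset of what Pacu's iam__privesc_scan module looks for; the policies, account id and role ARN are constructed, and Condition, NotAction and NotResource are deliberately not modelled.

```python
# Added example: find self-escalation permissions in an IAM policy document.
# Policies, account id and role ARN are constructed; the action list is an illustrative subset.
import fnmatch

SELF_ESCALATION_ACTIONS = {
    "iam:AttachRolePolicy": "attach AdministratorAccess to the principal's own role",
    "iam:PutRolePolicy": "write an inline admin policy on the principal's own role",
    "iam:AttachUserPolicy": "attach AdministratorAccess to a user the principal can reach",
    "iam:PutUserPolicy": "write an inline admin policy on a user the principal can reach",
    "iam:CreatePolicyVersion": "publish a permissive version of an attached managed policy",
    "iam:SetDefaultPolicyVersion": "switch an attached managed policy to a permissive version",
    "iam:UpdateAssumeRolePolicy": "let the principal assume a more privileged role",
    "iam:CreateAccessKey": "mint access keys for a more privileged user",
}

ACCOUNT = "123456789012"                                 # constructed account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/app-deployer"   # constructed principal

WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-artifacts/*"},
        # Looks scoped ("only app-* roles"), but the principal's own role matches the pattern
        # and the action wildcard covers more than the author probably intended.
        {"Effect": "Allow", "Action": "iam:*RolePolicy",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/app-*"},
        {"Effect": "Deny", "Action": "iam:PutRolePolicy", "Resource": "*"},
    ],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-artifacts/*"},
        # Read-only on its own role; no write on any IAM object.
        {"Effect": "Allow", "Action": "iam:GetRolePolicy", "Resource": ROLE_ARN},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def statement_covers(stmt, action, resource_arn):
    """True if the statement's Action and Resource patterns both match.

    IAM action names are case-insensitive and support '*' and '?' wildcards, which fnmatch
    reproduces. NotAction, NotResource and Condition are not modelled here.
    """
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource_arn, r) for r in resources))


def escalation_paths(policy, principal_arn):
    """Self-escalation actions the policy allows against principal_arn (or against everything)
    that no explicit Deny blocks. Conditions are ignored, so this over-reports, never under-reports.
    Actions aimed at other identities only register when the Resource also covers principal_arn."""
    stmts = _as_list(policy["Statement"])
    found = {}
    for action, consequence in SELF_ESCALATION_ACTIONS.items():
        allowed = any(s["Effect"] == "Allow" and statement_covers(s, action, principal_arn) for s in stmts)
        denied = any(s["Effect"] == "Deny" and statement_covers(s, action, principal_arn) for s in stmts)
        if allowed and not denied:
            found[action] = consequence
    return found


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, escalation_paths(policy, ROLE_ARN))
```

The weak policy flags two actions, not one: iam:*RolePolicy also matches iam:UpdateAssumeRolePolicy, which is the kind of over-grant action wildcards produce. The remediation is either to list actions explicitly and exclude the principal's own ARN from the Resource, or to attach a permissions boundary so that whatever the role grants itself cannot exceed the boundary.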
Is MFA effective against privilege escalation?
MFA protects the authentication step, not post-authentication privilege abuse. Pass-the-hash and pass-the-ticket attacks bypass the authentication step entirely by reusing credential material, so MFA does not help once an attacker has a valid hash or Kerberos ticket. MFA reduces initial foothold risk, but privilege escalation requires separate controls: least privilege assignment, PAM tooling, and detection at the process and token level.
