Privilege Escalation
Privilege Escalation (PrivEsc) is the process of gaining higher-level permissions on a system than were initially granted, usually moving from a limited user to an administrative context (Windows: Administrator, SYSTEM; Linux: root).
In red teaming and adversary simulations, this is a critical post-exploitation milestone, enabling control, persistence, and pivoting within a network.
Why Privilege Escalation Matters
Initial access often lands an operator in a restricted context:
- Limited shell from a phished user
- Web app RCE as www-data
- Initial C2 beacon running as a service account
With these constraints, the attacker can't:
- Install persistence mechanisms in protected areas
- Access credential stores (e.g., SAM, LSA secrets, LSASS)
- Dump memory or sensitive logs
- Manipulate system services or security settings
- Move laterally across boundaries like UAC, domains, or containers
PrivEsc unlocks post-ex capabilities, turning a foothold into a beachhead.
Types of Privilege Escalation
Horizontal vs Vertical
| Type | Description |
|---|---|
| Vertical | Low → High (e.g., user → SYSTEM) |
| Horizontal | Lateral in scope: gaining access to another user's account with equivalent privileges, often to reach different resources |
On Windows
| Category | Examples |
|---|---|
| Unquoted Service Paths | Services with spaces in path without quotes |
| Insecure Registry Permissions | Writeable keys in HKLM\SYSTEM\... |
| DLL Hijacking | Abuse of DLL load order in services or apps |
| Token Impersonation | Steal or impersonate tokens (e.g., Incognito, PrintSpoofer) |
| UAC Bypass | Masquerading as trusted binaries (fodhelper.exe, eventvwr.exe) |
| Scheduled Tasks | Abuse of misconfigured or writable tasks |
| AlwaysInstallElevated | Misconfigured installer policies |
On Linux/macOS
| Category | Examples |
|---|---|
| SUID Binaries | Find misconfigured files with find / -perm -4000 |
| Cron Jobs | Writable or weakly configured scheduled tasks |
| Shell Escapes | From limited shells into full TTYs |
| Weak Permissions | Writable system scripts run by root |
| Kernel Exploits | e.g., Dirty COW, Dirty Pipe, Stack Clash |
| PATH Hijacking | Replace binaries in PATH if running as root |
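A defender-side audit for the SUID, cron and weak-permission rows above, as an added example that is not part of the original page: it lists setuid/setgid files under a tree, diffs them against an allowlist (assumed to be one absolute path per line, e.g. the set the distro is expected to ship) and flags world-writable files in a directory whose contents root runs on a schedule. The paths in the usage line are assumptions.

```sh
#!/bin/sh
# Defender-side audit helpers (added example, not part of the original page).
# Assumed inputs: a directory tree to scan, a plain-text allowlist with one
# absolute path per line (the setuid files the distro is expected to ship),
# and a cron directory whose files run as root.

# find_setuid DIR: print setuid/setgid regular files under DIR, sorted.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_setuid DIR ALLOWLIST: setuid/setgid files whose path is not an
# exact line in ALLOWLIST. Anything printed here needs a justification or a
# chmod u-s; an unknown setuid file is a classic escalation foothold.
unexpected_setuid() {
    find_setuid "$1" | grep -vxF -f "$2"
}

# writable_cron_scripts DIR: files under DIR that are world-writable. Root
# executes these on a schedule, so whoever can edit them runs code as root.
writable_cron_scripts() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# audit_host BIN_DIR ALLOWLIST CRON_DIR: run both checks and report.
# Returns 1 if anything was flagged, so it can gate a CI or config-check job.
audit_host() {
    bad=0
    unexpected=$(unexpected_setuid "$1" "$2" || true)
    writable=$(writable_cron_scripts "$3")
    if [ -n "$unexpected" ]; then
        echo "setuid/setgid files not in allowlist:"; echo "$unexpected"; bad=1
    fi
    if [ -n "$writable" ]; then
        echo "world-writable files in $3:"; echo "$writable"; bad=1
    fi
    return "$bad"
}

# Usage (assumed paths): audit_host /usr/bin /etc/setuid-allowlist.txt /etc/cron.d
```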
Tools & Techniques
Popular enumeration and escalation tools include:
These tools automate the detection of misconfigs and exploitation pathways.
OPSEC Considerations
Privilege escalation often involves:
- Writing to disk (exploits, binaries)
- Loading unsigned code or DLLs
- Triggering EDR-monitored events (e.g., reg add, schtasks, seclogon)
Mitigation:
- Use in-memory techniques (e.g., Cobalt Strikeβs Beacon, Sliverβs BOFs)
- Abuse native tools and avoid spawning child processes
- Clean up logs and artifacts after testing exploitability
Goals After Escalation
Once escalation is successful:
- Dump credentials from LSASS or SAM
- Pivot to sensitive services (SQL, RDP, AD tools)
- Establish persistence with higher integrity
- Modify or disable AV/EDR settings
- Hijack network-bound processes
Where Does PrivEsc Fit?
Initial Access → Execution → [ Post-Ex Recon ] → [ Privilege Escalation ] → Persistence → Lateral Movement → Objectives
It often occurs early in the post-exploitation phase, enabling or enhancing the effectiveness of all other actions.
Summary
Privilege escalation isn't just about admin rights; it's about control. It widens your operational scope, enhances stealth and durability, and sets the stage for deeper access and broader compromise.
Whether you're simulating adversaries or defending real networks, understanding escalation is foundational.