What Is Privilege Escalation?
Privilege escalation is the act of exploiting a flaw, misconfiguration, or stolen credential to obtain permissions beyond what an account is supposed to have.
An attacker phishes one employee and lands on their laptop as a standard user. That account cannot read the file server, cannot touch the domain controller, cannot do much of anything interesting. It is a toehold, not a win. So the attacker looks around: a service on the host runs as SYSTEM but its executable sits in a folder any user can write to. They replace the executable, the service restarts, and their code now runs as SYSTEM. From there they harvest a domain admin's cached credentials and the whole network is in reach. The break-in got them one unprivileged account. Privilege escalation is what turned it into control.
Privilege escalation is the set of techniques an attacker uses to gain higher permissions than they started with, moving from a limited user toward administrator, root, SYSTEM, or domain-wide control. It is rarely the goal of an attack, but it is almost always on the path to it. Initial access gets an attacker in; escalation gets them the rights to actually do damage, reach sensitive data, disable defenses, move laterally, and persist.
This guide covers what privilege escalation is, the difference between vertical and horizontal forms, where it fits in an intrusion, the common techniques mapped to MITRE ATT&CK, and how defenders detect and prevent it. It is written for blue teamers who have to spot the moment a low-level foothold becomes a high-level problem.
What is privilege escalation?
Privilege escalation is the act of exploiting a flaw, misconfiguration, or stolen credential to obtain permissions beyond what an account is supposed to have. MITRE ATT&CK catalogs it as a dedicated tactic, Privilege Escalation (TA0004), defined as the techniques adversaries use to gain higher-level permissions, typically SYSTEM or root, local administrator, or a user account with specific elevated rights.
The reason escalation matters is that permissions are what gate everything an attacker wants to do. A standard user account is deliberately limited: it cannot install services, read other users' data, modify system files, or disable security tooling. Those limits are the whole point of access control. Escalation is the attacker defeating those limits, and once they hold administrative or system-level rights, most of the remaining defenses on that host are theirs to switch off.
A key insight for defenders is that escalation overlaps heavily with other tactics. Many of the same techniques that grant elevated privileges also provide persistence, a malicious service both runs as SYSTEM and survives reboots, and escalation is the enabler for lateral movement and credential theft. It is a hinge tactic: the point where a contained foothold becomes a spreading compromise.
Vertical vs. horizontal privilege escalation
Escalation comes in two directions, and the distinction shapes how you detect it.
Vertical privilege escalation is gaining higher privileges than your current account, moving up the permission ladder. A standard user becomes a local administrator; a local admin becomes SYSTEM or domain admin. This is the sense most people mean: the attacker ends up with more power than the account they compromised was ever granted.
Horizontal privilege escalation is gaining access to other accounts at the same privilege level, moving sideways. The attacker does not gain more rights, they gain more reach, accessing another standard user's data, mailbox, or session. It often looks less alarming because no admin account is involved, but accessing a peer who happens to have access to sensitive data, or whose account is a stepping stone, can be just as damaging.
| Aspect | Vertical | Horizontal |
|---|---|---|
| Direction | Up the privilege ladder | Sideways, same level |
| Goal | More rights (admin, SYSTEM, root) | More reach (other users' access) |
| Example | Standard user becomes local admin | One user accesses another user's account |
| Why it matters | Unlocks system-wide control and defense evasion | Expands access and sets up further moves |
In a real intrusion the two are used together: an attacker moves horizontally to find an account with a path upward, then escalates vertically when they find it.
Where privilege escalation fits in an attack
Escalation almost never stands alone. It sits in the middle of the attack chain, after the attacker is in and before they accomplish their objective.
The typical sequence: initial access (often via phishing) lands a low-privilege foothold. The attacker performs discovery to understand the host and find escalation opportunities. They escalate privileges. With elevated rights, they dump credentials, disable or evade defenses, move laterally to other systems, establish persistence, and work toward the goal, data theft, ransomware deployment, or long-term espionage.
The implication for defenders is that catching escalation is catching an attack mid-stride, after the foothold but before the damage. It is one of the highest-value detection points in the whole chain, because the actions that come after it, mass data access, defense tampering, domain-wide movement, all depend on the elevated rights it provides. Detect the escalation and you can break the chain before the objective.
Common privilege escalation techniques
Attackers escalate through three broad avenues: exploiting vulnerabilities, abusing legitimate features and misconfigurations, and using stolen credentials. Each maps to a MITRE ATT&CK technique.
| Technique | What the attacker does | ATT&CK |
|---|---|---|
| Exploitation for privilege escalation | Exploits an OS or software vulnerability to run code at a higher level | T1068 |
| Access token manipulation | Steals or impersonates another process's access token to assume its privileges | T1134 |
| Abuse elevation control (UAC bypass, sudo) | Bypasses User Account Control or abuses sudo/setuid to elevate | T1548 |
| Valid accounts | Uses stolen or default credentials for a higher-privileged account | T1078 |
| Scheduled task / service | Creates or hijacks a task or service that runs with elevated rights | T1053 / T1543 |
| Hijack execution flow | Plants a malicious file the system loads with high privilege (DLL, unquoted path) | T1574 |
Exploiting vulnerabilities is the classic route: an unpatched kernel or driver flaw, or a vulnerable application running with high privilege, lets the attacker execute code as SYSTEM or root (T1068). This is why escalation-class CVEs are patched urgently.
Abusing misconfigurations and legitimate features is often easier than exploiting a bug, and quieter. Weak permissions on a service (the writable executable from the opener), an unquoted service path, an over-permissive sudo rule, a scheduled task running as SYSTEM that a user can modify, none of these require an exploit, just an environment that was set up carelessly. Access token manipulation (T1134) and UAC bypass (T1548.002) abuse normal Windows mechanics to elevate.
Using stolen credentials sidesteps the technical problem entirely. If an attacker can steal or guess the credentials of a privileged account, through credential dumping, password reuse, or kerberoasting, they do not need to exploit anything; they simply log in with rights they should not have (T1078). This is frequently the path of least resistance, which is why credential hygiene is central to preventing escalation.
Windows and Linux differ in the details
The concept is universal but the specifics differ by platform, and defenders need both.
On Windows, escalation targets SYSTEM and domain admin, and revolves around access tokens, UAC, service and task permissions, DLL hijacking, and Active Directory attacks like kerberoasting. The endpoint is rich with autostart and service mechanisms that double as escalation paths.
On Linux, escalation targets root and revolves around setuid binaries, sudo misconfigurations, writable cron jobs, kernel exploits, and weak file permissions. The classic move is finding a setuid-root binary or an overly broad sudo rule that lets a normal user run something as root.
Different artifacts, same goal: turn an unprivileged shell into full control of the host, then the network.
How to detect privilege escalation
Because escalation often abuses legitimate mechanisms, detection means watching for the signs of elevation rather than a single signature.
- Watch for new privileged accounts and group changes. Account creation (Windows Event ID 4720) and additions to privileged groups (4728, 4732) are high-value signals; a new domain admin no one provisioned is an escalation until proven otherwise.
- Monitor service and scheduled-task creation. New services (Event IDs 7045, 4697) and tasks running with high privilege deserve scrutiny, especially when the binary lives somewhere unusual.
- Alert on suspicious process lineage. A standard user's process spawning a SYSTEM-level child, or office software launching a command shell, is the kind of parent-child anomaly that escalation produces. Endpoint detection and response tooling is built to surface exactly this.
- Track token and special-privilege use. Logon events with special privileges (Event ID 4672) on accounts that should not have them, and abnormal token manipulation, point to elevation.
- Catch the credential theft that enables it. Since stolen credentials are a primary route, detecting credential dumping and abnormal authentication is also detecting escalation's setup.
A concrete detection pass looks like this: pull the privileged-group membership and compare it to a known-good list, so any account added outside a change ticket stands out. Then review service and task creation on sensitive hosts for binaries running as SYSTEM from user-writable or temporary paths. Then check process-creation logs for a non-admin user's process spawning an elevated child. Each of those is a single query, and together they cover the three escalation avenues, exploitation, misconfiguration, and stolen credentials, from the traces they leave rather than from any one signature.
The unifying idea is baselining: elevated rights are supposed to be rare and assigned deliberately, so an account or process suddenly operating with more privilege than its history shows is the anomaly worth chasing.
How to prevent privilege escalation
Prevention shrinks both the opportunities to escalate and the damage if someone does.
- Enforce least privilege. The single most effective control: give accounts only the rights they need, and remove standing local-administrator rights from regular users. An attacker who lands on a user account that is not a local admin has a much harder climb.
- Patch aggressively, especially escalation flaws. Kernel, driver, and privileged-application vulnerabilities are escalation fuel. Prioritize patching anything that grants elevation.
- Fix the misconfigurations. Audit service permissions, unquoted paths, sudo rules, and setuid binaries. These are free wins because they need no exploit to abuse and no patch to fix, just correct configuration.
- Protect credentials and require MFA. Strong, unique credentials, protected privileged accounts, and multi-factor authentication blunt the stolen-credential route. Tier administrative accounts so a workstation compromise does not expose domain admin.
- Adopt Zero Trust and segmentation. Do not let elevation on one host translate automatically into access everywhere; verify and segment so escalation stays contained.
Layered, these turn escalation from a routine next step into a hard, noisy problem for the attacker.
Getting started with detecting privilege escalation
If you want to build the skill, learn the techniques by performing them in a lab and then detecting them from the traces they leave.
- Learn the access model. Understand Windows tokens, UAC, and privileged groups, and Linux users, sudo, and setuid. You cannot spot abuse of a mechanism you do not understand.
- Map techniques to ATT&CK. Work through the Privilege Escalation tactic so each technique and its detection are familiar.
- Escalate in a lab, then hunt it. Exploit a misconfiguration or weak permission in a safe environment, then find the evidence in the logs and process tree it produced.
- Investigate a real intrusion. Trace how an attacker escalated and moved.
The bottom line
Privilege escalation is how an attacker turns a low-level foothold into the administrative, SYSTEM, or root access that real damage requires. It comes in two directions, vertical for more rights and horizontal for more reach, and it sits at the center of the attack chain, after initial access and before the objective, which makes it one of the highest-value points to detect. Attackers get there by exploiting vulnerabilities, abusing misconfigurations and legitimate features, or simply using stolen privileged credentials, often the easiest path of all. The defense is least privilege, disciplined patching and configuration, credential protection, and watching for the anomaly of an account or process operating with more power than it should. Catch the escalation and you break the attack before it spreads.
Frequently asked questions
<p>Vertical privilege escalation is moving up the privilege ladder, gaining more rights than your account had, such as a standard user becoming an administrator, SYSTEM, or root. Horizontal privilege escalation is moving sideways to other accounts at the same privilege level, gaining more reach rather than more rights, such as one user accessing another user's data or session. Attackers often move horizontally to find an account that offers a path upward, then escalate vertically.</p>
<p>Because permissions gate everything an attacker wants to do. A limited account cannot access most data, install services, or disable defenses; administrative or system-level rights can. Escalation is the hinge that turns a contained foothold into a full compromise, enabling credential theft, defense evasion, lateral movement, persistence, and the attacker's ultimate objective. Catching it breaks the attack before the damage.</p>
<p>Common techniques include exploiting OS or software vulnerabilities (ATT&CK T1068), access token manipulation (T1134), bypassing User Account Control or abusing sudo/setuid (T1548), using stolen or default credentials for a privileged account (T1078), and abusing services or scheduled tasks that run with elevated rights (T1543/T1053). Misconfigurations such as weak service permissions, unquoted service paths, and over-broad sudo rules are frequent routes because they need no exploit.</p>
<p>If an attacker can obtain the credentials of a privileged account, through credential dumping, password reuse, phishing, or kerberoasting, they can simply authenticate as that account with rights they should not have (ATT&CK T1078). This sidesteps the need to exploit any vulnerability, which makes it the path of least resistance in many intrusions and is why protecting and tiering privileged credentials is central to prevention.</p>
<p>Detect it by watching for the signs of elevation: new privileged accounts and group changes (Windows Event IDs 4720, 4728, 4732), new services or scheduled tasks running with high privilege (7045, 4697), suspicious process lineage such as a user process spawning a SYSTEM child, special-privilege logons (4672) on unexpected accounts, and the credential theft that enables escalation. The core method is baselining, since elevated rights should be rare and deliberate, so a sudden increase is the anomaly.</p>
<p>The most effective single control is least privilege: remove standing local-administrator rights from regular users and grant only the permissions each account needs. Combine that with aggressive patching of escalation-class vulnerabilities, fixing misconfigurations (service permissions, unquoted paths, sudo and setuid), protecting credentials with MFA and account tiering, and segmenting the network so elevation on one host does not grant access everywhere.</p>