CVEs in Linux/Windows kernel, unpatched graphics drivers, SUID services with flaws, misconfigured sudo, kernel exploits (Dirty COW, PetitPotam).
What is privilege escalation
Attack technique whereby an unprivileged user gains administrative or root access to a system. Direct result of local vulnerabilities or permission misconfiguration.
Why it matters
Privilege escalation is critical because it:
- Converts a minor breach into a catastrophe: access to a standard employee account becomes total server control.
- Facilitates persistence: with administrative privileges, attackers can create hidden accounts, install rootkits, and guarantee future access.
- Enables mass data exfiltration: access to system directories, databases, encryption keys, and trade secrets.
- Affects multiple systems in cascade: administrative control of one server enables lateral movement to other servers on the network.
- Bypasses access controls: ACLs, RBAC, and application-level security are all bypassed with root access.
- Impacts regulatory compliance: ISO 27001, NIS2, and DORA require regular patching and restriction of administrative privileges.
Key points
- System files with world-writable permissions, shared or weak root/admin passwords, sudoers allowing commands without a password, credentials in configuration files.
- An attacker succeeds in phishing an employee (initial access as a standard user), but their true objective requires administrative access (privilege escalation).
- Most privilege escalations exploit publicly known OS or application CVEs; patches have been available for months but not applied.
- End users should not have sudo permission; servers should run with the least privileged account possible.
- Permission changes, group modifications, service installation, and OS configuration changes are detectable in audit logs.
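The first key point names two misconfigurations an auditor can check mechanically: world-writable system files and sudoers rules that grant commands without a password. The script below is an added example written for this page, not code from the original; it builds a constructed temporary directory tree and a constructed sudoers text so it runs offline, and its sudoers parser assumes the common `who host=(runas) [TAG:] commands` rule layout (aliases and `Defaults` lines are skipped rather than expanded).

```python
"""Audit for two escalation-enabling misconfigurations: world-writable files and
NOPASSWD sudoers rules. Added example; sample data is constructed, not from a host."""
import os
import re
import stat
import tempfile

# Assumption: rules follow `who host=(runas) [TAGS:] cmds`; alias/Defaults lines are skipped.
_SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
_SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample sudoers, not taken from any real system.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app   # scoped, still worth reviewing
%devs   ALL=(ALL) NOPASSWD: ALL                               # password-less root for a whole group
"""

# Constructed fixture layout: path -> (is_dir, mode). Stands in for a real filesystem.
DEMO_LAYOUT = {
    "etc": (True, 0o755),
    "etc/cron.d": (True, 0o755),
    "etc/cron.d/backup": (False, 0o666),   # anyone can rewrite a job that cron runs as root
    "etc/app.conf": (False, 0o644),        # correctly protected
    "opt": (True, 0o755),
    "opt/scripts": (True, 0o777),          # anyone can drop or replace scripts here
    "tmp": (True, 0o1777),                 # sticky world-writable dir, expected and excluded
}


def nopasswd_rules(text):
    """Return (who, commands) for every sudoers rule carrying the NOPASSWD tag.
    A command list of ALL means every member of `who` can become root with no password."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith(_SKIP_PREFIXES):
            continue
        m = _SUDO_RULE.match(line)
        if not m or "NOPASSWD:" not in m.group("spec"):
            continue
        cmds = m.group("spec").split("NOPASSWD:", 1)[1].strip()
        findings.append((m.group("who"), cmds))
    return findings


def world_writable(root):
    """Walk `root` and report files or directories any user can write (o+w),
    excluding sticky-bit directories such as /tmp where that mode is intended."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue   # symlinks always show 777; judge the target by its own mode
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_mode & stat.S_IWOTH and not sticky_dir:
                hits.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def build_demo_tree():
    """Create the constructed DEMO_LAYOUT under a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="privesc_audit_")
    for rel, (is_dir, mode) in DEMO_LAYOUT.items():
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)   # set exactly, independent of umask
    return root


def audit(root, sudoers_text):
    """Combine both checks into one report dict."""
    return {"nopasswd": nopasswd_rules(sudoers_text), "world_writable": world_writable(root)}


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for key, rows in audit(demo_root, SAMPLE_SUDOERS).items():
        print(key)
        for row in rows:
            print("  ", row)
```

On a real host you would point `world_writable` at `/etc`, `/usr`, `/opt` and the cron and systemd unit directories, and feed `nopasswd_rules` the contents of `/etc/sudoers` and each file under `/etc/sudoers.d`; a scoped NOPASSWD rule like the `deploy` one is often legitimate, but a group-wide `NOPASSWD: ALL` is the password-less root path the key point warns about.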
Real-world example
An IT employee receives a phishing email directing them to a fake Microsoft 365 site, and their password is captured. The attacker accesses their standard domain account. From there, they gain RDP access to an internal server using tools discovered on the shared file server. On the server, the attacker is a standard user without access to critical databases. They discover the server is running an old, vulnerable Linux kernel version (unpatched for 6 months). They use a public Dirty COW exploit to gain root access. With administrative privileges, they access the database encryption keys, decrypt the database, and steal 2 years of customer data. The incident is discovered when audit logs show the creation of administrative accounts and changes to critical file permissions.
Common mistakes
- Delaying OS updates because "changes might break things" leaves systems vulnerable to known escalations.
- Employees with administrator rights on their machines facilitate accidental or intentional escalation.
- Changes to sudoers, adding users to administrative groups, or creating accounts should not go unnoticed.
- A web server never needs to run as root; it should only access the files it needs.
- One compromised admin account affects all systems; shared admin accounts hinder auditing.
- Use of sudo, elevated PowerShell, or RunAs should be audited and alerted on in the SIEM.
Frequently asked questions
What is the difference between horizontal and vertical privilege escalation?
Vertical escalation is becoming administrator/root on the SAME system (standard user → root). Horizontal escalation is accessing another user's data or resources without changing your privilege level. Both are dangerous; vertical is more critical because it gives total system control.
How does privilege escalation relate to the principle of "least privilege"?
The principle of least privilege reduces the attack surface for escalation. If users lack administrative rights, attackers must exploit OS vulnerabilities rather than simply reusing stolen credentials. If services run with minimal privileges, even if compromised, damage is limited.
Why is patching so critical for preventing privilege escalation?
Most escalations exploit publicly known OS kernel, driver, or service CVEs. A patch available for 6 months but not applied is equivalent to leaving the backdoor open. Attackers use automated tools that scan for unpatched systems and execute public exploits.
How does a SIEM or EDR detect privilege escalation?
By monitoring ACL and permission changes, execution of privileged commands (sudo, RunAs, UAC bypass), creation of administrative accounts, changes to administrative groups, and anomalous process behaviour (system binaries executed from unusual locations). EDR should alert on attempts using known escalation techniques.
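The detection signals listed in this answer, in the key point on audit logs and in the common mistake about auditing sudo use all reduce to the same exercise: classify log events by the escalation indicator they carry and page on the severe ones. The script below is an added example written for this page, not the page's own or any vendor's detection content. Its `SAMPLE_LOG` is constructed inline in the syslog style that sudo and the shadow-utils tools (`useradd`, `usermod`) emit on Linux; the exact field wording on a given distribution is an assumption to verify against your own auth log before deploying the regexes.

```python
"""Classify syslog lines by privilege-escalation indicator: privileged command use,
sudoers edits, root shells, new accounts, admin group changes, and permission changes
to sensitive files. Added example; SAMPLE_LOG is constructed, not from a real host."""
import re

ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}
SENSITIVE_PATHS = ("/etc/sudoers", "/etc/passwd", "/etc/shadow", "/etc/cron", "/etc/systemd")
PERM_TOOLS = {"chmod", "chown", "setfacl"}
SHELLS = {"bash", "sh", "zsh", "dash", "su"}

# Assumed log formats (verify against your own auth.log):
#   sudo:    "<user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
#   usermod: "add '<user>' to group '<group>'"
#   useradd: "new user: name=<user>, UID=<uid>, ..."
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
GROUP_RE = re.compile(r"(?:usermod|gpasswd)(?:\[\d+\])?: add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'")
USERADD_RE = re.compile(r"useradd(?:\[\d+\])?: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")

# Constructed sample, modelled on the incident narrative on this page.
SAMPLE_LOG = """\
Mar  3 09:12:01 srv01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
Mar  3 09:14:22 srv01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  3 09:15:05 srv01 sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
Mar  3 09:15:40 srv01 useradd[2210]: new user: name=svcbackup, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  3 09:15:41 srv01 usermod[2214]: add 'svcbackup' to group 'sudo'
Mar  3 09:16:03 srv01 sudo: svcbackup : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/chmod 666 /etc/shadow
Mar  3 09:18:30 srv01 useradd[2330]: new user: name=intern, UID=1005, GID=1005, home=/home/intern, shell=/bin/bash
Mar  3 09:20:11 srv01 sshd[2301]: Accepted publickey for bob from 10.0.0.5 port 51022 ssh2
"""


def _tool(cmd):
    """Basename of the first COMMAND token (/bin/chmod -> chmod)."""
    parts = cmd.split()
    return parts[0].rsplit("/", 1)[-1] if parts else ""


def classify(line):
    """Return (rule, severity, user) for one log line, or None when nothing is noteworthy."""
    m = SUDO_RE.search(line)
    if m:
        user, cmd = m.group("user"), m.group("cmd")
        tool = _tool(cmd)
        if tool in PERM_TOOLS and any(p in cmd for p in SENSITIVE_PATHS):
            return ("sensitive_perm_change", "high", user)   # ACL/permission change on a critical file
        if tool == "visudo" or "/etc/sudoers" in cmd:
            return ("sudoers_modified", "high", user)         # sudo policy itself edited
        if tool in SHELLS:
            return ("privileged_shell", "high", user)         # interactive root shell
        return ("privileged_command", "low", user)            # every sudo use is still recorded
    m = GROUP_RE.search(line)
    if m:
        admin = m.group("group") in ADMIN_GROUPS
        return ("admin_group_add" if admin else "group_add", "high" if admin else "medium", m.group("user"))
    m = USERADD_RE.search(line)
    if m:
        # A new UID 0 account is an administrative account by definition.
        return ("account_created", "high" if m.group("uid") == "0" else "medium", m.group("user"))
    return None


def scan(log_text):
    """Run classify over every line; findings are returned in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            rule, severity, user = hit
            findings.append({"rule": rule, "severity": severity, "user": user, "line": line})
    return findings


def alerts(log_text):
    """The subset a SIEM would page on: high-severity findings only."""
    return [f for f in scan(log_text) if f["severity"] == "high"]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['rule']:22} {f['user']}")
```

The low-severity `privileged_command` findings are deliberately kept rather than dropped: they are what lets an analyst reconstruct the full sequence (routine sudo use, then `visudo`, then a service account spawning a root shell, then a UID 0 account appearing) once one of the high-severity rules fires. A web-server identity such as `www-data` running anything under sudo is itself worth a rule in production, since, as the common mistakes note, a web server never needs root.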