Privilege Escalation: How Attackers Gain Admin Rights on Your Network

Privilege Escalation

Initial access rarely grants attackers the permissions they need. The real work begins once a foothold is established: escalating privileges to gain administrative control. Understanding these techniques helps organisations defend against them effectively.

Privilege escalation exploits the gap between the access a system is intended to grant a user and the access it actually grants. These gaps emerge from misconfigurations, unpatched vulnerabilities, and overly permissive security policies.

Local privilege escalation occurs on a single compromised system. An attacker with standard user access exploits vulnerabilities in the operating system, installed software, or system configuration to gain administrator or root privileges. Success grants complete control over that machine.

Windows services running with excessive privileges create prime escalation opportunities. A service running as SYSTEM that allows authenticated users to modify its configuration or replace its executable effectively hands those users SYSTEM privileges. Attackers enumerate services systematically, looking for these misconfigurations.

Unquoted service paths represent a classic Windows privilege escalation vector. If a service executable path contains spaces but isn’t quoted, Windows resolves the path ambiguously and may execute a binary planted at one of the shorter, space-delimited prefixes of the path rather than the intended executable. Defending against this requires proper service configuration practices: quote service paths and keep the directories along them non-writable by standard users.
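As an added example (not code from the original article), the following offline audit helper takes service ImagePath values of the kind returned by `sc qc` or the Win32_Service `PathName` property and reports which unquoted paths with spaces would make Windows try an alternative location before the real executable. The service names and paths are constructed for illustration.

```python
import re

# Constructed sample ImagePath values, in the form found under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (not from a real host).
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -service',
    "BadSvc": r'C:\Program Files\Bad Vendor\Sub Dir\bad.exe -k arg',
    "NoSpaceSvc": r'C:\Tools\nospace.exe',
    "SysSvc": r'C:\Windows\System32\svchost.exe -k netsvcs',
}

# First token ending in .exe; everything after it is treated as arguments.
_EXE_RE = re.compile(r'^(.*?\.exe)(?:\s|$)', re.IGNORECASE)


def executable_path(image_path: str):
    """Return the executable portion of an unquoted ImagePath, or None if the
    path is quoted (safe) or no .exe token can be found."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return None
    m = _EXE_RE.match(image_path)
    return m.group(1) if m else None


def lookup_candidates(exe_path: str) -> list:
    """Paths Windows would try before the real executable when the path is
    unquoted: each space-delimited prefix, with .exe appended."""
    parts = exe_path.split(' ')
    return [' '.join(parts[:i]) + '.exe' for i in range(1, len(parts))]


def audit(services: dict) -> dict:
    """Map each service with an unquoted, space-containing path to the
    candidate locations an attacker-controlled binary would need to occupy.
    A finding means 'check the ACL on each candidate's parent directory'
    (e.g. with icacls or Get-Acl on the host); it does not by itself prove
    the directory is writable."""
    findings = {}
    for name, image_path in services.items():
        exe = executable_path(image_path)
        if exe and ' ' in exe:
            findings[name] = lookup_candidates(exe)
    return findings


if __name__ == "__main__":
    for svc, paths in audit(SAMPLE_SERVICES).items():
        print(f"{svc}: unquoted path; candidate hijack locations: {paths}")
```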

William Fieldhouse, Director of Aardwolf Security Ltd, notes: “Privilege escalation deserves attention during security assessments because it represents the difference between a minor incident and a catastrophic breach. Our internal network penetration testing specifically targets escalation paths that organisations often overlook.”

Sudo misconfigurations plague Linux systems. Granting users sudo access to specific commands seems safe in theory. In practice, many commands offer shell escapes or arbitrary file writes that enable privilege escalation, and even seemingly innocuous commands can be chained to the same effect.

Kernel exploits provide powerful escalation vectors. A vulnerability in the operating system kernel itself grants attackers complete control. These exploits require more skill to develop but work reliably across many systems running vulnerable kernel versions.

Scheduled tasks and cron jobs frequently run with elevated privileges. If attackers can modify what these tasks execute, they effectively gain the privileges of the task itself. Poor file permissions on task configurations or executed scripts enable this attack.

DLL hijacking exploits the Windows library loading process. Applications search multiple directories for required DLLs. If an attacker can plant a malicious DLL in a directory the application searches before finding the legitimate one, their code executes with the application’s privileges.

Credential theft accelerates privilege escalation dramatically. Compromised administrator credentials eliminate the need for technical exploitation. Attackers dump credentials from memory, harvest them from configuration files, or steal cached credentials. Working with the best penetration testing company ensures a comprehensive evaluation of your privilege management controls.

Token impersonation allows attackers to assume other users’ privileges. Windows processes run with access tokens that record their identity and privileges. If an attacker can steal or duplicate a token from a privileged process, they gain those privileges without needing credentials.