SY0-701 | Chapter 76 of 212 | Objective 2.4

Privilege Escalation Attacks

Privilege escalation is a critical attack vector where an attacker gains elevated access to resources beyond what was initially compromised. For SY0-701 Objective 2.4, you must understand both the mechanisms attackers use to escalate privileges and the defenses that prevent them. This chapter covers vertical and horizontal escalation, common techniques like token manipulation, DLL hijacking, and exploiting misconfigurations, along with detection and mitigation strategies. Mastering this topic is essential for the exam and for real-world security roles.

25 min read
Advanced
Updated May 31, 2026

The Office Keycard Climb

Imagine a corporate office building with a strict keycard system. Every employee has a keycard that opens only the doors they need for their job. A junior intern, Alice, has a card that opens the main entrance and the break room. She wants access to the CEO's office on the top floor, which requires a special executive keycard. To get it, she first uses a social engineering trick: she follows a senior manager through a secure door (piggybacking) to reach the HR filing room on the second floor. There, she finds a sticky note with the password for the HR director's computer. Logged in as HR director, she accesses a shared drive with a script that runs with elevated privileges. She modifies the script to add her keycard to the executive access list. When the script runs next, her keycard is upgraded. Now she can enter the CEO's office. This mirrors privilege escalation: starting with low privileges (intern), exploiting weaknesses (piggybacking, weak password, misconfigured script) to gain higher privileges (executive access). The keycard system is like the operating system's permission model, and each step is a different escalation technique: physical access, credential theft, and exploiting a privileged process.

How It Actually Works

Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or application to gain elevated access to resources that are normally protected from an application or user. The result is that the attacker obtains permissions that allow them to perform actions that the system administrator intended to prevent. There are two main types:

Vertical Privilege Escalation (also called privilege elevation): The attacker gains higher-level permissions than originally possessed. For example, a standard user gains root or Administrator access.

Horizontal Privilege Escalation: The attacker gains the same level of permissions but accesses another user's resources. For example, User A accesses User B's files without authorization. While not always considered true escalation, it is often a stepping stone to vertical escalation.

How It Works Mechanically

Privilege escalation attacks typically follow a multi-step process:

1. Initial Foothold: The attacker compromises a low-privileged account or process, often through phishing, exploiting a vulnerability, or using stolen credentials.

2. Reconnaissance: The attacker enumerates the system to identify potential escalation vectors. Tools like whoami /priv, systeminfo, and accesschk on Windows, or id, sudo -l, and find / -perm -4000 on Linux are used.

3. Exploitation: The attacker leverages a vulnerability or misconfiguration to gain higher privileges. Common techniques include:
   - Token Manipulation: On Windows, attackers can steal or duplicate access tokens (e.g., using SeImpersonatePrivilege) to impersonate a higher-privileged user.
   - DLL Hijacking: Placing a malicious DLL in a directory that is searched before the legitimate DLL, causing an application to load the attacker's code with the application's privileges.
   - Path Interception: Manipulating the PATH environment variable or using unquoted service paths to execute arbitrary binaries.
   - Unquoted Service Paths: If a service executable path contains spaces and is not enclosed in quotes, Windows will attempt to execute each token in the path, allowing an attacker to place a malicious executable earlier in the path.
   - Scheduled Tasks: Creating or modifying scheduled tasks to run with elevated privileges.
   - Exploiting Vulnerabilities: Using known CVEs (e.g., CVE-2021-34527 for PrintNightmare, CVE-2020-1472 for Zerologon) to directly gain SYSTEM or root access.

4. Persistence: The attacker may create a backdoor to maintain elevated access, such as creating a new user in the Administrators group or installing a service.

5. Lateral Movement: With elevated privileges, the attacker can move to other systems, often using Pass-the-Hash or Pass-the-Ticket techniques.

Key Components and Variants

- Privilege Escalation Vectors:
  - Misconfigurations: Weak file permissions, unquoted service paths, vulnerable scheduled tasks.
  - Vulnerabilities: Buffer overflows, race conditions, kernel exploits.
  - Credential Theft: Dumping passwords from memory (Mimikatz), cracking hashes, or pass-the-hash.
  - Token Theft: Exploiting token privileges like SeDebugPrivilege or SeImpersonatePrivilege.
  - DLL Hijacking: Exploiting the DLL search order on Windows.
  - Path Interception: Exploiting unquoted paths or writable directories in the PATH.

- Standards and Tools:
  - Windows: whoami /priv, icacls, sc qc, schtasks, PowerUp.ps1, WinPEAS.
  - Linux: sudo -l, find / -perm -4000, ls -la /etc/cron*, uname -a, LinPEAS.
  - Metasploit: getsystem, exploit/windows/local/ modules.

How Attackers Exploit

Attackers use automated scripts and manual enumeration to find escalation opportunities. For example, on Windows, they might run:

whoami /priv

If they see SeImpersonatePrivilege enabled, they can use tools like JuicyPotato or RoguePotato to impersonate SYSTEM. On Linux, they might look for SUID binaries:

find / -perm -4000 -type f 2>/dev/null

If a binary like nmap or vim has the SUID bit set, they can run it as root to execute commands. Another common technique is exploiting unquoted service paths:

sc qc <service_name>

If the binary path is C:\Program Files\Vulnerable App\service.exe, an attacker can place a malicious Program.exe in C:\, which will be executed with SYSTEM privileges when the service starts.

How Defenders Deploy Countermeasures

Defenders must:

- Apply the Principle of Least Privilege: Users and services should have only the minimum permissions necessary.
- Patch Systems Regularly: Apply security updates to fix known vulnerabilities.
- Harden Configurations: Remove unnecessary privileges, disable unused services, and enforce secure defaults.
- Monitor for Escalation Attempts: Use SIEM and EDR tools to detect anomalous behavior like token manipulation, unusual process creation, or privilege elevation.
- Conduct Regular Audits: Review user permissions, service configurations, and scheduled tasks.
- Use Application Control: Whitelist allowed executables to prevent unauthorized binaries.
- Implement User Account Control (UAC): On Windows, UAC can prevent silent elevation.
- Disable Unnecessary Privileges: For example, remove SeImpersonatePrivilege from service accounts where not needed.

Real Command/Tool Examples

Windows Token Manipulation with JuicyPotato:

JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID}

Linux SUID Exploit:

./nmap --interactive
nmap> !sh

Checking for Unquoted Service Paths:

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v "\""
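The following audit script is an added example for this chapter, not code from the page or from any tool it names. It works through the unquoted-path logic explained above from the defender's side: it pulls BINARY_PATH_NAME and SERVICE_START_NAME out of `sc qc` output, then lists the executables Windows would try before the intended image, which is exactly the set of directories whose ACLs need checking with icacls. The `sc qc` text is a constructed sample.

```python
from typing import Dict, List, Optional

# Constructed sample of `sc qc VulnSvc` output (not captured from a real host).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VulnSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Vulnerable App\service.exe
        DISPLAY_NAME       : Vulnerable App Service
        SERVICE_START_NAME : LocalSystem
"""


def sc_qc_field(sc_qc_output: str, field: str) -> Optional[str]:
    """Return one `KEY : value` field from `sc qc` output (None if absent)."""
    for line in sc_qc_output.splitlines():
        key, sep, value = line.partition(":")  # first colon is the separator,
        if sep and key.strip().upper() == field.upper():  # so C:\... survives
            return value.strip()
    return None


def unquoted_candidates(command_line: str) -> List[str]:
    r"""Executables Windows may try before the intended image, in order.

    Mirrors how an unquoted, space-containing path is resolved: for
    C:\Program Files\Vulnerable App\service.exe the result is
    ['C:\Program.exe', 'C:\Program Files\Vulnerable.exe'].  An empty list
    means the path is quoted or has no space before the image name.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return []  # quoted image path: spaces in the arguments do not matter
    candidates: List[str] = []
    prefix = ""
    for word in cmd.split(" "):
        prefix = word if not prefix else f"{prefix} {word}"
        if prefix.lower().endswith(".exe"):
            return candidates if " " in prefix else []
        candidates.append(prefix + ".exe")
    # No .exe extension at all: the last prefix is the intended image itself.
    return candidates[:-1] if " " in cmd else []


def audit_service(name: str, sc_qc_output: str) -> Dict[str, object]:
    """Summarise one service: account it runs as, image path, hijack candidates."""
    path = sc_qc_field(sc_qc_output, "BINARY_PATH_NAME") or ""
    account = sc_qc_field(sc_qc_output, "SERVICE_START_NAME") or "?"
    candidates = unquoted_candidates(path)
    return {"service": name, "runs_as": account, "path": path,
            "vulnerable": bool(candidates), "candidates": candidates,
            # Remediation: re-register the image path with embedded quotes.
            "fix": f'sc config {name} binPath= "\\"{path}\\""' if candidates else None}


if __name__ == "__main__":
    # Next step on a real host: run `icacls` on the parent directory of each
    # candidate; only a directory writable by non-admins makes this exploitable.
    for key, value in audit_service("VulnSvc", SAMPLE_SC_QC).items():
        print(f"{key:>10}: {value}")
```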

Using PowerUp for Automated Enumeration:

Import-Module .\PowerUp.ps1
Invoke-AllChecks

Walk-Through

1. Initial Compromise

The attacker gains a foothold on the target system, typically as a low-privileged user. This could be through a phishing email that installs a backdoor, exploiting a remote vulnerability, or using stolen credentials. At this stage, the attacker has limited access, often as a standard domain user or local user. The attacker may use tools like `whoami` to confirm their current user and privileges. Logs would show a new process or network connection from an external IP. The attacker's goal is to gather information about the system to find ways to elevate privileges.

2. System Enumeration

The attacker enumerates the system to identify potential escalation vectors. On Windows, they run commands like `whoami /priv` to list privileges, `systeminfo` for OS details, and `tasklist /svc` for running services. On Linux, they use `id`, `sudo -l`, and `find / -perm -4000` for SUID binaries. The attacker also checks for misconfigurations like unquoted service paths, writable directories in PATH, and scheduled tasks. Tools like `WinPEAS` or `LinPEAS` automate this. Logs may show unusual command execution or enumeration activity. The attacker is looking for any weakness that can be exploited.

3. Exploit Identification

Based on the enumeration results, the attacker selects a specific technique. For example, if `SeImpersonatePrivilege` is enabled, they plan to use a token impersonation tool like `JuicyPotato`. If an unquoted service path is found, they prepare a malicious executable. If a vulnerable service version is detected, they search for a matching exploit (e.g., CVE-2021-34527 for PrintNightmare). The attacker may also check for missing patches using `wmic qfe list`. This step is critical; choosing the wrong exploit can fail or alert defenders. The attacker verifies the exploit's compatibility with the target OS version and architecture.

4. Escalation Execution

The attacker executes the chosen exploit. For token impersonation, they run a tool that spawns a new process with SYSTEM privileges. For unquoted service paths, they place a malicious executable in the writable directory and restart the service. For SUID binaries, they run the binary with arguments that spawn a shell. The attacker verifies success by running `whoami` again or checking for elevated access. Logs will show a new process created with higher integrity level or a service starting from an unexpected path. EDR tools may detect the anomalous behavior and alert. The attacker now has elevated privileges, often SYSTEM or root.

5. Persistence and Lateral Movement

With elevated privileges, the attacker establishes persistence to maintain access. They may create a new user account in the Administrators group, install a service, or modify startup scripts. On Windows, they might use `net user /add` and `net localgroup Administrators /add`. On Linux, they could add an SSH key to root's authorized_keys. The attacker also attempts lateral movement to other systems, using tools like `Mimikatz` to dump credentials and `psexec` or `wmic` to execute commands remotely. Logs will show new user creation, service installation, or remote logins. Defenders should monitor for these indicators and investigate immediately.

What This Looks Like on the Job

Scenario 1: Help Desk Escalation

A help desk analyst receives a call from a user who forgot their password. The analyst resets it but inadvertently uses a weak password. An attacker, who has already compromised the user's machine via a phishing email, now has the new password. The attacker logs in as the user and runs whoami /priv, discovering SeImpersonatePrivilege is enabled. The attacker downloads JuicyPotato from a remote server and executes it to spawn a SYSTEM shell. From there, they dump all local passwords using Mimikatz and move laterally to the domain controller. The SOC analyst reviewing logs sees a process (JuicyPotato.exe) created by a non-admin user that spawned cmd.exe with SYSTEM integrity. The correct response is to isolate the compromised machine, revoke the user's access, and investigate the lateral movement. A common mistake is to assume the user's account is the only compromised entity, ignoring the SYSTEM-level access.

Scenario 2: Unquoted Service Path in Enterprise

During a routine vulnerability scan, an internal pentester identifies an unquoted service path on a file server running a custom application. The service runs as NT AUTHORITY\SYSTEM. The path is C:\Program Files\Custom App\service.exe. The pentester creates a malicious executable named Program.exe and places it in C:\. They then restart the service using sc stop and sc start. The service executes C:\Program.exe instead of the intended binary, giving the pentester SYSTEM access. The SOC team sees a service restart and a new process (Program.exe) originating from C:\. The correct response is to check the service configuration, verify the executable path, and remove the rogue file. A common mistake is to focus on the service failure rather than the path manipulation.

Scenario 3: Linux SUID Binary Exploitation

An attacker gains access to a Linux web server as the www-data user. They run find / -perm -4000 and find that /usr/bin/nmap has the SUID bit set. Nmap is an older version that allows interactive mode. The attacker runs nmap --interactive and then !sh to spawn a root shell. They then add a new user to /etc/passwd with UID 0. The system administrator notices an unexpected user in the passwd file and checks the audit logs with ausearch, which show nmap executed by www-data. The correct response is to remove the SUID bit from nmap and audit all SUID binaries. A common mistake is to patch the kernel but overlook misconfigured SUID permissions.

How SY0-701 Actually Tests This

What SY0-701 Tests

Objective 2.4 specifically covers privilege escalation attacks. The exam expects you to:

Distinguish between vertical and horizontal escalation.

Identify common escalation techniques: token manipulation, DLL hijacking, path interception, unquoted service paths, scheduled tasks, and kernel exploits.

Recognize misconfigurations that enable escalation (e.g., weak permissions, unquoted paths).

Understand how to mitigate these attacks: least privilege, patching, UAC, service hardening.

Know tools used for escalation (Mimikatz, JuicyPotato, PowerUp, LinPEAS) and detection (SIEM, EDR).

Common Wrong Answers

1. Choosing 'buffer overflow' as the primary escalation technique: While buffer overflows can lead to escalation, the exam focuses on misconfigurations and token-based attacks. Candidates confuse remote code execution with local escalation.

2. Selecting 'pass-the-hash' as a privilege escalation technique: Pass-the-hash is a lateral movement technique, not escalation. It uses existing credentials, not privilege elevation.

3. Thinking 'phishing' is a form of escalation: Phishing is an initial access vector. The exam distinguishes between gaining a foothold and escalating privileges.

4. Confusing 'DLL hijacking' with 'DLL injection': DLL hijacking exploits the search order; DLL injection inserts code into a running process. The exam tests hijacking for escalation.

Specific Terms and Values

SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege: Token privileges often exploited.

JuicyPotato, RoguePotato: Tools for token impersonation.

PowerUp, WinPEAS, LinPEAS: Enumeration scripts.

Unquoted Service Path: A path like C:\Program Files\My App\service.exe without quotes.

SUID (Set User ID): Linux permission bit (chmod u+s) that allows execution as file owner.

Trick Questions

A question might describe a user running a program that accesses another user's files (horizontal escalation) vs. running a program that gains admin rights (vertical). Read carefully.

A scenario where an attacker uses a vulnerability in a service to run code as SYSTEM is vertical escalation; if they use stolen credentials to access another user's data, it's lateral movement.

'Privilege escalation' vs. 'privilege abuse': Escalation is gaining higher privileges; abuse is misusing existing privileges.

Decision Rule

On scenario questions, ask: Does the attacker start with low privileges and end with higher ones? If yes, it's vertical escalation. If they access another user's resources at the same level, it's horizontal. If the technique involves impersonating a token or exploiting a service path, it's likely token manipulation or unquoted path. Eliminate options that describe initial access (phishing) or lateral movement (pass-the-hash).

Key Takeaways

Vertical escalation gains higher privileges (e.g., user to admin); horizontal escalation accesses another user's resources at the same level.

Common Windows escalation vectors: token manipulation (SeImpersonatePrivilege), unquoted service paths, DLL hijacking, and scheduled tasks.

Common Linux escalation vectors: SUID binaries, sudo misconfigurations, kernel exploits, and cron jobs.

Tools like WinPEAS, LinPEAS, and PowerUp automate enumeration of escalation opportunities.

Mitigation includes least privilege, patching, UAC, service hardening, and monitoring for anomalous process creation.

Token manipulation exploits privileges like SeImpersonatePrivilege to impersonate SYSTEM accounts.

Unquoted service paths allow execution of arbitrary binaries if a writable directory exists earlier in the path.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Token Manipulation

Exploits token privileges like SeImpersonatePrivilege

Requires ability to spawn processes or threads

Common tools: JuicyPotato, RoguePotato

Gains SYSTEM or Network Service privileges

Often used in Windows environments

DLL Hijacking

Exploits DLL search order

Requires a vulnerable application that loads DLLs from user-writable paths

Common tools: custom DLLs, PowerUp script

Gains privileges of the vulnerable application

Works on Windows and some Unix systems via LD_PRELOAD

Watch Out for These

Mistake

Privilege escalation only occurs on Windows systems.

Correct

Linux and macOS systems are equally vulnerable. Techniques like SUID exploitation, cron job manipulation, and kernel exploits are common on Unix-like systems.

Mistake

User Account Control (UAC) always prevents privilege escalation.

Correct

UAC can be bypassed using techniques like DLL hijacking or token manipulation. It is a deterrent, not a definitive control.

Mistake

Horizontal escalation is less dangerous than vertical escalation.

Correct

Horizontal escalation can lead to vertical escalation. For example, accessing another user's credentials may allow impersonation of a privileged user.

Mistake

Privilege escalation requires exploiting a software vulnerability.

Correct

Misconfigurations (e.g., unquoted service paths, weak permissions) are more common than software flaws. Attackers often exploit configuration errors.

Mistake

Patching systems eliminates all privilege escalation risks.

Correct

Patching addresses known vulnerabilities but does not fix misconfigurations. Proper hardening and least privilege are essential.

Frequently Asked Questions

What is the difference between vertical and horizontal privilege escalation?

Vertical privilege escalation (elevation) occurs when an attacker gains higher-level permissions, such as a standard user becoming an administrator. Horizontal escalation occurs when the attacker accesses another user's resources at the same privilege level, such as reading another user's files. For the exam, vertical escalation is the primary focus, but horizontal escalation can be a precursor. In scenario questions, look for whether the attacker's final privileges are higher (vertical) or just different (horizontal).

How does token manipulation work in privilege escalation?

Token manipulation exploits the Windows access token system. If a user has privileges like SeImpersonatePrivilege, they can impersonate another user, including SYSTEM. Tools like JuicyPotato use COM objects to get a SYSTEM token and spawn a new process with that token. This is a common technique in post-exploitation. The attacker must have the privilege enabled, which is often the case for service accounts. Mitigation involves removing unnecessary privileges from accounts.

What is an unquoted service path vulnerability?

An unquoted service path occurs when the path to a service executable contains spaces and is not enclosed in quotation marks. For example: `C:\Program Files\My App\service.exe`. When the service starts, Windows interprets each space-separated segment as a potential executable. If an attacker can place a malicious executable in a directory earlier in the path (e.g., `C:\Program.exe`), it will be executed with the service's privileges. This is a configuration error that can be fixed by quoting the path.

Can privilege escalation occur on Linux? How?

Yes. Common Linux privilege escalation techniques include exploiting SUID binaries (executables that run with the owner's privileges), misconfigured sudo permissions (e.g., allowing a user to run commands as root), kernel exploits (e.g., DirtyCow CVE-2016-5195), and cron job manipulation (editing scripts that run as root). Mitigation includes removing SUID bits from unnecessary binaries, auditing sudo rules, patching the kernel, and securing cron scripts.
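The SUID audit recommended here and in Scenario 3 (remove the bit from nmap, then audit every SUID binary), as an added example that is not part of the page: scan_suid() walks the filesystem the way `find / -perm -4000 -type f` does, and audit_suid() compares the result with a known-good baseline so that anything unexpected is reported with its owner and a `chmod u-s` fix. The baseline and the sample scan result are constructed.

```python
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Constructed, abbreviated allowlist of SUID binaries a Debian-style host
# legitimately needs; a real baseline is taken from a freshly built golden image.
BASELINE_SUID = frozenset({
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/lib/openssh/ssh-keysign",
})

Entry = Tuple[str, int, int]  # (path, st_mode, st_uid)


def scan_suid(root: str = "/") -> List[Entry]:
    """Walk root like `find / -perm -4000 -type f`, collecting SUID regular files."""
    found: List[Entry] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink itself never carries the bit
            except OSError:
                continue  # unreadable or vanished mid-scan; keep going
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_mode, st.st_uid))
    return found


def audit_suid(entries: Iterable[Entry],
               baseline: Iterable[str] = BASELINE_SUID) -> List[Dict[str, object]]:
    """Flag SUID files missing from the baseline; root-owned ones are the real risk."""
    allowed = set(baseline)
    findings = []
    for path, mode, uid in entries:
        if not (mode & stat.S_ISUID) or path in allowed:
            continue
        findings.append({
            "path": path,
            "owner_uid": uid,
            "severity": "high" if uid == 0 else "medium",  # SUID root = full root
            "mode": stat.filemode(mode),
            "fix": f"chmod u-s {path}",
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["path"]))


# Constructed scan result reproducing Scenario 3: nmap carrying the SUID bit.
SAMPLE_SCAN: List[Entry] = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 0),
    ("/usr/bin/nmap", 0o104755, 0),          # unexpected and root-owned
    ("/opt/reports/export", 0o104755, 33),   # unexpected; 33 is www-data on Debian
]

if __name__ == "__main__":
    # Replace SAMPLE_SCAN with scan_suid("/") to audit the running host.
    for f in audit_suid(SAMPLE_SCAN):
        print(f"[{f['severity']}] {f['mode']} uid={f['owner_uid']} {f['path']} -> {f['fix']}")
```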

What tools are used for privilege escalation enumeration?

On Windows, tools like PowerUp (PowerShell script), WinPEAS, and Windows Exploit Suggester are used. On Linux, LinPEAS, Linux Exploit Suggester, and enumeration commands like `find / -perm -4000` are common. These tools automate the discovery of misconfigurations, vulnerabilities, and weak permissions. For the exam, know that these tools exist and what they check for, not necessarily the exact commands.

How can privilege escalation be detected?

Detection involves monitoring for unusual process creation (e.g., a non-admin user spawning a SYSTEM process), changes in token privileges, service start/stop events, and unexpected file writes to system directories. SIEM rules can alert on events like event ID 4672 (special privileges assigned to new logon) or 4698 (scheduled task creation). EDR tools can detect known escalation tools by hash or behavior. Regular auditing of user privileges and service configurations also helps.
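The three detections named above (a non-admin parent spawning a SYSTEM process, event 4672 for an account that should not hold special privileges, and 4698 task creation by a non-admin), written out as an added example that is not from the page or any SIEM product. Events are constructed flat dicts using Sysmon and Security log field names; the admin allowlist and account names are assumptions.

```python
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

# Constructed allowlist: accounts expected to hold special privileges.
ADMIN_ACCOUNTS = {"CORP\\it-admin", "CORP\\svc-backup"}
BUILTIN = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
           "NT AUTHORITY\\NETWORK SERVICE"}


def privileged(account: str) -> bool:
    """Admins, built-in service identities and computer accounts (HOST$) are expected."""
    return account in ADMIN_ACCOUNTS or account in BUILTIN or account.endswith("$")


def subject(ev: Event) -> str:
    return f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"


def system_child_of_user(ev: Event) -> Optional[str]:
    """Sysmon event 1: SYSTEM-integrity process whose parent ran as an ordinary user."""
    if ev.get("EventID") != 1 or ev.get("IntegrityLevel") != "System":
        return None
    parent = str(ev.get("ParentUser", ""))
    if not parent or privileged(parent):
        return None
    return f"{ev['Image']} runs as SYSTEM but was spawned by {ev['ParentImage']} ({parent})"


def special_privs_nonadmin(ev: Event) -> Optional[str]:
    """Security 4672: special privileges assigned to a logon outside the allowlist."""
    if ev.get("EventID") != 4672 or privileged(subject(ev)):
        return None
    privs = str(ev.get("PrivilegeList", "")).split()  # real events are newline-separated
    return f"{subject(ev)} logged on with {', '.join(privs)}"


def task_by_nonadmin(ev: Event) -> Optional[str]:
    """Security 4698: scheduled task created by a non-admin account."""
    if ev.get("EventID") != 4698 or privileged(subject(ev)):
        return None
    return f"scheduled task {ev.get('TaskName')} created by {subject(ev)}"


RULES: List[Callable[[Event], Optional[str]]] = [
    system_child_of_user, special_privs_nonadmin, task_by_nonadmin]


def detect(events) -> List[Dict[str, str]]:
    """Run every rule over every event; return alerts tagged with the rule name."""
    return [{"rule": rule.__name__, "detail": msg}
            for ev in events for rule in RULES if (msg := rule(ev))]


# Constructed events reproducing Scenario 1 (JuicyPotato spawning cmd.exe as SYSTEM).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\JuicyPotato.exe", "IntegrityLevel": "Medium",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentUser": "CORP\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "System",
     "ParentImage": r"C:\Users\alice\Downloads\JuicyPotato.exe", "ParentUser": "CORP\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "IntegrityLevel": "System",
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 4672, "SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "PrivilegeList": "SeDebugPrivilege SeImpersonatePrivilege"},
    {"EventID": 4672, "SubjectUserName": "it-admin", "SubjectDomainName": "CORP",
     "PrivilegeList": "SeDebugPrivilege"},  # expected for an admin logon
    {"EventID": 4698, "SubjectUserName": "alice", "SubjectDomainName": "CORP", "TaskName": "\\Updater"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['detail']}")
```

The benign svchost.exe and it-admin events produce nothing, which is the point of the allowlist: the rules fire on who did it, not merely on what happened.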

What is the difference between DLL hijacking and DLL injection?

DLL hijacking exploits the DLL search order to load a malicious DLL instead of the legitimate one. The attacker places a malicious DLL in a directory that is searched before the application's directory. DLL injection involves forcing a running process to load a malicious DLL, often using Windows API calls like CreateRemoteThread. For the exam, hijacking is a privilege escalation technique; injection is more often used for code execution or persistence.
