What is Privilege Escalation? How Attackers Gain Admin Access


Privilege escalation is how attackers go from limited access to full control. Learn the techniques, why it determines breach scope, and the controls that stop it — for executives and PE sponsors.

Types of Privilege Escalation

Vertical Privilege Escalation

Vertical privilege escalation is the gain of higher-level permissions than originally granted — a standard user account gaining administrator-level access, or a local administrator account gaining domain administrator rights. This is the form that matters most in breach scenarios because it is what converts a compromised low-privilege account into the domain-wide control needed for ransomware deployment, mass data exfiltration, or persistent backdoor installation.

The most impactful vertical escalation targets in Windows environments are domain administrator, local administrator on a large number of machines, and accounts with Azure or Microsoft 365 Global Administrator roles. An attacker who achieves any of these has effectively won — the environment is compromised at a scope that cannot be remediated without understanding and evicting every persistence mechanism they have established.

Horizontal Privilege Escalation

Horizontal privilege escalation is the use of one account's privileges to access resources that a different account at the same privilege level can access. An attacker who compromises a finance employee's account and uses those credentials to access another finance employee's email, files, or systems is escalating horizontally. This is the form most relevant to insider threat scenarios and data theft operations where the attacker wants breadth of access within a specific data category rather than administrative control.

The Most Common Privilege Escalation Techniques

Kerberoasting

Kerberoasting targets Active Directory service accounts. Any domain-authenticated user can request a Kerberos service ticket for any account registered with a Service Principal Name — and those tickets are encrypted using the service account's password hash. The attacker requests the ticket, captures it, and cracks the encryption offline. Service accounts with weak passwords — common because service accounts are often configured once and never rotated — yield to GPU-accelerated cracking in minutes or hours, producing credentials with the service account's typically elevated permissions.

Token Impersonation and Pass-the-Token

Windows access tokens represent the security context of a running process. An attacker with code execution on a system can attempt to impersonate tokens belonging to higher-privileged processes or logged-in users. The SeImpersonatePrivilege — a Windows privilege held by many service accounts — enables token impersonation attacks that can escalate a service account compromise to SYSTEM-level access on the local machine.

Misconfigured Sudo and Overprivileged Service Accounts

In Linux and cloud environments, privilege escalation commonly exploits misconfigured sudo permissions that grant users the ability to run specific commands as root, misconfigured SUID binaries that execute with the permissions of the file owner rather than the executing user, and cloud IAM misconfigurations that grant service accounts or Lambda functions more permissions than their function requires. In AWS, Azure, and GCP environments, privilege escalation through IAM misconfigurations is one of the most common cloud security findings — because cloud IAM is complex, least-privilege is hard to maintain as environments grow, and auditing for overprivilege is rarely part of routine operations.

How Attackers Use Privilege Escalation in Practice

Privilege escalation is rarely the attacker's objective — it is the enabler of their objective. The sequence is consistent: initial access through phishing or credential theft, lateral movement to identify escalation opportunities, privilege escalation to gain the permissions needed for the actual objective, and then the objective itself — ransomware deployment, data exfiltration, persistent access establishment.

The critical decision point for breach scope is the privilege level the attacker achieves before detection. An attacker contained at standard user privileges can access what that user can access. An attacker who escalates to domain administrator before detection can access everything, can create persistent backdoor accounts that survive password resets, can exfiltrate the Active Directory database containing all credential hashes, and can deploy ransomware across the entire domain simultaneously.

Privilege Escalation in Cloud Environments

Cloud environments introduce privilege escalation pathways that do not exist in traditional on-premises networks — and that are less well understood by most security teams. In AWS, an attacker with access to an IAM role that can assume other roles, modify IAM policies, or access EC2 instance metadata can escalate to administrative permissions through chains of intermediate permissions that individually appear low-risk. In Azure, Contributor role at the subscription level provides the ability to create new privileged role assignments, effectively enabling escalation to Owner. In both environments, misconfigured service principals, instance metadata service access, and overprivileged Lambda/Function execution roles are common escalation pathways documented in red team engagements.
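The two preceding passages describe overprivileged IAM grants as an escalation pathway but leave the audit itself abstract. Below is an added example that is not part of this article: a small linter for AWS IAM policy documents that flags Allow statements handing out permission-changing actions on every resource, run against a constructed loose policy and a tightened counterpart. The account id, bucket and role names, and the list of sensitive actions are assumptions made for the example; the list is illustrative, not a complete catalogue.

```python
"""Lint an AWS IAM policy document for statements that grant
permission-changing actions too broadly. Added example; the policy
documents, account id and role names below are constructed."""
import fnmatch

# Actions that let a principal alter who holds which permissions. Granting
# any of them on every resource is a classic escalation pathway. This list
# is illustrative, not exhaustive (assumption for this example).
PERMISSION_CHANGING_ACTIONS = {
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy", "iam:PassRole", "sts:AssumeRole",
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (sid, severity, message) findings for the policy's Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        resources = _as_list(stmt.get("Resource", []))
        any_resource = "*" in resources
        for pattern in _as_list(stmt.get("Action", [])):
            if pattern == "*":
                findings.append((sid, "HIGH", "grants every action"))
                continue
            # Action entries may carry wildcards (e.g. "iam:*"), so match the
            # pattern against the sensitive actions instead of comparing strings.
            hit = sorted(a for a in PERMISSION_CHANGING_ACTIONS
                         if fnmatch.fnmatchcase(a, pattern))
            if hit and any_resource:
                findings.append((sid, "HIGH",
                                 f"{pattern} on Resource '*' allows {', '.join(hit)}"))
            elif hit:
                # Resource-scoped and conditioned grants still deserve review,
                # but a Condition block is a sign the author thought about scope.
                sev = "LOW" if "Condition" in stmt else "MEDIUM"
                findings.append((sid, sev,
                                 f"{pattern} scoped to {len(resources)} resource(s); review the ARNs"))
            elif "*" in pattern and any_resource:
                findings.append((sid, "LOW", f"wildcard action {pattern} on all resources"))
    return findings


# Constructed policies: the first grants PassRole on every role (a common
# overprivilege finding); the second limits it to one role and one service.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Sid": "ManageReportingRoles", "Effect": "Allow", "Action": "iam:*",
         "Resource": "arn:aws:iam::123456789012:role/reporting-*"},
        {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "PassReportingRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/reporting-lambda",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}


def severities(policy):
    """Sorted list of finding severities, handy for a pass/fail gate in CI."""
    return sorted(sev for _, sev, _ in audit_policy(policy))


if __name__ == "__main__":
    for name, pol in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        print(name)
        for sid, sev, msg in audit_policy(pol):
            print(f"  [{sev}] {sid}: {msg}")
```

Running the linter over every customer-managed policy on a schedule is one way to make the "auditing for overprivilege" the text says is rarely routine into a routine check; in practice you would feed it the JSON returned by the IAM API rather than inline documents, and extend the action set to match your own escalation model.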

Preventing and Detecting Privilege Escalation

Privilege escalation prevention centers on eliminating the misconfigurations and over-permissions that escalation techniques exploit. Least-privilege access — granting every user account, service account, and system the minimum permissions required for its specific function — removes the escalation targets that attackers use. This requires regular privilege review cycles, not one-time configuration at onboarding.

Service account hygiene addresses Kerberoasting: service accounts should have long, randomly generated passwords that are rotated regularly, managed service accounts (gMSAs) should be used where possible to automate rotation, and SPNs should be assigned only to accounts that genuinely require them. These changes do not prevent Kerberoasting attempts — they make the resulting tickets computationally infeasible to crack.

Privileged Access Workstations (PAWs) limit the environments where administrative credentials are used — reducing the attack surface for credential dumping from systems where administrators are logged in. Combining PAW controls with tiered administrative accounts, where domain administrator credentials are never used on internet-connected workstations, eliminates the most common pathways to domain administrator compromise through credential theft.

Detection of privilege escalation requires monitoring for the specific activities that indicate escalation attempts: Kerberoasting ticket requests (volume of TGS requests for SPN-registered accounts), LSASS memory access by unexpected processes, new local administrator accounts created outside normal provisioning workflows, and anomalous role assignments in cloud IAM. These are specific, monitorable events that a properly configured SIEM or identity threat detection platform surfaces clearly.
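Two of the detections listed above, implemented as an added example that is not code from the article: a Kerberoasting-style burst of RC4 service ticket requests from one account (Windows Security event 4769), and an addition to the local Administrators group made by an account outside the provisioning workflow (event 4732). The records are constructed, the field names follow the Windows Security log, and the threshold of five distinct service accounts within ten minutes and the approved-actor allow-list are assumptions to tune for your environment.

```python
"""Two detections over constructed Windows Security log records: a burst of
RC4 service ticket requests (event 4769) and an Administrators group change
by an account outside the provisioning workflow (event 4732). Added example;
hosts, accounts, thresholds and timestamps are invented."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; AES tickets are 0x11/0x12


def _tgs(time, user, service, enc, ip="10.0.5.23"):
    """Build a minimal 4769 record using the Security log's field names."""
    return {"EventID": 4769, "Time": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": enc, "IpAddress": ip}


def _group_add(time, actor, member, group="Administrators"):
    """Build a minimal 4732 record (member added to a local security group)."""
    return {"EventID": 4732, "Time": time, "SubjectUserName": actor,
            "TargetUserName": group, "MemberName": member}


# Constructed sample: j.doe pulls RC4 tickets for six different service
# accounts inside three minutes, a.smith makes one ordinary AES request,
# a machine-account request is noise, and two Administrators changes occur.
EVENTS = [
    _tgs("2024-05-02T09:00:05", "j.doe", "svc_sql", "0x17"),
    _tgs("2024-05-02T09:00:20", "j.doe", "svc_backup", "0x17"),
    _tgs("2024-05-02T09:00:35", "j.doe", "svc_web", "0x17"),
    _tgs("2024-05-02T09:01:02", "j.doe", "svc_sccm", "0x17"),
    _tgs("2024-05-02T09:01:30", "j.doe", "svc_print", "0x17"),
    _tgs("2024-05-02T09:02:11", "j.doe", "svc_report", "0x17"),
    _tgs("2024-05-02T09:05:00", "a.smith", "svc_sql", "0x12", ip="10.0.7.8"),
    _tgs("2024-05-02T09:05:40", "j.doe", "WS042$", "0x17"),
    _group_add("2024-05-02T09:10:00", "svc_provision", "CORP\\helpdesk02"),
    _group_add("2024-05-02T09:12:45", "j.doe", "CORP\\j.doe"),
]


def kerberoast_candidates(events, window=timedelta(minutes=10), threshold=5):
    """Map requesting account -> distinct services for every account that asked
    for RC4 service tickets to at least `threshold` distinct user service
    accounts within `window`. Machine accounts (trailing $) and krbtgt are
    excluded because they are not the accounts a cracker targets."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), svc))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()  # sliding window over time-ordered requests
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                hits[user] = sorted(services)
                break
    return hits


def unexpected_admin_additions(events, approved_actors):
    """Return 4732 records for the Administrators group whose actor is not on
    the allow-list of provisioning accounts (approved_actors is yours to define)."""
    return [e for e in events
            if e["EventID"] == 4732 and e["TargetUserName"] == "Administrators"
            and e["SubjectUserName"] not in approved_actors]


if __name__ == "__main__":
    for user, services in kerberoast_candidates(EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
    for e in unexpected_admin_additions(EVENTS, {"svc_provision"}):
        print(f"unexpected Administrators change by {e['SubjectUserName']}: {e['MemberName']}")
```

The RC4 filter is what keeps the first rule high-signal: once the service account hygiene described earlier has moved SPN-bearing accounts to AES-only, ordinary clients stop asking for RC4 tickets, so a burst of them from one user stands out. In a SIEM you would key the same logic on the source IP as well as the account, and tune the threshold against a week of baseline volume.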

80% of ransomware attacks that successfully deployed encryption involved domain administrator compromise, per CrowdStrike incident response data. Privilege escalation is the step that converts a contained endpoint compromise into an environment-wide ransomware event.