← All glossary terms
Identity Security7 min read

What is Privilege Escalation?

Privilege escalation is the process by which an attacker (or insider) gains higher permissions than they were originally granted. Learn the types, real-world examples, and how to defend against it.

What is Privilege Escalation?

Definition

Privilege escalation is the process by which a user, process, or attacker gains higher access rights than originally granted. It is one of the most critical stages of nearly every successful breach, sitting in the TA0004 Privilege Escalation tactic of MITRE ATT&CK.

In simple terms:

Privilege escalation is how a small foothold becomes a big problem.

Attackers rarely start with the access they want. They start with whatever they can get — a phished user, a stolen token, a misconfigured cloud role — and escalate from there.


Why Privilege Escalation Matters

The damage of a breach is largely determined by how much an attacker can escalate. A phished marketing user is bad; a phished marketing user who can become Domain Admin via a hidden path is catastrophic.

Modern environments are full of escalation opportunities:

  • Complex AD relationships (nested groups, ACL weaknesses, AD CS misconfigurations).
  • Overprivileged service accounts.
  • Cloud roles with iam:PassRole, sts:AssumeRole, or *:* permissions.
  • Misconfigured OAuth apps and consent.
  • Shared admin accounts and standing privilege.

Escalation is also a key driver of blast radius — the metric that ultimately determines the impact of an incident.


Vertical vs Horizontal Escalation

Vertical Privilege Escalation

Going from lower privilege to higher privilege.

Examples:

  • User → Local Administrator
  • Local Administrator → Domain Admin
  • IAM user → AWS root
  • Reader → Owner in a SaaS tenant
  • Service account → Tier 0

Horizontal Privilege Escalation

Going from one identity to another at the same level — typically to access different data or systems.

Examples:

  • User A reading User B's mailbox by impersonating them.
  • One tenant accessing another tenant's data via misconfigured trust.
  • One developer assuming a peer's role to access a different production environment.

Both matter — and both should be prevented.


Common Privilege Escalation Techniques

Active Directory Techniques

  • Kerberoasting — request service tickets, crack offline to recover service account passwords.
  • AS-REP Roasting — abuse accounts with "Do not require Kerberos preauthentication."
  • DCSync — replicate password hashes from a domain controller via legitimate AD APIs.
  • AdminSDHolder abuse — modify the security descriptor that protects privileged accounts.
  • Group membership manipulation — add accounts to privileged groups via misconfigured ACLs.
  • Unconstrained / constrained delegation abuse — capture credentials of users who authenticate to a service.
  • AD CS misconfigurations (ESC1–ESC15) — issue certificates that authenticate as privileged users.
  • GPO abuse — modify a Group Policy Object that runs on Tier 0 systems.

Cloud Techniques

  • iam:PassRole abuse in AWS — pass an over-privileged role to a service.
  • sts:AssumeRole chaining — hop across roles or accounts.
  • Service account impersonation in Google Cloud (iam.serviceAccounts.getAccessToken).
  • Managed identity abuse in Azure — get tokens via instance metadata.
  • Cross-tenant federation abuse.
  • OAuth consent abuse — escalate via tenant-wide app permissions.

Operating System Techniques

  • SUID/SGID misconfigurations on Linux.
  • Sudo misconfigurations (NOPASSWD, dangerous binaries).
  • Token impersonation on Windows.
  • DLL hijacking with privileged services.
  • Unquoted service paths.
  • Vulnerable kernel exploits.

Identity Provider Techniques

  • Federation trust manipulation (Golden SAML).
  • Skeleton key attacks.
  • PIM activation abuse — compromise an eligible admin to activate a privileged role.

Real-World Examples

Example 1: From Helpdesk to Domain Admin

A help desk account has the Reset Password right delegated on an OU that contains a Tier 1 admin account. The attacker phishes the help desk, resets the admin password, logs in, and uses the admin's session to reach a Tier 0 system.

Example 2: Kerberoast → Service Account → DCSync

  • Attacker has a normal user account.
  • Performs Kerberoasting to get a service ticket.
  • Cracks a weak service account password offline.
  • The service account belongs to a group with replication rights.
  • Performs DCSync to dump the KRBTGT hash.
  • Forges a Golden Ticket and gains effective Domain Admin.

This kind of chain is invisible to traditional IAM tools but obvious in attack path analysis.

Example 3: AD CS ESC1

A misconfigured certificate template allows any authenticated user to request a certificate as another user. The attacker enrolls a certificate as a Domain Admin and authenticates with it.

Example 4: AWS iam:PassRole

A developer's IAM role can pass a high-privilege role to an EC2 instance. The attacker spins up an EC2 with that role and inherits its privileges.

A user is tricked into consenting to a malicious OAuth app with Mail.ReadWrite.All and Files.ReadWrite.All. The app reads every mailbox in the tenant — effectively escalating from a single user compromise to tenant-wide data access.

Example 6: GCP Service Account Impersonation

A user has roles/iam.serviceAccountTokenCreator on a service account that owns the production project. They impersonate the service account, obtain its access token, and act as production owner.


Why Privilege Escalation Often Goes Undetected

  • It uses legitimate features (Kerberos tickets, SAML assertions, OAuth tokens, IAM roles).
  • It blends with normal admin activity.
  • Many environments lack fine-grained identity logging.
  • Hidden privilege paths are not surfaced by traditional IAM tools.
  • Detection focuses on endpoints and networks, not identity behavior.

Defenses Against Privilege Escalation

1. Eliminate Standing Privilege

JIT elevation (PIM/PAM) means there are fewer permanently privileged identities to compromise.

2. Right-Size Service Accounts

Most privilege escalation chains pass through overprivileged service accounts. Fixing them breaks many paths.

3. Harden Active Directory

  • Strong, long passwords on service accounts.
  • Disable Kerberos pre-auth opt-out (DONT_REQ_PREAUTH).
  • Restrict delegation; eliminate unconstrained delegation.
  • Audit AD CS templates and remove dangerous flags (ESC1-ESC15).
  • Protect AdminSDHolder and Tier 0 OUs.
  • Rotate KRBTGT regularly.

4. Tighten Cloud IAM

  • Avoid *:* and built-in super roles.
  • Restrict iam:PassRole, sts:AssumeRole, iam.serviceAccounts.getAccessToken.
  • Enforce conditions (MFA, IP, tags).
  • Use IAM analyzers to right-size.

5. Map and Reduce Attack Paths

Continuously analyze who can escalate to what, and break the chains at choke points.

6. Detect Escalation Behavior

  • Kerberoasting, AS-REP roasting, DCSync detections.
  • Anomalous role activations and assumptions.
  • New OAuth grants and consent.
  • Federation and trust changes.

7. Tier Administration

Separate admin accounts and workstations into tiers (Tier 0, 1, 2). Don't let Tier 1/2 credentials flow into Tier 0 systems.

8. Strong, Phishing-Resistant MFA Everywhere

Most escalation starts with credential compromise. Phishing-resistant MFA prevents many initial accesses that would otherwise lead to escalation.


Privilege Escalation Defense Checklist

  • Are admin rights JIT, with no standing privilege?
  • Are service accounts right-sized and rotated?
  • Are AD service account passwords long and randomized?
  • Is AD CS audited for ESC1-ESC15?
  • Are unconstrained and risky constrained delegations removed?
  • Are cloud PassRole / AssumeRole / impersonation rights restricted?
  • Are attack paths to Tier 0 continuously analyzed?
  • Are escalation-related events alerted in SIEM?
  • Is the admin tier model enforced?
  • Is OAuth consent governed and monitored?

How Forestall Helps

Privilege escalation is fundamentally a graph problem — chains of legitimate permissions that combine into illegitimate outcomes. Forestall solves it as a graph problem:

  • Builds a complete model of identities, groups, devices, sessions, and resources across AD, Entra ID, AWS, GCP, and SaaS.
  • Computes every escalation path to Tier 0 and other defined critical assets.
  • Ranks paths by exploitability and impact.
  • Identifies choke points — fixes that break many paths at once.
  • Tracks how the path count shrinks over time.

Forestall transforms privilege escalation from an invisible risk into a measurable, prioritized, fixable backlog.


Frequently Asked Questions

Is privilege escalation a vulnerability?

It can be enabled by vulnerabilities, but more often it exploits misconfigurations and excessive privilege that are not technically "bugs."

What's the difference between privilege escalation and lateral movement?

Lateral movement is moving sideways (host to host, account to account at the same level). Privilege escalation is moving up to higher rights. Real attacks usually combine both.

What's the most common AD escalation today?

AD CS abuse (ESC1-ESC15), Kerberoasting weak service accounts, and DCSync via overprivileged accounts remain the most common.

Can MFA stop privilege escalation?

It stops the initial access in many cases. Once attackers have a foothold, escalation often relies on misconfigurations that MFA doesn't address.

How do I prioritize what to fix first?

Fix choke points — single misconfigurations or overprivileged accounts that enable many escalation paths. Attack path analysis identifies these directly.


Conclusion

Privilege escalation is the bridge between a foothold and a disaster. It is also the stage where defenders have the most leverage: a single well-chosen fix can break dozens of escalation paths at once.

Modern identity environments are too complex for spreadsheets and ad hoc audits. Continuous, graph-based attack path analysis, combined with strong baseline hygiene (JIT, least privilege, hardened AD and cloud IAM), is the most effective way to prevent privilege escalation — and to dramatically reduce the impact of every other attack technique that depends on it.

Privilege EscalationLateral MovementActive DirectoryMITRE ATT&CK

Eliminate the privilege escalation paths attackers find.

Forestall surfaces every chain that turns ordinary access into Tier 0 — and prioritizes the choke points to fix first.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is Privilege Escalation? Types & Defenses | Forestall