What is Privilege Escalation? Definition & Explanation
Privilege escalation is a category of attack in which an adversary gains elevated permissions beyond what was initially granted — moving from a low-privileged user to administrator, root, or domain admin. Mapped as TA0004 in MITRE ATT&CK, privilege escalation is a critical step in nearly every major intrusion.
In-Depth Explanation
Privilege escalation splits into two categories: vertical (a low-privileged user gains higher-privileged access — e.g., user to admin via a kernel exploit, sudo misconfiguration, or service-account abuse) and horizontal (a user accesses another user's data without elevation — e.g., IDOR vulnerabilities in web apps).

Common Linux privilege-escalation vectors include exploitable SUID binaries, weak sudo policies (NOPASSWD entries, exploitable wildcards), kernel exploits (Dirty COW, PwnKit/CVE-2021-4034), misconfigured cron jobs, and writable PATH directories.

Common Windows vectors include token impersonation, DLL hijacking, unquoted service paths, AlwaysInstallElevated registry keys, JuicyPotato/RoguePotato style attacks, and Active Directory misconfigurations (Kerberoasting, ASREPRoasting, GenericWrite/WriteOwner ACL abuse, ADCS ESC1-8 vulnerabilities).

Cloud privilege escalation typically involves IAM misconfigurations — assuming roles via excessive sts:AssumeRole permissions, exploiting iam:PassRole, or chaining permissions through service accounts.

Tools like LinPEAS, WinPEAS, BloodHound, PingCastle, and PowerSploit help defenders and attackers alike enumerate escalation paths. Defenses include rigorous patching, least-privilege IAM, EDR detection of credential dumping and known privesc tools, and tiered admin models.
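The Linux vectors above (weak sudo policies with NOPASSWD entries or wildcards, and writable PATH directories) are the kind of thing a defender can audit mechanically. The following Python script is an added example for this glossary entry, not code from the page's author or from SentinelOne: it parses a sudoers-style policy, flags unrestricted `ALL` grants, wildcard command arguments and `NOPASSWD` entries, and checks the `secure_path` directories for world-writable entries. The `SAMPLE_SUDOERS` text is constructed, and the low/high/critical severity scheme is an assumption for illustration, not a sudo or vendor standard.

```python
"""Audit a sudoers-style policy for weak-sudo and writable-PATH conditions.
Added example for this glossary entry; not the page's or SentinelOne's code.
SAMPLE_SUDOERS is constructed; the severity scheme is an assumed convention."""
import os
import re
import stat
from dataclasses import dataclass

# Constructed sample policy (not taken from any real host).
SAMPLE_SUDOERS = """
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup   ALL=(root) NOPASSWD: /usr/bin/tar -czf /backups/*.tgz *
www-data ALL=(root) NOPASSWD: ALL
auditor  ALL=(root) /usr/bin/less /var/log/syslog
"""

SEVERITY_RANK = {"low": 1, "high": 2, "critical": 3}  # assumed scheme


@dataclass
class Finding:
    user: str
    severity: str  # low | high | critical
    reason: str
    line: str


# user  host=(runas) [TAG: ...] command list
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_user_specs(text):
    """Return (user, runas, tags, cmds, raw_line) for each user specification."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append((m["user"], m["runas"], m["tags"], m["cmds"].strip(), line))
    return specs


def audit_specs(specs):
    """Flag unrestricted ALL commands, wildcard arguments and NOPASSWD grants
    for every principal except root, which already holds full privilege."""
    findings = []
    for user, _runas, tags, cmds, line in specs:
        if user == "root":
            continue
        nopasswd = "NOPASSWD" in tags
        for cmd in (c.strip() for c in cmds.split(",")):
            reasons, severity = [], None
            if cmd == "ALL":
                reasons.append("unrestricted ALL command")
                severity = "critical" if nopasswd else "high"
            elif any(ch in cmd for ch in "*?["):
                # A wildcard lets the caller influence which argument list sudo accepts.
                reasons.append("wildcard in command arguments")
                severity = "high"
            if nopasswd:
                reasons.append("NOPASSWD")
                severity = severity or "low"
            if severity:
                findings.append(Finding(user, severity, "; ".join(reasons), line))
    return findings


def parse_secure_path(text):
    """Extract the directory list from a Defaults secure_path line, if present."""
    m = re.search(r'secure_path\s*=\s*"([^"]+)"', text)
    return m.group(1).split(":") if m else []


def world_writable_dirs(dirs, mode_of=None):
    """Return PATH directories any local user could write to (world-writable and
    no sticky bit). mode_of(path) -> st_mode or None is injectable so the check
    can run offline; by default it uses os.stat on the live filesystem."""
    if mode_of is None:
        def mode_of(path):
            try:
                return os.stat(path).st_mode
            except OSError:
                return None
    risky = []
    for d in dirs:
        mode = mode_of(d)
        if mode is None:
            continue
        if (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
            risky.append(d)
    return risky


def run_audit(text):
    """Run both checks over one policy text; returns (findings, risky_path_dirs)."""
    return audit_specs(parse_user_specs(text)), world_writable_dirs(parse_secure_path(text))


if __name__ == "__main__":
    findings, risky = run_audit(SAMPLE_SUDOERS)
    for f in sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True):
        print(f"[{f.severity:8}] {f.user:10} {f.reason}\n           {f.line}")
    for d in risky:
        print(f"[high    ] secure_path directory {d} is world-writable")
```

On the constructed sample, `www-data` (NOPASSWD plus `ALL`) is the critical finding, `%admin` and the wildcard `tar` entry are high, the fixed `systemctl restart app` NOPASSWD grant is low, and the `auditor` entry (fixed command, password required) produces nothing. Run it against `/etc/sudoers` and the files under `/etc/sudoers.d` to get the same triage for a real host; the severity labels are a starting point for review, not a verdict.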
Why It Matters for Security
Privilege escalation transforms a minor compromise into a major breach — without it, an attacker who phishes a single user account is limited to that user's data and access. With it, the same attacker reaches domain admin, cloud admin, or root within hours and can deploy ransomware organization-wide. Detection and prevention of privilege escalation (via patching, least privilege, tiered admin, EDR/XDR, and identity threat detection) is one of the highest-leverage defensive investments.
Related Tools
- SentinelOne Singularity
AI-powered autonomous endpoint protection platform with EDR/XDR, automated response, and threat hunting across endpoints, cloud, and identity.
- SentinelOne Singularity Identity
AI identity threat detection across Entra ID, Active Directory, and multi-cloud.
- SentinelOne Singularity
Autonomous AI EDR/XDR with one-click rollback. Gartner Leader four years running.
Frequently Asked Questions
What does Privilege Escalation mean in cybersecurity?
Privilege escalation in cybersecurity is a category of attack in which an adversary gains elevated permissions beyond what was initially granted — moving from a low-privileged user to administrator, root, or domain admin through exploitable vulnerabilities, misconfigurations, or credential theft.
Why is Privilege Escalation important?
Privilege escalation matters because it transforms a minor compromise (a single phished user) into a catastrophic one (domain admin and organization-wide ransomware). Detection and prevention through patching, least privilege, tiered administration, and EDR-based credential-dumping detection is one of the highest-leverage defensive investments.