What is a Privilege Escalation Attack?
A privilege escalation attack is a cyberattack to gain illicit access to elevated rights, permissions, entitlements, or privileges beyond what is assigned for an identity, account, user, or machine. This attack can involve an external threat actor or an insider threat. Privilege escalation is a key stage of the cyberattack chain and typically involves the exploitation of a privilege escalation vulnerability, such as a system bug, misconfiguration, or inadequate access controls.
In this blog, I will explain how privilege escalation works, the key attack vectors involved with privilege escalation, and the critical privileged access security controls you can implement to prevent or mitigate it.
How does Privilege Escalation Work?
Every local interactive session or remote access session represents some form of privileged access, regardless of whether it is executed by a human or a machine. This encompasses everything from guest privileges allowing local logon only, to administrator or root privileges for a remote session and potentially complete system control. Therefore, every account that interacts with a system has some privileges assigned.
A standard user account rarely has rights to a database, sensitive files, or anything of value. So, how does a threat actor navigate an environment and gain administrator or root privileges to exploit them as an attack vector? There are five primary methods:
- Credential exploitation
- Vulnerabilities and exploits
- Misconfigurations
- Malware
- Social engineering
The attack chain diagram below shows the primary techniques used by a threat actor, regardless of whether an insider or external threat, to begin their mission and propagate through an environment.

How do Privilege Escalation Attacks Start?
Privilege escalation attacks start by threat actors gaining entry within the environment. An attacker could gain a foothold by leveraging missing security patches, social engineering, or other methods from basic password stuffing (or credential stuffing) to modern techniques using generative AI. Once the initial infiltration has been successful, threat actors will typically perform surveillance and wait for the right opportunity to continue their mission.
Threat actors strive to pursue the path of least resistance. If time permits, they clean up their activities to remain undetected. Whether this involves masking their source IP address or deleting logs based on the credentials they are using, any evidence of their presence reflects an indicator of compromise (IoC). Once an organization identifies an intrusion, they may monitor the intruder’s intentions and potentially pause or terminate the access session.
Typically, the second step in the cyberattack chain involves privilege escalation to accounts with administrative, root, or higher-privileged rights than the account initially compromised. Of course, it’s possible the initial compromise involved an administrative or root account. If this is the case, a threat actor is further along in their malicious plans and may already own an environment.
Vertical vs Horizontal Privilege Escalation
Privilege escalation attacks are separated into two broad categories—horizontal privilege escalation and vertical privilege escalation. Often confused with each other, these terms are defined as follows:
Horizontal privilege escalation
Horizontal privilege escalation involves gaining access to the rights of another account—human or machine—with similar privileges. This action is referred to as “account takeover.” Typically, this would involve lower-level accounts (e.g., standard user), which may lack proper protection. With each new horizontal account compromised, an attacker broadens their sphere of access with similar privileges. This is basic lateral movement.
Vertical privilege escalation
Vertical privilege escalation, also known as a privilege elevation attack, involves an increase of privileges/privileged access beyond what a user, application, or other asset already has. This entails moving from a low level of privileged access to a higher level of privileged access. Achieving vertical privilege escalation could require the attacker to perform a number of intermediary steps (e.g., execute a buffer overflow attack) to bypass or override privilege controls, exploit flaws in software, firmware, or the kernel, or obtain privileged credentials for other applications or the operating system itself.
5 Examples of Privilege Escalation Attacks
Let’s now look at five major classes of privilege escalation attacks:
1. Credential Exploitation
Valid single-factor credentials (1FA - username and password) will allow a typical user to authenticate against a resource. However, if a threat actor knows the username, obtaining the account’s password becomes a hacking exercise. Often, a threat actor will first target a systems administrator since their credentials frequently have privileges to directly access sensitive data and systems. With a sysadmin’s credentials and access, a cybercriminal can move laterally while arousing little or no suspicion since it is a trusted privileged account.
Once a threat actor has compromised credentials, every privilege the account has is now fair game for the attacker. If the threat actor is detected, an organization typically resets passwords as a high priority and reimages infected systems to mitigate the threat (especially if it involves servers). However, requesting a password change alone does not always resolve the incident because the method of obtaining the credentials in the first place may involve other attack vectors, like malware or a compromised cell phone. This provides the threat actor with a persistent presence until their infiltration has been fully eradicated.
Compromised credentials are the easiest privileged attack vector for a threat actor to succeed with. The accounts associated with credentials control almost every aspect of a modern information technology environment—from administrators to service accounts. Unfortunately, credential theft can be accomplished via password reuse attacks, memory-scraping malware, and innumerable other ways.
Privileged escalation of credentials from a standard user to administrator can happen using a variety of techniques described in this blog. Credentials compromised for the most sensitive accounts (domain, database administrator, etc.) can be a “game over” event for some companies. IT security teams should always scrutinize any superuser accounts as well and identify them during a risk assessment. Privileged account credentials are a prime attack vector for horizontal privilege escalation, and you should prioritize their protection over the course of your privileged access management (PAM) journey.
2. Privileged Vulnerabilities and Exploits
Vulnerabilities are mistakes in code, design, implementation, or configuration that may allow malicious activity to occur via an exploit. Vulnerabilities can involve the operating system, applications, web applications, infrastructure, the cloud, and so on. They can also involve protocols, transports, and communications in between resources from wired networks, Wi-Fi, and tone-based radio frequencies (old school – i.e., 2600 club).
A vulnerability itself does not allow for a privileged attack vector to succeed; it just means a risk exists. Absent an exploit, a vulnerability is just a potential problem.
When it comes to actual exploits, some are only proof-of-concept, some are unreliable, while others are easily weaponized. Some exploits are included in commercial penetration testing tools or free, open-source hacking tools. In addition, some vulnerabilities are sold on the dark web to perpetrate cybercrimes. Other vulnerabilities are used exclusively by nation-states until they are patched or made public (intentionally or not).
Depending on the vulnerability, available exploit, and resources assessed with the flaw, the actual risk could be limited in scope, or an impending disaster. The combination of vulnerability, available exploit, exposure of resource, mitigating controls, and likelihood of an attack all contribute to how effectively a vulnerability can be leveraged against an organization. This helps formulate a risk score. The common method for scoring is CVSS.
It is important to note that only a small subset of vulnerabilities allows vertical privilege escalation as a part of the exploitation payload. However, if the vulnerability itself leads to an exploit allowing changes (privileged escalation from one user’s permissions to another), the risk is a worrisome privileged attack vector.
Elevation of privilege vulnerabilities (which allow for vertical privilege escalation) are responsible for many of the worst exploits in recent years—including BlueKeep, WannaCry, and NotPetya. However, don’t be fooled: exploitation—even with standard user privileges—can inflict devastation in the form of ransomware or other vicious attacks. Fortunately, most exploits can be contained or mitigated by reducing privileges and minimizing the surface area for a cyberattack.
Exploits wreak the most havoc with the highest privileges, hence the security best practice recommendation to operate with least privilege and remove administrative rights from all end users.
3. Misconfigurations
Configuration flaws are another form of exploitable vulnerabilities. These are flaws requiring mitigation – not remediation.
What is the difference between remediation and mitigation? Remediation implies the deployment of a software or firmware patch to correct the vulnerability. This process is commonly referred to as patch management. Mitigation, on the other hand, refers to an alteration in the existing deployment that deflects (mitigates) the risk from being exploited. Generally, these mitigations are just a change in settings or in the runtime using supported features.
The most common configuration problems exploited for privileges involve accounts with poor default security settings. Examples of poor security settings include:
- Blank or default passwords for administrator or root accounts established upon initial configuration.
- Insecure access that is not locked down after an initial installation (often due to lack of expertise).
- Undocumented backdoors into the environment.
- Accounts only secured with single factor authentication and guessable or crackable passwords or secrets.
If the flaw is severe enough, a threat actor can gain root or administrator privileges with minimal effort.
Configuration errors in cloud resources represent a rapidly growing source of privileged attacks for cloud and XaaS providers.
4. Malware
Malware, which includes viruses, spyware, worms, adware, ransomware, etc., refers to any class of undesirable or unauthorized software designed to have malicious intent on a resource. The intent can range from surveillance, data exfiltration, disruption, command and control, denial of service, to extortion. Malware provides a vehicle for attackers to instrument cybercriminal activity.
Malware, like any other program, can potentially execute at any permission from standard user to administrator (root) based on the context it was originally executed within. Malware can install on a resource via:
- Vulnerability and exploit combinations
- Legitimate installers or bootlegged software or media
- Weaknesses in the supply chain
- Social engineering via phishing or drive-by Internet attacks
Irrespective of the malware delivery mechanism, the motive is to execute code on a resource. Once running, it becomes a race between detection by endpoint security vendors and threat actors to keep executing, evade discovery, and remain persistent. Modern malware continues evolving to better elude detection and disable cyber defenses to continue its proliferation.
Malware may perform functions like scraping memory for password hashes and keystroke logging. This allows for the stealing of passwords to perform attacks based on privileges by the malware itself, or other attack vectors deployed by the threat actor.
Malware is just a transport vehicle to continue the propagation of a sustained attack. As such, malware ultimately needs permissions to obtain the target information sought after by the attacker. The malware subset that scrapes memory, installs additional malicious software, or provides surveillance is the most pertinent to privileged escalation. Its goal is surveillance to execute a vertical privileged attack in the future.
5. Social Engineering
Social engineering attacks capitalize on the trust people have in the communications (voice, email, text, etc.) addressed to them. If the message is well crafted, and potentially even spoofs someone trusted, then the threat actor has already succeeded in the first step of an attack.
From a social engineering perspective, threat actors attempt to capitalize on a few key human traits to meet their goals:
- Trustworthiness: The belief the correspondence, of any type, is from a trustworthy source.
- Credulity: The belief the contents, as crazy or simple as they may be, are in fact real. This drives much of our behavior in believing “fake news”.
- Sincerity: The intent of the content is in your best interest to respond or open.
- Curiosity: The attack technique has not been identified (as part of previous training), or the person remembers the attack vector but does not react accordingly.
- Laziness: The correspondence initially looks good enough but investigating the URLs and contents for malicious activity does not seem worth the effort. This includes obvious misspellings that may be included and ignored in the contents.
If we consider each of these characteristics, we can appropriately train team members to improve resistance to social engineering attacks. The difficulty is overcoming human traits. For instance, if a team member is victimized by a social engineering attack, then the threat actor can gain access and potentially install malware, ransomware, or escalate privileges. Successful social engineering allows the employee to “open the door” for a threat actor to conduct their nefarious mission.
Operating Systems and Privileged Escalation
We have considered common methods leveraged for privileged escalation and the most common techniques to obtain administrative privileges—but how does this apply to your organization? Consider the table below:

Some operating systems are more prone to social engineering simply based on user interaction. For instance, social engineering is a more common contributor to Windows privilege escalation attacks. On the other hand, Unix and Linux privilege escalation attacks are rarely the result of social engineering, but rather misconfigurations, vulnerabilities and exploits, and targeted insider attacks. This is true simply because Windows is far more prevalent on end-user desktops than other operating systems.
However, credential exploitation can happen on any operating system and device. If credentials are exposed using any of the techniques we have discussed, then a privileged escalation can occur using any of the additional methods available to threat actors. No asset, application, or resource is immune to a credential-based attack. And none of them are immune from privileged escalation. By adopting technologies like Single Sign On (SSO) and Multi-Factor Authentication (MFA), organizations can mitigate risk. When this is combined with good cybersecurity hygiene like segmentation, privileged access management (PAM), patch management, vulnerability management, and change control, a strong defense-in-depth emerges. But remember, none of these security practices are 100% effective.
Privilege Escalation Attack Vectors
An attack vector is a technique by which a threat actor, hacker, or attacker gains access to a system, application, or resource to perform malicious activity. This can include everything from installing malware, altering files or data, or even some form of persistent reconnaissance.
Privileged escalation attack vectors arguably represent the worst cyber threats because the attacker can become the administrator and owner of all the information technology resources within your company. And with this power, your data, assets, applications, and resources potentially can fall under some form of foreign control.
Now that we understand the techniques for privileged attacks, let’s explore the most common methods by which privileges and credentials are compromised, and hence, stolen and leveraged for escalation.
Password Hacking
Password hacking involves attackers attempting to use a variety of programmatic techniques and automation by leveraging specialized tools. These attacks can lead to administrator privileges if the account has been granted these rights. This represents another reason to limit the number of administrator accounts in an environment and enforce least privilege. If the account is an administrator, the threat actor can easily circumvent other security controls, achieve lateral movement, and opportunistically attempt to crack other privileged account passwords.
Password Guessing
One of the most popular techniques for password hacking is simply password guessing. A random guess is rarely successful unless it is a common password or based on a dictionary word. Flat-out guessing is somewhat of an art, but knowing information about the target identity enhances the likelihood of a successful guess. Relevant information can be gathered via social media, direct interaction, deceptive conversation, or even data gleaned and merged or aggregated from prior breaches. Password guessing attacks also tend to leave evidence in event logs and result in auto-locking of an account after “n” attempts.
In addition, if the account holder reuses passwords between resources, then the risks of password guessing and lateral movement dramatically increase. Imagine a person who uses only one or two base passwords everywhere—for all their digital presence and privileged accounts. Unfortunately, this happens all the time!
Shoulder Surfing
Shoulder surfing enables a threat actor to gain knowledge of credentials through observation. This includes observing passwords, PINs, and swipe patterns as they are entered, as well as passwords scribbled on a sticky note. The shoulder surfing concept is simple, yet ancient. A threat actor watches physically, or with the aid of an electronic device like a camera, for passwords and later reuses them for an attack. Therefore, we should all be mindful of shielding the entry of our ATM PIN.
Dictionary Attacks
Dictionary attacks are an automated technique (unlike password hacking or guessing) utilizing a list of passwords against a valid account to reveal the password. The list itself is a dictionary of words. Basic password crackers use these lists of common single words like “baseball” to crack a password, hack an account, and reveal the complete credential used for authentication.
If the threat actor knows details about the resource they are trying to compromise, like password length and complexity requirements, they can customize the dictionary to target the resource more efficiently. Therefore, more advanced programs often combine a dictionary with numbers or common symbols added at the beginning or end of each attempt to mimic a real-world password with complexity requirements.
An effective dictionary attack tool lets a threat actor do the following:
- Set complexity requirements for length, character requirements, and character set
- Allow for the manual addition of words, such as names or another personally identifiable combination of words
- Include common misspellings of frequently used words
- Operate with word dictionaries in multiple languages
The most common ways to mitigate the threat of a dictionary attack are account lockout settings and password complexity policies. Lockout protection means that after “n” wrong attempts, a user’s account is automatically locked for a period of time and is then unlocked manually by an authority (e.g., the help desk) or via an automated password reset solution.
In many environments, especially for nonhuman accounts, account lockouts can disrupt business operations. Therefore, many organizations disable this security setting. Consequently, if logon failures are not being monitored in event logs, a dictionary attack is an effective attack vector for a threat actor. This is especially true if privileged accounts do not have this setting enabled as a mitigation strategy.
Brute Force Password Attacks
Brute force password attacks are the least efficient method for trying to hack a password, so they are generally used as a last resort. Brute force password attacks utilize a programmatic method to try all the possible combinations for a password. This method is efficient for passwords that are short in string (character) length and complexity but can become infeasible—even for the fastest modern systems—with a password of eight characters or more.
If a password only has alphabetical characters, all in capitals or all in lowercase (not mixed), it will take 8,031,810,176 guesses. You have a better chance of winning the lottery! This estimation also assumes the threat actor knows the length of the password and complexity requirements. Other factors include numbers, case sensitivity, and special characters in the localized language.
While a brute force attack with the proper parameters will eventually find the password, the time and computing power required may render the brute force test futile. And the time it takes to perform the attacks is not only based on the speed required to generate all the possible password permutations, but also the challenge and response time of a failure on the target system. The response lag time is what really matters when trying to brute force a password.
Pass-the-Hash (PtH)
Pass-the-Hash is a hacking technique allowing an attacker to authenticate to a resource by using the underlying NT LAN Manager (NTLM) hash of a user’s password, in lieu of using the account’s actual human-readable password. After a threat actor obtains a valid username and hash for the password using a variety of techniques, like scraping a system’s active memory, they can use the credentials to authenticate to a remote server or service using LM or NTLM authentication.
PtH attacks exploit an implementation weakness in the authentication protocol, where the password hash remains static for every session until the password itself is changed. You can perform a PtH against almost any server or service accepting LM or NTLM authentication, regardless of whether the resource is using Windows, Unix, Linux, or another operating system. Unfortunately, modern malware can contain techniques to scrape memory for hashes, making any active-running user, application, service, or process a potential target. Once you obtain the hash, command and control or other automation allows for additional lateral movement (horizontal) or data exfiltration.
Modern systems can defend against Pass-the-Hash attacks in a variety of ways. However, changing the password frequently (after every interactive session) is a good defense to keep the hash different between the sessions. Password management solutions that frequently rotate passwords or customize the security token are good defenses against this technique.
Security Questions
Financial institutions and merchants use security questions to verify a user against their account. The concept is to ask them questions challenging them to respond to private and personal information only the end user should know.
Many organizations require a user to answer these questions when they set up a new account. The question-answer pairs serve as a form of two-factor authentication to verify a user’s identification in the event of a forgotten password. The end user is prompted to respond to security questions when logging on from a new resource, when they select “forgot password”, or even when they change their password to improve the confidence of their identity.
However, many organizations also use common security questions and thus present potentially far-reaching risks. For instance, the more places and people that know the answers to your security questions, the more likely they can be answered by someone else. Additionally, if the information is public, then it is not a legitimate security question at all.
When a resource requests that you complete and use security questions, my recommendation is to use the most obscure questions no one besides yourself may know the answers to. Moreover, be careful to never share information online similar to another site that uses the same security questions.
Credential Stuffing
Credential stuffing is a type of automated hacking technique using stolen credentials comprised of lists of usernames (or email addresses) and the corresponding passwords to gain unauthorized access to a system or resource. The technique generally involves automation to submit login requests against an application and to capture successful login attempts for future exploitation.
Credential stuffing attacks do not attempt to brute force or guess any passwords. In these attacks, the threat actor automates authentication based on previously discovered credentials. The result can be millions of attempts to determine where a user potentially reused their credentials on another website or application. Credential stuffing attacks prey on password reuse and are only effective because so many users reuse the same credential combinations across multiple sites.
Password Spraying
Password spraying is a credential-based attack that tries to access a multitude of accounts by using a few common passwords. This is conceptually the opposite of a brute force password attack.
During a password-spray attack, the threat actor attempts a single, commonly used password (such as “12345678” or “Passw0rd”) against many accounts before moving on to attempt a second password. Essentially, the threat actor tries every user account in their list with the same password before resetting the list and trying the next password. This technique minimizes the risk of the threat actor being caught, avoids account lockouts, and evades hacking detection on a single account due to the time between attempts.
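The failed-logon monitoring that the dictionary-attack and password-spraying sections call for can be sketched as follows (an added example, not part of the original post). It separates many failures against one account from one source failing against many accounts, which per-account lockout counters never see. The event tuples, thresholds, and all names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(clock):
    """Timestamp on a constructed date for the sample events."""
    return datetime.strptime("2024-01-15 " + clock, "%Y-%m-%d %H:%M:%S")


# Constructed failed-logon events: (timestamp, source address, account).
# Addresses are from documentation ranges; account names are made up.
STAFF = ["alice", "bob", "carol", "dave", "erin"]
SAMPLE_FAILURES = (
    # One source tries one password against every account, waits, then comes
    # back with a second password: only two failures per account in total.
    [(_t(f"09:0{i}:00"), "198.51.100.7", user) for i, user in enumerate(STAFF)]
    + [(_t(f"09:4{i}:00"), "198.51.100.7", user) for i, user in enumerate(STAFF)]
    # A word list run against a single service account.
    + [(_t(f"09:10:{i * 10:02d}"), "203.0.113.20", "svc-backup") for i in range(6)]
    # An ordinary user mistyping a password twice.
    + [(_t("10:15:00"), "192.0.2.15", "frank"), (_t("10:15:20"), "192.0.2.15", "frank")]
)


def _windows(hits, window):
    """Yield each run of time-ordered hits whose span fits inside `window`."""
    hits = sorted(hits)
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        yield hits[start:end + 1]


def classify_failures(events, window=timedelta(minutes=30),
                      lockout_threshold=5, spray_accounts=4):
    """Split failed logons into per-account attacks and per-source sprays.

    lockout_threshold: failures on one account inside the window (the "n"
        of a lockout policy) that indicate guessing or a dictionary run.
    spray_accounts: distinct accounts one source may fail against inside
        the window before it is reported as spraying.
    """
    by_account = defaultdict(list)  # account -> [(timestamp, source)]
    by_source = defaultdict(list)   # source  -> [(timestamp, account)]
    for ts, source, account in events:
        by_account[account].append((ts, source))
        by_source[source].append((ts, account))

    targeted = {
        account for account, hits in by_account.items()
        if any(len(run) >= lockout_threshold for run in _windows(hits, window))
    }
    spraying = {
        source for source, hits in by_source.items()
        if any(len({account for _, account in run}) >= spray_accounts
               for run in _windows(hits, window))
    }
    return {"targeted_accounts": targeted, "spraying_sources": spraying}


if __name__ == "__main__":
    print(classify_failures(SAMPLE_FAILURES))
```

In the sample, no sprayed account ever comes near the lockout threshold, so only the per-source view reports the spraying address.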
Password Changes and Resets
How often do you change your passwords? Every 30 or 90 days when prompted to at work? How about at home? How often do you rotate passwords for your banking, e-commerce, streaming, or social media accounts? Probably not often, if ever, and surprisingly, that might be okay!
Without a password manager, keeping all of one’s passwords unique and complex is a daunting task—even for the most seasoned security professional.
Unfortunately, there is a common risk in resetting (not to be confused with changing) passwords that makes them targets for threat actors. Resetting a password is the act of a forced password change by someone else—not a change initiated by the password user. Risks associated with password resets include:
- Easily guessable, pattern-based passwords (as described earlier) when reset
- Passwords reset via email or text message and kept by the end user
- Passwords reset by the help desk that are reused every time a password reset is requested
- Automated password resets blindly given due to account lockouts
- Passwords that are verbally communicated and can be heard aloud
- Complex password resets that are written down by the end user
Anytime a password is reset, there is an implicit acknowledgment that the old password is at risk and needs to be changed. Perhaps it was forgotten, expired, or triggered a lockout due to numerous failed attempts. The reset, transmission, and storage of the new password are a risk until the password is changed again by the end user.
When an identity has been compromised, a threat actor may request a password reset. The attacker then creates their own credentials for the account. Anytime a user requests a password reset, the following best practices should be implemented:
- The password should be random and meet the complexity requirements per business policy.
- The password should be changed by the end user after the first logon and require, if implemented, two-factor or MFA to validate.
- Password reset requests should always come from a secure location.
- Public websites for businesses (not personal) should never have “Forgot Password” links.
- Password resets via email assume the end user maintains access to email in order to receive the new password. If the email password itself requires resetting, another method needs to be established.
- Do not use SMS text messages—they are not sufficiently secure for sending password reset information.
- If possible, password resets should be ephemeral. That is, the password reset should only be active for a predefined duration. If the end user has not accessed the account again within the predefined amount of time, an account lockout will occur.
While changing passwords frequently remains a security best practice for privileged accounts, resetting passwords and transmitting them through unsecure mediums is not. For the individual, a simple password reset can be the difference between a threat actor trying to own your account and a legitimate reason.
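A minimal sketch of the reset practices listed above: a random temporary password, a forced change with MFA after first logon, and an ephemeral reset that locks the account if unused (an added example, not code from the original post). The `ResetDesk` class, the 15-minute lifetime, and the result strings are hypothetical choices for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

RESET_LIFETIME = timedelta(minutes=15)  # assumed policy value


def _digest(secret):
    # A plain SHA-256 is adequate only because the secret is long and random;
    # user-chosen passwords need a slow, salted password hash instead.
    return hashlib.sha256(secret.encode()).digest()


class ResetDesk:
    """Hypothetical help-desk backend that issues temporary passwords."""

    def __init__(self):
        self.pending = {}         # account -> (digest, expiry); never the secret
        self.must_change = set()  # accounts that logged on with a temp password
        self.locked = set()       # accounts locked because the reset lapsed

    def issue(self, account, now):
        """Create a random temporary password and return it exactly once."""
        temp = secrets.token_urlsafe(18)  # 144 random bits, 24 characters
        self.pending[account] = (_digest(temp), now + RESET_LIFETIME)
        return temp

    def sweep(self, now):
        """Lock every account whose temporary password was not used in time."""
        for account, (_, expiry) in list(self.pending.items()):
            if now >= expiry:
                del self.pending[account]
                self.locked.add(account)

    def redeem(self, account, temp, now):
        """First logon with the temporary password."""
        self.sweep(now)
        if account in self.locked:
            return "locked"
        record = self.pending.get(account)
        if record is None or not hmac.compare_digest(record[0], _digest(temp)):
            return "denied"
        del self.pending[account]      # single use
        self.must_change.add(account)  # no further access until changed
        return "change-required"

    def complete_change(self, account, mfa_verified):
        """The end user sets their own password, validated with MFA."""
        if account not in self.must_change or not mfa_verified:
            return False
        self.must_change.discard(account)
        return True


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed time
    desk = ResetDesk()
    temp = desk.issue("jsmith", now)
    print(desk.redeem("jsmith", temp, now + timedelta(minutes=5)))
    print(desk.complete_change("jsmith", mfa_verified=True))
```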
Access Token Manipulation
Access Token manipulation provides adversaries with a vehicle to modify access tokens to operate under a different user or system security context and to perform actions and bypass access controls. The Microsoft Windows operating system uses access tokens to determine the runtime ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to a user other than the one who started the process. If this occurs, the process also takes on the security attributes associated with the new token.
The Windows API allows for a threat actor to copy access tokens from existing processes. This is called token stealing. Applying stolen tokens to an existing process or using them to spawn a new process is analogous to theft or impersonation in the real world. Fortunately, a threat actor needs to be an administrator to steal a token.
However, threat actors commonly use token theft to elevate the processes of their profile from the administrator to operating as SYSTEM. In addition, a stolen token can be used for lateral movement to authenticate to a remote system if the account for that token can authenticate as a valid user on the remote system. As an example, any standard user can use the “RunAs” command via the user interface or command line, and the Windows API functions, to create an impersonation token. Actual administrator access to an account is not a requirement. Therefore, this provides a method for a privileged attack if a threat actor has local access to a host.
UAC (User Account Control) Bypass Techniques
UAC (User Account Control) bypass techniques provide a vehicle for threat actors to bypass UAC security controls to elevate running process privileges on a system. Windows UAC functionality allows a program to elevate its privileges to perform a task after prompting the user to accept the changes to its runtime permissions. The user has a choice to select these options based on a UAC prompt:
- Deny the operation to continue and terminate the process immediately
- Allow the user to perform the action if they are in the local administrators group
- Prompt the user to supply credentials that have privileges to continue the operation
Depending on the UAC protection level set on the computer (only high is immune), certain Windows applications can elevate privileges or execute some operating system functions, like COM, without prompting the user. A threat actor could bypass UAC controls if the protection level is set lower than “high” for application compatibility or for usability. Malicious software may also be injected into a trusted process to gain elevated privileges—without prompting a user—making this privileged attack vector a prime choice for exploitation.
Identity Enumeration
Identity enumeration attacks, including those exploiting sudo, occur when a threat actor applies techniques like brute force to guess or confirm which users are valid for authentication to a resource. User enumeration is often associated with web-based applications, although it can also be found in any application requiring a traditional user and credential-based authentication. Two of the most common areas where user enumeration occurs are:
- In an application login page, based on a failed authentication response
- “Forgot Password” functionality that may trigger a workflow or reply “no account found”
Essentially, the threat actor is watching how the server's response changes with the validity of the submitted credentials to determine if the account they tried is valid. This is a common response mechanism for many applications.
When the user enters a valid username and invalid password, the server returns a response saying the password is incorrect. If the threat actor enters an invalid username, regardless of the password, typical applications respond with no account found. Consequently, a threat actor can determine if their hacking attempt is using a valid account and incorrect password, or if the account they are trying will never authenticate. Based on automation and brute force checks, they can enumerate valid accounts for a resource and attempt future privileged attacks based on common passwords, reused passwords, or others gleaned from previous attacks.
Finally, if the threat actor can determine the naming pattern for a company (e.g., first initial plus last name), then building a list for enumeration and future attacks becomes much easier.
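The login and “Forgot Password” behavior described above can be closed off by making every failure look the same to the caller. The following is an added example, not code from the original article: it puts a handler that leaks account validity beside one that returns a single generic reply and does the same hashing work for unknown usernames. The account store, function names, messages and PBKDF2 parameters are all hypothetical.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative, not a recommendation from the article
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample account store: username -> (salt, password hash)
USERS = {"jsmith": _record("correct horse battery staple")}
# Throwaway record so an unknown username costs the same hashing work
_DUMMY = _record(os.urandom(16).hex())
OUTBOX = []  # hypothetical stand-in for a mail queue

GENERIC_FAILURE = "Invalid username or password"
GENERIC_RESET = "If that account exists, a reset link has been sent"

def login_leaky(username: str, password: str) -> str:
    """Distinct replies per failure cause: the behavior described in the text."""
    rec = USERS.get(username)
    if rec is None:
        return "No account found"
    salt, stored = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password"
    return "OK"

def login_uniform(username: str, password: str) -> str:
    """One reply and one code path for every failed attempt."""
    rec = USERS.get(username)
    salt, stored = rec if rec is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if rec is None or not matches:
        return GENERIC_FAILURE
    return "OK"

def forgot_password(username: str) -> str:
    """Queue mail only for real accounts, but answer identically either way."""
    if username in USERS:
        OUTBOX.append(username)
    return GENERIC_RESET
```

Uniform replies remove the oracle but not the guessing itself, so rate limiting and lockout monitoring on the same endpoints are still needed.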
Malware
Malware is any piece of computer software (including firmware, microcode, etc.) written with the intent of damaging devices, stealing data, and generally, causing a resource to behave in ways not in accordance with its intended design.
There are eight different types and sources for malware, any of which can be used for privilege escalation attacks:
- Bugs are a type of error, flaw, vulnerability, or failure that produces an undesirable or unexpected result due to poor software coding or unexpected operational conditions.
- Worms rely on bugs, vulnerabilities, and exploits to deliver a payload and propagate themselves to other resources.
- A virus is any piece of malicious software loaded onto your website or computer without your knowledge.
- Bots are malicious software programs created to perform a specific set of tasks with a known intent.
- A Trojan disguises itself as a normal file or application and tricks the user into downloading, opening, or executing it.
- Ransomware denies access to your files, typically through encryption, and demands a ransom (usually in the form of digital and cryptocurrencies like Bitcoin) to release the threat actor’s grip on your data.
- Adware is a type of malware used to automatically display unwanted, and potentially illegal, advertisements to an end user.
- Spyware is a type of malware used to conduct surveillance on a user’s activity. These functions can include monitoring the user’s screen, capturing keystrokes, and even enabling the asset’s camera and microphone for surveillance.
Finally, generative AI is a relative newcomer to the privileged attack landscape, but as a technology in and of itself, it does not represent a method of attack. Instead, it can be used to expedite any of the other attack vectors listed above by creating more convincing social engineering attacks, creating new forms of malware, and even enumerating assets for an attack based on public information. While some may consider generative AI a security risk in developing code or fallible for creating documentation, it provides an easy step for threat actors to create malicious content that otherwise would have been too time consuming or difficult to create based on information readily available. While new defensive measures are actively being developed, fingerprinting and classification of attacks built with generative AI will be the first step in mitigating the risks throughout an enterprise.
How to Prevent and Stop Privilege Escalation Attacks
Because privilege escalation attacks can start and advance in a myriad of different ways, multiple defense strategies and tactics are required for protection. However, implementing an identity-centric approach and privileged access management controls will help your organization protect against the broadest range of attacks and go the furthest to reducing the attack surface. Here are some best practices:
- Fully manage the identity lifecycle, including provisioning and de-provisioning of identities and accounts to ensure there are no orphaned accounts to hijack.
- Use a password management solution to consistently apply strong credential management practices (discovery, vaulting, central management, check-in, check-out) for both humans and machines. This also entails eliminating default and hardcoded credentials.
- Enforce least privilege: Remove admin rights from users and reduce application and machine privileges to the minimum required. Just-in-time access should also be implemented to reduce persistent or standing privileges.
- Apply advanced application control and protection to enforce granular control over all application access, communications, and privilege elevation attempts.
- Monitor and manage all privileged sessions to detect and quickly address any suspicious activity that might indicate a hijacked account or an illicit attempt at privilege escalation or lateral movement.
- Harden systems and applications: This complements the principle of least privilege and can involve configuration changes, removing unnecessary rights and access, closing ports, and more. This improves system and application security and helps prevent and mitigate bugs that leave systems vulnerable to injection of malicious code (e.g., SQL injection), buffer overflows, or other backdoors that could allow privilege escalation.
- Vulnerability management: Continuously identify and address vulnerabilities, such as with patching, fixing misconfigurations, eliminating default and/or embedded credentials, etc.
- Secure remote access should always be monitored and managed for any form of privileged access since attacks can occur horizontally and vertically to exploit privileges.

Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.