What Is Privilege Escalation? Attacks & Defense Explained
Jan 16, 2026
Learn what privilege escalation is, how privilege escalation attacks work, which vectors attackers use, and which controls help reduce escalation risk.
Author:
Morey J. Haber
Chief Security Advisor
What Is Privilege Escalation?
Privilege escalation is a cyberattack in which an external threat actor or an insider gains rights, permissions, entitlements, or privileges beyond those assigned to an identity, account, user, machine, or AI agent. Privilege escalation is a key stage of the cyberattack chain and typically involves the exploitation of a privilege escalation vulnerability, such as a system bug, misconfiguration, or inadequate access controls.
Privilege escalation attacks usually begin with a low-privilege foothold, such as a standard user account, then progress through credential, vulnerability, misconfiguration, malware, or social engineering paths. The attacker then uses gaps (vulnerabilities) reachable from this initial foothold to move laterally or upward until they reach a highly privileged account that can be used to perform illicit actions. There are five primary methods by which a threat actor navigates through an environment, escalates privileges, and eventually gains administrator or root privileges:
Credential exploitation
Vulnerabilities and exploits
Misconfigurations
Malware
Social engineering
The attack chain diagram below shows the primary techniques used by a threat actor, regardless of whether an insider or external threat, to begin their mission and propagate through an environment.
Depiction of a typical cyberattack chain. This one also illustrates the multiple points where BeyondTrust solutions break the attack chain, including privilege escalation and lateral movement.
Privilege escalation takes advantage of the fact that every local interactive session, remote access session, or agentic AI automation represents some form of privileged access, whether executed by a human or machine. This encompasses everything from guest privileges allowing local logon only, to administrator or root privileges for a remote session and potentially complete system control. Therefore, every account that interacts with a system has some privileges assigned.
How Do Privilege Escalation Attacks Start?
Privilege escalation attacks start when a threat actor gains an initial foothold through an exposed account, unpatched system, social engineering attempt, credential stuffing, generative AI assisted tactic, or supply chain weakness. They might leverage techniques like:
Faults in supply chain connectivity and solution updates
Once the initial infiltration has been successful, threat actors will typically perform surveillance and wait for the right opportunity to continue their nefarious activity.
Threat actors strive to pursue the path of least resistance. If time permits, they clean up their activities to remain undetected, such as by masking their source IP address or deleting logs based on the credentials they are using. They want to mask or remove any evidence of their presence, which reflects an indicator of compromise (IoC). Once an organization identifies an intrusion, they may monitor the intruder’s intentions and potentially pause or terminate the session based on the threat actor’s activity or resources that have been compromised.
The second step in the cyberattack chain involves escalating privilege to accounts with administrative, root, or higher-privileged rights than the account initially compromised. Of course, it’s possible the initial compromise involved an administrative or root account to begin with. If this is the case, a threat actor is further along in their malicious plans and may already own an environment beyond the ability to remediate the breach without a complete rebuild.
Horizontal vs. Vertical Privilege Escalation
Horizontal privilege escalation expands access across accounts at a similar privilege level, while vertical privilege escalation raises access from a lower-privilege foothold to higher-privileged control. Horizontal privilege escalation involves gaining access to the rights of another account—human or non-human (including machine identities, AI agents, etc.)—with similar privileges. Vertical privilege escalation involves an increase of privileges/privileged access beyond what a user, application, or other asset already has. This includes the confused deputy problem commonly found in agentic AI attacks.
Horizontal Privilege Escalation | Vertical Privilege Escalation
Also known as “account takeover” | Also known as “privilege elevation attack”
Involves gaining access to the rights of a different account with similar privileges | Involves increasing privileges or privileged access to a new level
The attacker’s goal is to broaden their sphere of access with similar privilege | The attacker’s goal is to move from a lower level of privileged access to a higher one
Can be relatively straightforward, as the attacker takes advantage of lower-level accounts (e.g., standard users) that may lack proper protection | Can require several intermediary steps to bypass / override privilege controls, exploit flaws, or obtain privileged credentials for other applications or the operating system itself.
For the fifth year in a row, Elevation of Privilege was the #1 vulnerability category in Microsoft environments.
There are five major privilege escalation attack examples that threat actors favor:
Credential exploitation, which takes advantage of compromised credentials to log into an account and leverage its privileges to move laterally.
Privileged vulnerabilities and exploits, which leave unpatched assets open for exploitation and further privilege escalation.
Misconfigurations, which are improperly configured system settings that can leave security flaws ripe for exploitation.
Malware, which can include living-off-the-land attacks that enable threat actors to perform surveillance and seek vertical privilege escalation paths.
Social engineering, which involves tricking humans into unintentionally granting the attacker an initial foothold, bypassing security controls and allowing a step deeper into the environment.
Next, let’s dive deeper into these five examples of privilege escalation attacks:
1. Credential Exploitation
Credential exploitation uses valid usernames, passwords, hashes, tokens, or secrets to access an account and inherit its assigned privileges. Once a threat actor knows the username, obtaining the account’s password becomes the remaining hacking exercise. Often, a threat actor will first target a systems administrator since their credentials frequently have privileges to directly access sensitive data and systems. With a sysadmin’s credentials and access, a cybercriminal can move laterally while arousing little or no suspicion since it is a trusted privileged account.
Once a threat actor has compromised credentials, every privilege the account has is now fair game for the attacker. If the threat actor is detected, an organization typically resets passwords as a high priority and reimages infected systems to mitigate the threat (especially if it involves servers). However, requesting a password change alone does not always resolve the incident because the method of obtaining the credentials in the first place may have involved other attack vectors, like malware or a compromised cell phone. These alternate methods provide the threat actor with a persistent presence until their infiltration has been fully eradicated.
Compromised credentials are the easiest privileged attack vector for a threat actor to achieve success. The accounts associated with credentials control almost every aspect of a modern information technology environment—from administrators to service accounts. Unfortunately, credential theft can be accomplished via password reuse attacks, memory-scraping malware, and innumerable other ways.
Privilege escalation from a standard user to administrator by way of credentials can happen using a variety of techniques described in this blog. Credentials compromised for the most sensitive accounts (domain, database administrator, etc.) can be a “game over” event for some companies. IT security teams should always scrutinize superuser accounts as well and identify them during a risk assessment for pathways to privileged access. Privileged account credentials are a prime attack vector for horizontal privilege escalation, and you should prioritize their protection over the course of your privileged access management (PAM) journey.
2. Privileged Vulnerabilities and Exploits
Privilege escalation vulnerabilities are code, design, implementation, or configuration weaknesses attackers can exploit to gain broader or higher-level access. Vulnerabilities can involve the operating system, applications, web applications, infrastructure, the cloud, and so on. They can also involve protocols, transports, and communications in between resources from wired networks, Wi-Fi, and tone-based radio frequencies (old school – i.e., 2600 club).
A vulnerability itself does not allow for a privileged attack vector to succeed; it just means a risk exists. Absent an exploit, a vulnerability is just a potential problem.
When it comes to actual exploits, some are only proof-of-concept, some are unreliable, while others are easily weaponized. Some exploits are included in commercial penetration testing tools or free, open-source hacking tools. In addition, some vulnerabilities are sold on the dark web to perpetrate cybercrimes. Other vulnerabilities are used exclusively by nation-states until they are patched or made public (intentionally or not).
Depending on the vulnerability, available exploit, and resources assessed with the flaw, the actual risk could be limited in scope, or an impending disaster. The combination of vulnerability, available exploit, exposure of resource, mitigating controls, and likelihood of an attack all contribute to how effectively a vulnerability can be leveraged against an organization. This helps formulate a risk score, such as using standards like CVSS.
It is important to note that only a small subset of vulnerabilities allows vertical privilege escalation as a part of the exploitation payload. However, if the vulnerability leads to an exploit that changes the security context (privilege escalation from one user’s permissions to another’s), the risk is a worrisome privileged attack vector.
Elevation of privilege vulnerabilities (which allow for vertical privilege escalation) are responsible for many of the worst exploits in recent years—including BlueKeep, WannaCry, and NotPetya. However, don’t be fooled: even exploitation with standard user privileges can inflict devastation in the form of ransomware or other vicious attacks. Fortunately, most exploits can be contained or mitigated by reducing privileges and minimizing the surface area for a cyberattack.
Exploits wreak the most havoc with the highest privileges, hence the security best practice recommendation to operate with least privilege and remove administrative rights from all end users and patch any critical vulnerabilities as soon as possible.
3. Misconfigurations
Misconfigurations create privilege escalation risk when system, application, cloud, or account settings expose access beyond intended permissions. These are flaws requiring mitigation, which involves a change in settings or in the runtime within the existing deployment that deflects (mitigates) the risk from being exploited. This differs from remediation, which implies the deployment of a software or firmware patch to correct the vulnerability before exploitation.
The most common configuration problems exploited for privileges involve accounts with poor default security settings. Examples of poor security settings include:
Blank or default passwords for administrator or root accounts established upon initial configuration.
Insecure access that is not locked down after an initial installation (often due to lack of expertise).
Undocumented backdoors into the environment.
Accounts only secured with single factor authentication and guessable or crackable passwords or secrets.
If the flaw is severe enough, a threat actor can gain root or administrator privileges with minimal effort.
Configuration errors in cloud resources, in particular, represent a rapidly growing source of privileged attacks for cloud, XaaS providers, and supply chains.
4. Malware
Malware can support privilege escalation by executing code, stealing credentials, disabling defenses, or enabling surveillance under a user or system security context. The intent can range from surveillance, data exfiltration, disruption, command and control, denial of service, configuration changes, all the way through extortion. Malware provides a vehicle for attackers to instrument cybercriminal activity.
Malware, like any other program, can potentially execute at any permission from standard user to administrator (root), based on the context it was originally executed within. Malware can install on a resource via:
Vulnerability and exploit combinations
Legitimate installers or bootlegged software or media
Weaknesses in the supply chain
Social engineering via phishing or drive-by Internet attacks.
Irrespective of the malware delivery mechanism, the motive is to execute code or commands on a resource. Once running, it becomes a race between detection by endpoint security vendors and threat actors to keep executing, evade discovery, and remain persistent. Modern malware continues evolving to better elude detection and disable cyber defenses to continue its proliferation.
Malware is just a transport vehicle to continue the propagation of a sustained attack. As such, malware ultimately needs permissions to obtain the target information sought after by the attacker. As an example, a malware subset that scrapes memory for password hashes, logs keystrokes, installs additional malicious software, or provides surveillance requires administrative privileges and typically appears after a successful privilege escalation. Once in place, that malware can be leveraged to perform additional privileged attacks in the future.
5. Social Engineering
Social engineering can start a privilege escalation attack by tricking a user into sharing credentials, installing malware, or approving access. If the lure (an email, message, or call) is well-crafted, and potentially even spoofs someone trusted, then the threat actor has already succeeded in the first step of an attack.
From a social engineering perspective, threat actors attempt to capitalize on a few key human traits to meet their goals:
Trustworthiness: The belief the correspondence, of any type, is from a trustworthy source.
Credulity: The belief the contents, as crazy or simple as they may be, are in fact real. This drives much of our behavior in believing “fake news”.
Sincerity: The intent of the content is in your best interest to respond or open.
Curiosity: The attack technique has not been identified (as part of previous training), or the person remembers the attack vector but does not react accordingly.
Laziness: The correspondence initially looks good enough, but investigating the URLs and contents for malicious activity does not seem worth the effort. This includes obvious misspellings that may be included and ignored in the contents.
If we consider each of these characteristics, we can appropriately train team members to improve resistance to social engineering attacks. The difficulty is overcoming human traits. For instance, if a team member is victimized by a social engineering attack, then the threat actor can gain access and potentially install malware, ransomware, or escalate privileges. Successful social engineering allows the employee to “open the door” for a threat actor to conduct their nefarious mission.
Which Operating Systems Are Vulnerable to Privilege Escalation?
Any operating system can be vulnerable to privilege escalation, although attack patterns differ across Windows, macOS, Unix, Linux, infrastructure, third-party applications, IoT, and IIoT assets. For instance, social engineering is a more common contributor to Windows privilege escalation attacks, since this OS is the most prevalent on end-user desktops. On the other hand, Unix and Linux privilege escalation attacks are rarely the result of social engineering, but rather misconfigurations, vulnerabilities and exploits, and targeted insider attacks.
Consider the Privilege Escalation by Operating System table below:
Operating System          Credential Exploitation   Vulnerabilities & Exploits   Misconfigurations   Malware   Social Engineering
Windows                   H                         H                            M                   H         H
macOS                     H                         H                            L                   H         H
Unix                      H                         H                            L                   L         L
Linux                     H                         H                            L                   M         M
Infrastructure            H                         M                            M                   M         M
Third-Party Applications  H                         H                            H                   H         H
IoT                       H                         M                            H                   L         L
IIoT                      H                         M                            H                   L         L
Table Legend:
H- High occurrence and probability of an attack vector with a wide variety of threats against the organization
M- Medium probability of an attack vector against an organization with a medium chance of wide scale success
L- Rare or infrequent occurrence of an attack against an organization and a low probability it would be successful
Note: There are always exceptions. For example, the Mirai botnet targeted IoT devices with malware, proving that remaining vigilant in low-risk scenarios for privilege escalation is still imperative.
As mentioned, credential exploitation can happen on any operating system and device. If credentials are exposed using any of the techniques we have discussed, then a privileged escalation can occur using any of the additional methods available to threat actors. No asset, application, or resource is immune to a credential-based attack. And none of them are immune from privileged escalation. By adopting technologies like Privileged Access Management (PAM), Single Sign On (SSO) and Multi-Factor Authentication (MFA), organizations can mitigate risk. When this is combined with good cybersecurity hygiene like segmentation, zero trust architectures, patch management, vulnerability management, and change control, a strong defense-in-depth emerges. But remember, none of these security practices are ever 100% effective.
Common Privilege Escalation Attack Vectors
Common privilege escalation attack vectors are the methods attackers use to gain access, manipulate credentials, alter security context, or establish persistence before escalating privileges. This can include everything from installing malware, altering files or data, or even establishing some form of persistent reconnaissance. Examples of common privilege escalation attack vectors include:
Password hacking, in which programmatic techniques and automation are used to find and illicitly use an account’s password.
Password guessing, in which attackers make educated guesses to break into someone’s account.
Shoulder surfing, in which a threat actor observes passwords, pins, and swipe patterns in person, in order to uncover and repeat someone’s login information.
Brute force attacks, in which a threat actor uses automated tools to run a long list of potential passwords and discover if any of them work for logging onto an account.
Pass-the-Hash, in which an attacker uses the hash associated with a user’s password to authenticate to various systems.
Credential stuffing, in which the attacker uses a known password to attempt to log onto other accounts owned by the same person
Password spraying, in which the attacker attempts to use a single, common password to log onto several accounts at once
Password changes and resets, in which the threat actor initiates a password change and uses this new password to log onto a user’s account. They might use security questions to do so.
Access token manipulation, in which an attacker modifies access tokens, allowing them to operate under a different user or system security context and to perform actions and bypass access controls.
UAC (User Account Control) bypass techniques, in which an attacker can elevate running process privileges on a Windows system.
Identity enumeration, in which an attacker searches for valid accounts in order to pair them with other password exploitation techniques and, ultimately, log in.
Malware, in which a threat actor executes malicious software in order to damage devices, steal data, perform reconnaissance, etc.
Generative AI, which can fast-track and improve the success of all of the above attack vectors.
Privilege escalation attack vectors arguably represent the worst cyber threats because through them, an attacker can become the administrator and owner of all the information technology resources within your company. And with this power, your data, assets, applications, and resources can potentially fall under some form of external control and manipulation.
Let’s take a closer look at these common methods by which privileges and credentials are compromised, and hence, stolen and leveraged for escalation.
Password Hacking
Password hacking uses programmatic techniques and automation to discover, test, or misuse account passwords for unauthorized access. These attacks can lead to administrator privileges if the account has been granted these rights. This represents another reason to limit the number of administrator accounts in an environment and enforce least privilege. If the account is an administrator, the threat actor can easily circumvent other security controls, achieve lateral movement, and opportunistically attempt to crack other privileged account passwords.
Password Guessing
Password guessing attempts to access an account by testing likely passwords based on common patterns, reused credentials, or information about the target identity. A random guess is rarely successful unless it is a common password or based on a dictionary word. Flat-out guessing is somewhat of an art, but knowing information about the target identity enhances the likelihood of a successful guess. Relevant information can be gathered via social media, direct interaction, deceptive conversation, or even data gleaned and merged or aggregated from prior breaches. Password guessing attacks also tend to leave evidence in event logs and result in auto-locking of an account after “n” attempts.
In addition, if the account holder reuses passwords between resources, then the risks of password guessing and lateral movement dramatically increase. Imagine a person who uses only one or two base passwords everywhere—for all their digital presence and privileged accounts. Unfortunately, this happens all the time!
Shoulder Surfing
Shoulder surfing exposes credentials when a threat actor observes passwords, PINs, swipe patterns, or written login details. The shoulder surfing concept is simple, yet ancient. A threat actor watches physically, or with the aid of an electronic device like a camera, for passwords and later reuses them for an attack. Therefore, we should all be mindful of shielding the entry of our ATM PIN.
Brute Force Password Attacks
Brute force password attacks use automated attempts to test possible password combinations until one works or controls block the attempt.
In a dictionary attack, a subset of brute force attacks, the attacker uses a list, or ‘dictionary’, of common words to crack a password. Some advanced attack techniques even mix in numbers or common symbols at the beginning or end of each attempt to mimic a real-world password with complexity requirements.
Brute force attacks are efficient for passwords that are short in string (character) length and complexity but can become infeasible—even for the fastest modern systems—with a password of eight characters or more. If a password only has eight English alphabetical characters, all in capitals or all in lowercase (not mixed), it will take 8,031,810,176 guesses. You have a better chance of winning the lottery! This estimation also assumes the threat actor knows the length of the password and the complexity requirements. Other factors include numbers, case sensitivity, and special characters in the localized language.
While a brute force attack with the proper parameters will eventually find the password, the time and computing power required may render the brute force test futile. And the time it takes to perform the attacks is not only based on the speed required to generate all the possible password permutations, but also the challenge and response time of a failure on the target system. The response lag time is what really matters when trying to brute force a password.
The most common methods to mitigate the threat of a dictionary attack are account lockout thresholds (locking after a set number of failed attempts) and password complexity policies. However, in many environments, especially for non-human accounts, account lockouts can hamper business runtime. Therefore, many disable this security setting. Consequently, if logon failures are not being monitored in event logs, a brute force attack can be more effective. This is especially true if privileged accounts do not have this setting enabled as a mitigation strategy and MFA is not enabled.
Pass-the-Hash (PtH)
Pass-the-Hash is a credential-based technique that lets an attacker authenticate with an NT LAN Manager hash instead of a plaintext password. After a threat actor obtains a valid username and hash for the password using a variety of techniques, like scraping a system’s active memory, they can use the credentials to authenticate to a remote server or service using LM or NTLM authentication.
PtH attacks exploit an implementation weakness in the authentication protocol, where the password hash remains static for every session until the password itself is changed. You can perform a PtH against almost any server or service accepting LM or NTLM authentication, regardless of whether the resource is using Windows, Unix, Linux, or another operating system. Unfortunately, modern malware can contain techniques to scrape memory for hashes, making any active-running user, application, service, or process a potential target. Once you obtain the hash, command and control or other automation allows for additional lateral movement (horizontal) or data exfiltration.
Modern systems can defend against Pass-the-Hash attacks in a variety of ways. However, changing the password frequently (after every interactive session) is a good defense to keep the hash different between the sessions. Password management solutions that frequently rotate passwords or customize the security token are good defenses against this technique.
Credential Stuffing
Credential stuffing uses stolen username and password pairs to test whether users reused the same credentials across other systems or applications. The technique generally involves automation to submit login requests against an application and to capture successful login attempts for future exploitation.
Credential stuffing attacks do not attempt to brute force or guess any passwords. In these attacks, the threat actor automates authentication based on previously discovered credentials. The result can be millions of attempts to determine where a user potentially reused their credentials on another website or application. Credential stuffing attacks prey on password reuse and are only effective because so many users reuse the same credential combinations across multiple sites.
Password Spraying
Password spraying tests one or a few common passwords across many accounts to reduce lockout risk and evade single-account detection patterns. This is conceptually the opposite of a brute force password attack.
During a password-spray attack, the threat actor attempts a single, commonly used password (such as “12345678” or “Passw0rd”) against many accounts before moving on to attempt a second password. Essentially, the threat actor tries every user account in their list with the same password before resetting the list and trying the next password. This technique minimizes the risk of the threat actor being caught, avoids account lockouts, and evades hacking detection on a single account due to the time between attempts.
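The two sections above (brute force and password spraying) both end on the same defensive point: the attack leaves a trace in logon-failure events, and the trace looks different for each technique. The following is an added example written for this article, not BeyondTrust code. It runs a simple classifier over a constructed, key=value authentication log (the format, hosts and account names are assumptions for the illustration; a real deployment would parse Windows 4625 events or sshd logs instead): many failures against one account from one source within a window is reported as brute force, while one or two failures each against many accounts from one source is reported as a spray. It also reports any subsequent successful logon from a flagged source, which is the event a responder most wants to see.

```python
"""Classify failed-logon patterns as brute force or password spraying.

Added illustration for this article; not BeyondTrust code. The log format
below is constructed for the example (one record per line, key=value pairs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a spray from 203.0.113.7 (one try per account,
# many accounts, then one success) and a brute force from 198.51.100.9
# (many tries against one account). 10.0.0.5 is a user mistyping once.
SAMPLE_LOG = """\
2026-01-16T08:00:01Z user=alice src=203.0.113.7 result=FAIL
2026-01-16T08:00:04Z user=bob src=203.0.113.7 result=FAIL
2026-01-16T08:00:07Z user=carol src=203.0.113.7 result=FAIL
2026-01-16T08:00:10Z user=dave src=203.0.113.7 result=FAIL
2026-01-16T08:00:13Z user=erin src=203.0.113.7 result=FAIL
2026-01-16T08:00:16Z user=frank src=203.0.113.7 result=FAIL
2026-01-16T08:00:19Z user=svc_backup src=203.0.113.7 result=SUCCESS
2026-01-16T08:01:00Z user=admin src=198.51.100.9 result=FAIL
2026-01-16T08:01:01Z user=admin src=198.51.100.9 result=FAIL
2026-01-16T08:01:02Z user=admin src=198.51.100.9 result=FAIL
2026-01-16T08:01:03Z user=admin src=198.51.100.9 result=FAIL
2026-01-16T08:01:04Z user=admin src=198.51.100.9 result=FAIL
2026-01-16T08:01:05Z user=admin src=198.51.100.9 result=FAIL
2026-01-16T08:01:06Z user=admin src=198.51.100.9 result=FAIL
2026-01-16T08:05:00Z user=alice src=10.0.0.5 result=FAIL
2026-01-16T08:05:20Z user=alice src=10.0.0.5 result=SUCCESS
"""


def parse_events(text):
    """Turn the key=value log into a list of dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def classify_sources(events, window=timedelta(minutes=10), brute_threshold=5,
                     spray_min_accounts=5, spray_max_per_account=2):
    """Return {src: finding} for every source whose failures fit a pattern.

    Thresholds are assumptions for the example; tune them to the environment.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)

    findings = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window so fails[start:end+1] spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f["user"]] += 1
            top_user = max(per_user, key=per_user.get)
            if per_user[top_user] >= brute_threshold:
                findings[src] = {"pattern": "brute_force", "account": top_user,
                                 "failures": per_user[top_user]}
            elif (len(per_user) >= spray_min_accounts
                  and per_user[top_user] <= spray_max_per_account):
                findings[src] = {"pattern": "password_spray",
                                 "accounts": len(per_user),
                                 "failures": end - start + 1}
    return findings


def successes_from_flagged(events, findings):
    """Successful logons from sources already flagged: the highest-priority alert."""
    return [(e["src"], e["user"]) for e in events
            if e["result"] == "SUCCESS" and e["src"] in findings]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    found = classify_sources(evs)
    for src, info in found.items():
        print(src, info)
    print("successes from flagged sources:", successes_from_flagged(evs, found))
```

The spray source never trips a per-account lockout (one failure per account), which is exactly why a per-account failure counter alone misses it; the classifier keys on the number of distinct accounts per source instead. The brute force source is the opposite shape and would be caught by an ordinary lockout threshold if one were enabled.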
Password Changes and Resets
How often do you change your passwords? Every 30 or 90 days when prompted to at work? How about at home? How often do you rotate passwords for your banking, e-commerce, streaming, or social media accounts? Probably not often, if ever, and surprisingly, that might be okay!
Without a password manager, keeping all of one’s passwords unique and complex is a daunting task—even for the most seasoned security professional.
Unfortunately, there is a common risk in resetting (not to be confused with changing) passwords that makes them targets for threat actors. Resetting a password is the act of a forced password change by someone else—not a change initiated by the password user. Risks associated with password resets include:
Easily guessable, pattern-based passwords (as described earlier) when reset
Passwords reset via email or text message and kept by the end user
Passwords reset by the help desk that are reused every time a password reset is requested
Automated password resets blindly given due to account lockouts
Passwords that are verbally communicated and can be heard aloud
Complex password resets that are written down by the end user
Easily guessable security questions that allow account changes and password resets
Anytime a password is reset, there is an implicit acknowledgment that the old password is at risk and needs to be changed. Perhaps it was forgotten, expired, or triggered a lockout due to numerous failed attempts. The reset, transmission, and storage of the new password are a risk until the password is changed again by the end user.
When an identity has been compromised, a threat actor may request a password reset. The attacker then creates their own credentials for the account. Anytime a user requests a password reset, the following best practices should be implemented:
The password should be random and meet the complexity requirements per business policy.
The password should be changed by the end user after the first logon and require, if implemented, two-factor or MFA to validate.
Password reset requests should always come from a secure location.
Public websites for businesses (not personal) should never have “Forgot Password” links.
Password resets via email assume the end user maintains access to email in order to receive the new password. If the email password itself requires resetting, another method needs to be established.
Do not use SMS text messages—they are not sufficiently secure for sending password reset information.
If possible, password resets should be ephemeral. That is, the password reset should only be active for a predefined duration. If the end user has not accessed the account again within the predefined amount of time, an account lockout will occur.
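The best-practice list above describes a reset flow with four properties: a random password that meets policy, a forced change by the end user on first logon, no reuse of the temporary value, and an ephemeral lifetime after which the account locks. The following is an added example that implements those properties in one small service; it is written for this article and is not BeyondTrust code. The in-memory account store, the 16-character length, the 15-minute validity window and the PBKDF2 parameters are assumptions chosen for the illustration.

```python
"""Ephemeral, forced-change password resets.

Added example for this article, not BeyondTrust code. Account storage is an
in-memory dict; RESET_TTL, RESET_LENGTH and the PBKDF2 iteration count are
assumed values for the illustration.
"""
import hashlib
import hmac
import os
import secrets
import string
from datetime import datetime, timedelta

RESET_TTL = timedelta(minutes=15)      # reset password is only valid this long
RESET_LENGTH = 16
SYMBOLS = "!@#$%^&*-_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def meets_policy(pw):
    """Length plus all four character classes; stands in for business policy."""
    return (len(pw) >= RESET_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def generate_reset_password():
    """Draw from a CSPRNG until the value satisfies every class requirement."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(RESET_LENGTH))
        if meets_policy(pw):
            return pw


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)
    return salt, digest


class ResetService:
    def __init__(self):
        self.accounts = {}  # user -> {salt, digest, must_change, expires, locked}

    def issue_reset(self, user, now):
        """Create a temporary password; the caller delivers it out of band."""
        pw = generate_reset_password()
        salt, digest = hash_password(pw)
        self.accounts[user] = {"salt": salt, "digest": digest,
                               "must_change": True, "expires": now + RESET_TTL,
                               "locked": False}
        return pw

    def authenticate(self, user, pw, now):
        """Returns 'ok', 'must_change', 'locked' or 'denied'."""
        rec = self.accounts.get(user)
        if rec is None or rec["locked"]:
            return "denied"
        if rec["must_change"] and now > rec["expires"]:
            rec["locked"] = True   # reset never used in time: lock the account
            return "locked"
        _, digest = hash_password(pw, rec["salt"])
        if not hmac.compare_digest(digest, rec["digest"]):
            return "denied"
        return "must_change" if rec["must_change"] else "ok"

    def change_password(self, user, old_pw, new_pw, now):
        """End-user change after first logon; clears the temporary state."""
        if self.authenticate(user, old_pw, now) not in ("must_change", "ok"):
            return False
        if not meets_policy(new_pw):
            return False
        rec = self.accounts[user]
        rec["salt"], rec["digest"] = hash_password(new_pw)
        rec["must_change"] = False
        rec["expires"] = None
        return True


if __name__ == "__main__":
    svc = ResetService()
    t0 = datetime(2026, 1, 16, 9, 0, 0)
    temp = svc.issue_reset("alice", t0)
    print("first logon:", svc.authenticate("alice", temp, t0 + timedelta(minutes=1)))
    print("changed:", svc.change_password("alice", temp, "Str0ng-Correct-Horse!", t0 + timedelta(minutes=1)))
    print("later logon:", svc.authenticate("alice", "Str0ng-Correct-Horse!", t0 + timedelta(days=1)))
```

The temporary password never appears in the store or the logs, only its salted hash; a help-desk operator who issues it cannot later reuse it because the forced change replaces the hash, and an unused reset turns into a locked account rather than a standing credential. MFA at the first logon, as the list recommends, would sit in front of `authenticate` and is omitted here.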
While changing passwords frequently remains a security best practice for privileged accounts, resetting passwords and transmitting them through unsecure mediums is not. For the individual, a simple password reset can be the difference between a threat actor trying to own your account and a legitimate reason.
Access Token Manipulation
Access token manipulation abuses the way Microsoft Windows assigns security context to processes, allowing an attacker to impersonate another user or process. An attacker can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to a user other than the one who started the process. If this occurs, the process also takes on the security attributes associated with the new token.
The Windows API allows for a threat actor to copy access tokens from existing processes. This is called token stealing. Applying stolen tokens to an existing process or using them to spawn a new process is analogous to theft or impersonation in the real world. Fortunately, a threat actor needs to be an administrator to steal a token.
However, threat actors commonly use token theft to elevate the processes of their profile from the administrator to operating as SYSTEM. In addition, a stolen token can be used for lateral movement to authenticate to a remote system if the account for that token can authenticate as a valid user on the remote system. As an example, any standard user can use the “RunAs” command via the user interface or command line, and the Windows API functions, to create an impersonation token. Actual administrator access to an account is not a requirement. Therefore, this provides a method for a privileged attack if a threat actor has local access to a host.
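The indicators described above, a process handed a token that belongs to another account and a user obtaining a logon as a different account through RunAs, leave traces in the Windows Security log. The Python below is an added example, not code from the original post or from BeyondTrust: it runs three checks over a handful of constructed, flattened events. The field names (SubjectUserName, TargetUserName, LogonType, NewProcessName, TargetServerName) follow the Windows Security log, and the event semantics (4688 Target Subject set when a process runs as a different account, 4624 logon type 9 for NewCredentials, 4648 for explicit credentials) are real, but the records themselves are constructed and the severity tiers are this example's own heuristic.

```python
"""Detection sketch for access token manipulation indicators in Windows
Security events.

Added example. The events below are constructed and flattened to the few
fields the checks use (real events carry many more). SubjectUserName is the
creator or caller; TargetUserName is the account the new process or logon
runs as.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    record: int
    severity: str
    reason: str


def check_process_creation(ev: Dict) -> Optional[Finding]:
    """Event 4688: Target Subject is filled in when the new process runs under
    an account other than its creator's, which is what CreateProcessWithTokenW
    or CreateProcessAsUser with a duplicated token produces."""
    creator = ev.get("SubjectUserName", "")
    target = ev.get("TargetUserName", "")
    if target in ("", "-") or target == creator:
        return None
    proc = ev.get("NewProcessName", "?")
    reason = f"{creator} spawned {proc} as {target}"
    if target.upper() in SERVICE_ACCOUNTS and creator.upper() not in SERVICE_ACCOUNTS:
        # a user-owned process producing a SYSTEM process: admin -> SYSTEM token theft
        return Finding(4688, ev["Record"], "high", reason)
    if creator.upper() in SERVICE_ACCOUNTS:
        # services (Task Scheduler, seclogon behind runas) legitimately start
        # processes as users; keep as low-severity context only
        return Finding(4688, ev["Record"], "low", reason)
    return Finding(4688, ev["Record"], "medium", reason)


def check_logon(ev: Dict) -> Optional[Finding]:
    """Event 4624 with logon type 9 (NewCredentials): the caller keeps its own
    token but attaches other credentials for outbound network access, as
    runas /netonly and LOGON32_LOGON_NEW_CREDENTIALS do. The alternate account
    itself is recorded in the paired 4648 event, not here."""
    if str(ev.get("LogonType")) != "9":
        return None
    return Finding(4624, ev["Record"], "medium",
                   f"NewCredentials logon requested by {ev.get('SubjectUserName')}")


def check_explicit_credentials(ev: Dict) -> Optional[Finding]:
    """Event 4648: a logon with explicitly supplied credentials (runas,
    LogonUser). Only interesting when the identity actually changes."""
    subject, target = ev.get("SubjectUserName", ""), ev.get("TargetUserName", "")
    if not target or target == subject:
        return None
    return Finding(4648, ev["Record"], "medium",
                   f"{subject} used explicit credentials for {target} against {ev.get('TargetServerName', '?')}")


CHECKS = {4688: check_process_creation, 4624: check_logon, 4648: check_explicit_credentials}


def analyze(events: List[Dict]) -> List[Finding]:
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Record": 1, "SubjectUserName": "alice", "TargetUserName": "-",
     "NewProcessName": r"C:\Windows\notepad.exe"},                        # normal
    {"EventID": 4688, "Record": 2, "SubjectUserName": "alice", "TargetUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},                   # admin -> SYSTEM
    {"EventID": 4624, "Record": 3, "LogonType": 2, "SubjectUserName": "SYSTEM",
     "TargetUserName": "alice"},                                          # interactive logon
    {"EventID": 4624, "Record": 4, "LogonType": 9, "SubjectUserName": "alice",
     "TargetUserName": "alice"},                                          # runas /netonly
    {"EventID": 4648, "Record": 5, "SubjectUserName": "alice", "TargetUserName": "svc_backup",
     "TargetServerName": "fileserver01"},                                 # explicit creds
    {"EventID": 4688, "Record": 6, "SubjectUserName": "SYSTEM", "TargetUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\taskhostw.exe"},             # service -> user
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.event_id} #{f.record}: {f.reason}")
```

Record 2 is the case the text calls out: an administrator's process handing out a SYSTEM process. Record 6 shows why the creator/target mismatch alone is too noisy to alert on; services start user processes all day, so the example only keeps it as context. Tuning for a real estate means allow-listing known service-to-user creators and correlating 4624 type 9 with its 4648 partner.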
UAC (User Account Control) bypass techniques
UAC (User Account Control) bypass techniques allow attackers to elevate process privileges by abusing Windows elevation behavior or trusted process execution paths. UAC lets a program elevate its privileges and perform an administrative task after prompting the user to approve the change to its runtime permissions. Depending on configuration and on who is logged on, the UAC prompt leads to one of these outcomes:
The user denies the operation and the elevation request fails
The user, a member of the local Administrators group, consents and the operation proceeds with an elevated token
The user is prompted for the credentials of an account that has the privileges needed to continue.
Depending on the UAC protection level configured on the computer (only the highest setting, “Always notify”, prompts for every elevation), certain Windows binaries and COM interfaces are allowed to auto-elevate without prompting the user. A threat actor can bypass UAC when the level has been lowered below “Always notify” for application compatibility or usability, typically by abusing one of these auto-elevating components. Malicious code may also be injected into a trusted, already-elevated process, or launched through a trusted execution path, to gain elevated privileges without any prompt, which makes this privileged attack vector a prime choice for exploitation.
Identity Enumeration
Identity enumeration helps attackers confirm valid accounts before pairing those identities with password attacks, credential stuffing, or other privilege escalation techniques. User enumeration is often associated with web-based applications, but it can appear in any application that uses traditional username-and-credential authentication. Two of the most common places where user enumeration occurs are:
An application login page, based on the response to a failed authentication
“Forgot Password” functionality that either triggers a workflow or replies “no account found”
Essentially, the threat actor is watching how the server responds to submitted credentials to determine whether the account they tried is valid. Many applications give this away.
When the user enters a valid username and an invalid password, the server returns a response saying the password is incorrect. If the threat actor enters an invalid username, regardless of the password, typical applications respond with “no account found”. Consequently, a threat actor can determine whether an attempt is using a valid account with an incorrect password, or an account that will never authenticate. With automation and brute-force checks, they can enumerate the valid accounts for a resource, then attempt future privileged attacks based on common passwords, reused passwords, or credentials gleaned from previous breaches.
Finally, if the threat actor can determine the naming pattern for a company (e.g., first initial plus last name), building an enumeration list becomes much easier.
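The enumeration oracle described in this section and the ephemeral, random password reset recommended in the password reset guidance earlier can both be shown against one small user store. The Python below is an added example, not the post's own code: login_leaky answers differently for an unknown account and a wrong password, while login and forgot_password answer identically in both cases; the reset token is random, kept only as a hash, expires after RESET_TTL_SECONDS (an assumed 15-minute policy) and is consumed on use. The user store, usernames and passwords are constructed.

```python
"""Enumeration-resistant login and password reset against a constructed user
store. Added example: a leaky login next to a hardened one, plus an ephemeral,
single-use reset token flow."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60          # assumed policy: reset valid for 15 minutes
GENERIC_LOGIN_ERROR = "invalid username or password"
GENERIC_RESET_MSG = "If that account exists, reset instructions have been sent"


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    reset_hash: Optional[bytes] = None   # only a hash of the reset token is stored
    reset_expires: float = 0.0


class Store:
    def __init__(self, creds: Dict[str, str]) -> None:
        self.users: Dict[str, User] = {}
        for name, pw in creds.items():
            salt = secrets.token_bytes(16)
            self.users[name] = User(salt, _hash(pw, salt))

    # Leaky: two different failure messages tell the attacker which usernames exist.
    def login_leaky(self, username: str, password: str) -> str:
        u = self.users.get(username)
        if u is None:
            return "no account found"
        if hmac.compare_digest(_hash(password, u.salt), u.pw_hash):
            return "ok"
        return "password incorrect"

    # Hardened: one failure message, and the password is hashed even for an
    # unknown user so the two failure paths take comparable time.
    def login(self, username: str, password: str) -> str:
        u = self.users.get(username)
        salt = u.salt if u else b"\0" * 16
        candidate = _hash(password, salt)
        if u is not None and hmac.compare_digest(candidate, u.pw_hash):
            return "ok"
        return GENERIC_LOGIN_ERROR

    def forgot_password(self, username: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
        """Same message whether or not the account exists. A token is issued
        only for real accounts; it is random, stored hashed, and expires.
        The plaintext token is returned here only so the example can exercise
        it; in production it reaches the user out of band (not over SMS)."""
        now = time.time() if now is None else now
        u = self.users.get(username)
        token = None
        if u is not None:
            token = secrets.token_urlsafe(32)
            u.reset_hash = hashlib.sha256(token.encode()).digest()
            u.reset_expires = now + RESET_TTL_SECONDS
        return GENERIC_RESET_MSG, token

    def complete_reset(self, username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        u = self.users.get(username)
        if u is None or u.reset_hash is None:
            return False
        if now > u.reset_expires:            # ephemeral: an expired token is discarded
            u.reset_hash, u.reset_expires = None, 0.0
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), u.reset_hash):
            return False                     # wrong token; 256 random bits defeat guessing
        u.reset_hash, u.reset_expires = None, 0.0   # single use
        u.salt = secrets.token_bytes(16)
        u.pw_hash = _hash(new_password, u.salt)
        return True


def enumerate_accounts(store: Store, candidates: List[str], leaky: bool) -> List[str]:
    """What an attacker does with each endpoint: keep every username whose
    failure message differs from the one an unknown account produces."""
    login = store.login_leaky if leaky else store.login
    unknown = login("definitely-not-a-user", "x")
    return [c for c in candidates if login(c, "x") != unknown]


# Constructed sample data (not real accounts).
STORE = Store({"jsmith": "Winter2025!", "mjones": "correct horse battery"})
CANDIDATES = ["jsmith", "mjones", "bwayne", "ckent"]

if __name__ == "__main__":
    print("leaky endpoint reveals:", enumerate_accounts(STORE, CANDIDATES, leaky=True))
    print("hardened endpoint reveals:", enumerate_accounts(STORE, CANDIDATES, leaky=False))
```

Against the leaky endpoint the candidate list collapses to the two real accounts; against the hardened one it yields nothing. The dummy hash on the unknown-user path matters as much as the uniform message: an endpoint that returns instantly for unknown users and after a PBKDF2 round for known ones is still an oracle, just a timing one.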
Malware
Malware operates as a privilege escalation vector when it steals data, captures credentials, executes commands, or changes system behavior. It reaches a system in several ways: a threat actor might install it through a misconfiguration or security flaw, or use social engineering to trick a user into installing it, as with a Trojan. From there, the malware might deny access to files (ransomware), display unwanted or illegal ads (adware), perform a set of malicious tasks (bots), execute malicious commands through trusted applications, or conduct surveillance on a user’s activity (spyware).
Generative AI
Generative AI can accelerate privilege escalation by improving social engineering lures, malware development, asset enumeration, and attacker automation, letting threat actors produce malicious content that would otherwise have been too time-consuming or difficult to create. Generative AI also plays an important role on the defensive side, in advanced threat hunting, visibility into agentic AI, and behavioral analysis of human and machine accounts. The goal is to use AI defensively to balance the AI-assisted techniques available to threat actors.
How to Prevent and Stop Privilege Escalation Attacks
Organizations prevent and limit privilege escalation by managing identities, enforcing least privilege, reducing standing access, controlling applications, monitoring privileged sessions, hardening systems, and managing vulnerabilities. Implementing an identity-centric approach and privileged access management controls will help your organization protect against the broadest range of attacks and go the furthest to reducing the attack surface. Here are some best practices:
Fully manage the identity lifecycle, including provisioning and de-provisioning of identities and accounts to ensure there are no orphaned accounts to hijack. This is true for human, machine (non-human), and agentic AI identities.
Use a password and secrets management solution to consistently apply strong credential management practices (discovery, vaulting, central management, check-in, check-out) for both humans and machines, including AI agents. This also entails eliminating default and hardcoded credentials.
Enforce least privilege by removing admin rights from users and reduce application, machine, and agentic AI privileges to the minimum required. Just-in-time access should also be implemented to reduce persistent or standing privileges.
Apply advanced application control and protection to enforce granular control over all application access, communications, and privilege elevation attempts.
Monitor and manage all privileged sessions to detect and quickly address any suspicious activity that might indicate a hijacked account or an illicit attempt at privilege escalation or lateral movement.
Harden systems and applications by changing configurations, removing unnecessary rights and access, closing unused ports, and so on. Hardening reduces the exposure of bugs that allow injection of malicious code (e.g., SQL injection), buffer overflows, and other backdoors that could enable privilege escalation.
Manage vulnerabilities by continuously identifying and addressing vulnerabilities, such as with patching, fixing misconfigurations, eliminating default and/or embedded credentials, etc.
Monitor secure remote access by managing all forms of privileged access, as attacks can occur horizontally and vertically to exploit privileges.
How BeyondTrust Helps Organizations Defend Against Privilege Escalation
As we’ve seen throughout this post, privilege escalation relies on a wide variety of pathways that can lead from less-protected, standard accounts, all the way up to admin / root privileges. So, it’s clear that defending against privilege escalation starts with discovering and protecting these direct and indirect pathways across your entire identity estate.
BeyondTrust empowers organizations to know and defend their Paths to Privilege™: the pathways to escalate privilege that enable attackers to gain footholds, compromise identities, and move laterally. We provide Privileged Access Management (PAM) and Identity Threat Detection and Response (ITDR) solutions that offer proactive and reactive defense across domains.
Privilege escalation is a cyberattack where a threat actor gains rights, permissions, or entitlements beyond their assigned scope. Attackers commonly exploit vulnerabilities, misconfigurations, weak access controls, or compromised credentials to move from limited access to broader or higher-privileged access.
The two types are vertical privilege escalation and horizontal privilege escalation. Vertical escalation raises access from a lower-privilege account to administrator or root-level control. Horizontal escalation expands access to another account or identity with similar privilege levels.
Organizations detect privilege escalation by reviewing authentication activity, failed login spikes, unexpected privilege changes, abnormal admin activity, unusual command or process behavior, credential changes, privileged sessions, endpoint logs, and Identity Threat Detection and Response signals.
Privilege escalation can let attackers move from a low-level foothold to sensitive systems, applications, data, or administrator-level control. This can support lateral movement, credential theft, malware execution, data access, and misuse of privileged accounts.
Common privilege escalation attack vectors include credential exploitation, vulnerabilities and exploits, misconfigurations, malware, social engineering, access token manipulation, password spraying, credential stuffing, Pass-the-Hash, and User Account Control bypass techniques.
A real-world example of privilege escalation was found by BeyondTrust Phantom Labs in May 2025 within Entra ID. An attacker can follow these steps to escalate privileges in a target system and gain the ability to perform illicit actions:
Signing up for an Azure free trial and creating their own subscription (no privilege, in relation to target system)
Receiving a guest account invite from the target system (minimal privileges within target system)
Holding an ‘owner’ designation within the target system, because they remain the owner of their own subscription (higher privileges within the target system)
Leveraging this level of permissions to continue vertical privilege escalation, such as through identity enumeration, policy modification, etc. (even higher privileges within target system)
About the Author
Morey J. Haber
Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored five books: Attack Vectors: The History of Cybersecurity, Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 13-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board to assist the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.