IronSights

Detection & response

Privilege escalation

A technique used by attackers to gain higher levels of system access than initially obtained, moving from a standard user account to administrator or SYSTEM-level privileges.

Also known asprivescprivilege elevation

In plain English

Privilege escalation is how attackers go from limited access to full control. Starting with a compromised regular user account, they exploit vulnerabilities or misconfigurations to elevate to administrator — unlocking the ability to disable security tools, access all data, and establish persistence across the environment.

Full definition

Most attackers land inside a network with limited access: a standard user account compromised through , or a service account with narrow permissions. Privilege escalation is how they move from that foothold to something useful. Common methods include exploiting unpatched local vulnerabilities, abusing misconfigured services that run as SYSTEM, extracting cached credentials from memory using tools like Mimikatz, or finding hardcoded admin passwords in scripts left on shared drives.

In a Windows environment, the target is usually Domain Admin. Once an attacker holds those credentials, they can read any mailbox, disable endpoint protection across the fleet, create new accounts, and deploy via group policy. The gap between initial access and Domain Admin can be hours. On networks where workstations run as local admins and patch cycles are long, it can be minutes.

Why Domain Admin is the target

2 addresses this directly through two controls: restricting administrative privileges to accounts that genuinely need them, and keeping operating systems and applications patched to close the vulnerabilities that escalation exploits. In practice, separating daily-use accounts from admin accounts is the single change that raises the cost of escalation most significantly. An attacker who compromises a user account that cannot install software, access other machines, or modify system settings has far fewer paths forward.

  • Unpatched local privilege escalation vulnerabilities in operating systems or third-party software
  • Misconfigured services running with excessive system permissions
  • Credential dumping from memory on compromised workstations
  • Hardcoded or reused passwords in scripts, config files, or shared drives

Keep learning

More terms in the IronSights Glossary.