What Is Privilege Escalation and Why Is It Critical?

Privilege escalation is how attackers elevate access from a standard user to administrator, root, or domain admin. It occurs in 78% of successful breaches (CrowdStrike Threat Report, 2025). MITRE ATT&CK designates it as TA0004, with 14 techniques and 78 sub-techniques covering Windows, Linux, macOS, and cloud environments. Attackers who reach domain admin achieve their objectives 94% of the time (Mandiant M-Trends, 2025). Median time from initial access to privilege escalation: 1.7 days.

In red team engagements, demonstrating privilege escalation paths is one of the highest-value deliverables. It turns abstract misconfigurations and patching gaps into concrete proof that an attacker can own your environment. Across our engagements, AD Certificate Services misconfigurations appear in 67% of Active Directory environments (CREST, 2025), making them one of the most reliable escalation paths.

For red teamers, demonstrating privilege escalation paths is one of the most valuable outcomes of an engagement. It reveals the real-world impact of misconfigurations, unpatched vulnerabilities, and inadequate access controls that might otherwise be dismissed as theoretical risks. According to MITRE’s ATT&CK data, TA0004 contains 14 primary techniques and 78 sub-techniques, reflecting the enormous variety of methods available for escalating privileges across Windows, Linux, macOS, and cloud environments.

“Privilege escalation is where a foothold becomes a breach. The speed and ease with which an attacker can escalate privileges often determines whether an intrusion remains a minor incident or becomes a catastrophic compromise.” — Dmitri Alperovitch, Co-Founder and Chairman of Silverado Policy Accelerator, CrowdStrike 2025 Threat Report.

What Is the Difference Between Local and Domain Privilege Escalation?

Privilege escalation is broadly categorized into two types: local privilege escalation (elevating privileges on a single system) and domain/network privilege escalation (gaining higher privileges across the network or domain). Understanding this distinction is essential for both planning red team operations and implementing effective defenses.

Local Privilege Escalation

Local privilege escalation involves gaining higher permissions on the specific system where the attacker currently has access. This typically means escalating from a standard user account to local administrator (Windows) or root (Linux/macOS). Local escalation is often the first step after initial access, providing the attacker with the ability to:

  • Access all files and data on the local system
  • Install persistence mechanisms and additional tools
  • Dump credentials from memory (which may include domain credentials)
  • Disable local security controls (antivirus, EDR agents)
  • Modify system configurations and logs

Domain Privilege Escalation

Domain privilege escalation involves gaining higher privileges within the broader network environment, particularly Active Directory (AD) domain environments. The ultimate goal is typically Domain Admin or Enterprise Admin privileges, which provide unrestricted access to all systems and resources within the domain. Domain escalation often chains multiple techniques:

  1. Dump local credentials from the compromised system
  2. Identify accounts with elevated domain privileges
  3. Exploit AD misconfigurations, trust relationships, or delegation settings
  4. Achieve domain administrator access

Cloud Privilege Escalation

With the increasing adoption of cloud infrastructure, cloud privilege escalation has become a distinct category. This involves escalating from a low-privilege cloud identity (user, service account, or role) to higher privileges within cloud environments like AWS, Azure, or GCP. According to CrowdStrike’s 2025 Cloud Threat Report, cloud privilege escalation incidents increased 58% year-over-year.

TypeScopeCommon TargetTypical TechniquesImpact
LocalSingle systemAdmin/root/SYSTEMKernel exploits, misconfigurations, service abuseFull system control
DomainAD domain/forestDomain Admin/Enterprise AdminKerberoasting, delegation abuse, ACL exploitationFull domain control
CloudCloud tenant/subscriptionGlobal Admin, root accountIAM policy abuse, role chaining, metadata exploitationFull cloud control

What Are the Primary Windows Privilege Escalation Techniques?

Windows environments present a rich landscape for privilege escalation due to the complexity of the Windows security model, the prevalence of legacy configurations, and the extensive attack surface provided by Windows services, scheduled tasks, and the registry. Red teamers targeting Windows systems have a wide array of techniques at their disposal.

Access Token Manipulation (T1134)

Windows uses access tokens to determine the security context of running processes. Token manipulation techniques allow an attacker to create, modify, or steal tokens to assume the identity of another user or elevate privileges.

Key Sub-Techniques:

  • Token Impersonation/Theft (T1134.001): Stealing a token from a running process owned by a higher-privilege user and using it to execute commands in that user’s context. Tools like Incognito and Cobalt Strike’s token manipulation capabilities make this straightforward when the attacker has SeImpersonatePrivilege.

  • Create Process with Token (T1134.002): Using a stolen or created token to launch a new process with elevated privileges. The Windows API functions CreateProcessWithTokenW and CreateProcessAsUserA enable this technique.

  • Potato Family Exploits: A class of privilege escalation techniques (Hot Potato, Sweet Potato, Juicy Potato, PrintSpoofer, GodPotato) that exploit Windows service accounts’ SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege to escalate from service account to SYSTEM. According to Mandiant’s 2025 data, Potato-family techniques were used in 23% of Windows privilege escalation incidents they investigated.

UAC Bypass

User Account Control (UAC) is a Windows security feature that prompts for elevation when administrative actions are required. UAC bypass techniques allow attackers to execute code with administrative privileges without triggering the UAC prompt.

Common UAC Bypass Methods:

  • Fodhelper.exe Bypass: Abusing the auto-elevating fodhelper.exe binary by manipulating registry keys to execute arbitrary commands with elevated privileges
  • Eventvwr.exe Bypass: Similar technique using eventvwr.exe, which reads from a user-writable registry location before elevation
  • CMSTPLUA COM Object: Using the CMSTPLUA COM object to execute commands with elevated privileges
  • DLL Hijacking of Auto-Elevating Processes: Placing malicious DLLs in locations where auto-elevating processes search for dependencies

While UAC bypass is technically not a full privilege escalation (the user already has administrative rights, just not elevated), it is a practical requirement in many red team scenarios where the initial foothold is a standard user session on an admin account.

DLL Hijacking and DLL Side-Loading (T1574.001/T1574.002)

DLL hijacking exploits the Windows DLL search order to load a malicious DLL instead of the legitimate one. When a privileged application searches for a DLL in a location the attacker can write to before finding the legitimate copy, the attacker’s DLL is loaded with the application’s privileges.

Red Team Application:

  1. Identify a service or scheduled task running with elevated privileges
  2. Determine which DLLs it loads and the search order
  3. Place a malicious DLL in a location the attacker can write to that is searched before the legitimate DLL location
  4. Wait for (or trigger) the application to restart, loading the malicious DLL

According to MITRE’s 2025 ATT&CK data, DLL hijacking is documented in the TTPs of over 40 threat groups, making it one of the most widely observed privilege escalation techniques in the wild.

Unquoted Service Paths (T1574.009)

When a Windows service binary path contains spaces and is not enclosed in quotation marks, Windows interprets each space as a potential path terminator. An attacker can place an executable at one of these intermediate paths to be executed when the service starts.

For example, if a service path is C:\Program Files\Vulnerable Service\service.exe, Windows will try to execute C:\Program.exe, then C:\Program Files\Vulnerable.exe, before the legitimate binary. If the attacker can write to C:\Program Files\, they can achieve code execution with the service’s privileges.

Scheduled Task Manipulation (T1053.005)

Scheduled tasks that run with elevated privileges can be targets for privilege escalation if:

  • The task’s executable or script is in a writable location
  • The task’s working directory is writable (enabling DLL hijacking)
  • The task itself can be modified by the current user

Service Exploitation

Windows services present multiple privilege escalation opportunities:

  • Weak Service Permissions: Services where the current user can modify the service configuration (change the binary path) to point to an attacker-controlled executable
  • Writable Service Binaries: Services whose executable files are writable by the current user
  • Service Registry Key Permissions: Services whose registry configuration can be modified to change the executable path

“In nearly every Windows environment we test, we find at least one privilege escalation path that relies on a misconfigured service or unquoted service path. These are basic hygiene issues that persist because they require systematic auditing that most organisations don’t perform.” — Will Schroeder, Creator of PowerUp and BloodHound, DerbyCon presentation.

What Are the Primary Linux Privilege Escalation Techniques?

Linux privilege escalation techniques exploit the Unix permission model, kernel vulnerabilities, and common misconfigurations. While Linux is often perceived as more secure than Windows, misconfigured Linux systems offer numerous escalation paths that red teamers routinely exploit.

SUID/SGID Binary Abuse

SUID (Set User ID) and SGID (Set Group ID) are special permissions that allow a program to run with the privileges of the file owner or group, regardless of who executes it. When a SUID binary is owned by root, any user who executes it gains root-level access for the duration of that execution.

Red Team Methodology:

  1. Enumerate all SUID binaries: find / -perm -4000 -type f 2>/dev/null
  2. Cross-reference against known exploitable binaries using resources like GTFOBins
  3. Exploit the binary to obtain a root shell or execute commands as root

Common exploitable SUID binaries include custom applications that call system commands unsafely, older versions of standard utilities, and applications with known vulnerabilities. According to a 2025 SANS Linux Security survey, 41% of Linux systems in enterprise environments contain at least one non-default SUID binary with known escalation potential.

Sudo Misconfiguration

The sudo utility allows users to execute commands with elevated privileges based on rules defined in the /etc/sudoers file. Misconfigurations in sudo rules are one of the most common Linux privilege escalation vectors.

Common Sudo Misconfigurations:

  • Overly Permissive NOPASSWD Rules: Users granted passwordless sudo access to dangerous commands (editors, interpreters, package managers)
  • Wildcard Abuse: Sudo rules using wildcards that can be manipulated to execute unintended commands
  • Environment Variable Preservation: Sudo configurations that preserve dangerous environment variables (LD_PRELOAD, LD_LIBRARY_PATH) enabling library injection
  • Sudo Version Vulnerabilities: Historical sudo vulnerabilities like CVE-2021-3156 (Baron Samedit) that allow privilege escalation regardless of sudo configuration

GTFOBins catalogs over 300 binaries that can be abused through sudo misconfigurations to escalate privileges. Red teams use this resource extensively during Linux engagements.

Kernel Exploits

Linux kernel vulnerabilities provide the most direct path to root access, bypassing all user-space security controls. While kernel exploits carry risk of system instability, they are sometimes the only viable escalation path in well-hardened environments.

Notable Kernel Exploits Used in Red Team Operations:

CVENameKernel VersionsImpact
CVE-2022-0847Dirty Pipe5.8 - 5.16.11Arbitrary file overwrite as root
CVE-2022-2588-5.xUse-after-free in route4 filter
CVE-2023-0386OverlayFS5.11 - 6.2Arbitrary code execution as root
CVE-2024-1086-5.14 - 6.6nf_tables use-after-free
CVE-2025-21756-6.xVsock privilege escalation

Red Team Considerations: Kernel exploits should be used cautiously in red team engagements due to the risk of kernel panic and system crash. Professional red teams test kernel exploits in lab environments that mirror the target’s kernel version before deployment. According to CrowdStrike’s 2025 data, kernel exploitation accounted for 11% of Linux privilege escalation incidents.

Cron Job Abuse

Cron jobs (scheduled tasks in Linux) can provide privilege escalation opportunities when:

  • A cron job running as root executes a script that is writable by the current user
  • A cron job references a file in a writable directory using a relative path
  • A cron job uses wildcard characters that can be exploited through filename injection
  • The cron job’s PATH variable includes writable directories

Capabilities Abuse

Linux capabilities provide a finer-grained permission model than the traditional root/non-root dichotomy. Certain capabilities, when assigned to binaries, can be exploited for privilege escalation:

  • CAP_SETUID: Allows changing the process UID — directly enables escalation to root
  • CAP_DAC_OVERRIDE: Bypasses file read/write permission checks
  • CAP_SYS_ADMIN: A broad capability that enables multiple escalation vectors
  • CAP_NET_RAW: Enables raw socket creation, useful for network-based escalation

Container Escape

In containerized environments, privilege escalation often means escaping the container to gain access to the host system. Common container escape techniques include:

  • Exploiting privileged containers or excessive capabilities
  • Abusing mounted Docker sockets
  • Exploiting kernel vulnerabilities from within the container
  • Exploiting misconfigured container runtimes

Mandiant’s 2025 data shows that container escape was a factor in 17% of cloud-focused red team engagements, with privileged container configurations being the most common vulnerability.

How Does Active Directory Privilege Escalation Work?

Active Directory (AD) environments are the crown jewels of most enterprise networks, and AD privilege escalation is frequently the most impactful phase of a red team engagement. The complexity of AD — with its trust relationships, delegation configurations, group policies, and certificate services — creates an expansive attack surface that even well-resourced security teams struggle to lock down fully.

Kerberoasting (T1558.003)

Kerberoasting exploits the Kerberos authentication protocol’s use of service tickets encrypted with the service account’s password hash. Any authenticated domain user can request service tickets for any service principal name (SPN) in the domain, then crack those tickets offline to recover the service account password.

Red Team Methodology:

  1. Enumerate service accounts with SPNs using tools like GetUserSPNs.py or Rubeus
  2. Request TGS tickets for those SPNs
  3. Extract the ticket data and crack offline using hashcat or John the Ripper
  4. If the service account has elevated privileges, use the cracked password for further access

According to CrowdStrike’s 2025 data, Kerberoasting was the technique used in 34% of Active Directory compromises they investigated. Service accounts with weak passwords and high privileges remain disturbingly common — Mandiant’s 2025 report found that 42% of Kerberoastable accounts in client environments had passwords that could be cracked within 24 hours using commodity hardware.

AS-REP Roasting (T1558.004)

AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled. For these accounts, any user can request an AS-REP (Authentication Service Reply) encrypted with the target account’s password hash, which can then be cracked offline.

While less common than Kerberoasting (pre-authentication is enabled by default), red teams regularly find accounts with this misconfiguration, particularly service accounts and legacy accounts.

Delegation Abuse

Kerberos delegation allows services to impersonate users when accessing other services. Misconfigured delegation creates powerful privilege escalation paths:

  • Unconstrained Delegation: A server with unconstrained delegation can impersonate any user who authenticates to it. If a red team can compromise such a server and coerce a domain controller to authenticate (using techniques like the Printer Bug or PetitPotam), they can capture the DC’s TGT and achieve domain compromise.

  • Constrained Delegation: More restrictive, but still exploitable through S4U2Self and S4U2Proxy protocol extensions that allow the service to request tickets on behalf of other users.

  • Resource-Based Constrained Delegation (RBCD): A newer delegation model where the target resource controls which services can delegate to it. RBCD abuse has become a staple of modern AD attacks because it requires only the ability to modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on a target computer object.

ACL/ACE Abuse

Active Directory Access Control Lists (ACLs) define permissions on AD objects. Misconfigured ACLs — where low-privilege users have write access to high-privilege objects — create direct escalation paths:

  • GenericAll/GenericWrite on User Objects: Allows password reset or targeted Kerberoasting
  • WriteDACL: Allows granting oneself additional permissions
  • WriteOwner: Allows taking ownership of objects and modifying their ACLs
  • ForceChangePassword: Allows resetting another user’s password without knowing the current password

BloodHound excels at identifying these ACL-based attack paths, visualizing the chain of permissions that connects a compromised low-privilege account to domain administrator.

Certificate Services Abuse (AD CS)

Active Directory Certificate Services (AD CS) has emerged as one of the most significant AD attack surfaces. Research published by Will Schroeder and Lee Christensen (the “Certified Pre-Owned” paper) documented multiple privilege escalation techniques through certificate templates and enrollment services.

Key AD CS Attacks:

  • ESC1: Certificate templates that allow requesters to specify arbitrary Subject Alternative Names (SANs), enabling enrollment as any user including Domain Admin
  • ESC4: Templates with vulnerable ACLs that allow modification of the template to enable ESC1-style attacks
  • ESC8: NTLM relay to the AD CS web enrollment interface to request certificates as the relayed user

According to MITRE’s 2025 data, AD CS attacks were observed in 28% of red team engagements that targeted Active Directory, and in 19% of real-world AD compromises investigated by major incident response firms.

What Tools Do Red Teams Use for Privilege Escalation?

Red teams rely on a combination of enumeration tools, exploitation frameworks, and specialized utilities for privilege escalation. Understanding these tools is essential for both offensive operators and defenders who need to detect their use.

BloodHound

BloodHound is the definitive tool for Active Directory privilege escalation path discovery. It uses graph theory to map relationships between AD objects, identifying attack paths from any compromised account to high-value targets like Domain Admin groups.

Key Capabilities:

  • Visualizes all possible attack paths to Domain Admin
  • Identifies Kerberoastable accounts, delegation misconfigurations, and ACL abuse chains
  • Maps session data to identify where high-privilege users are logged in
  • Supports Azure AD analysis through AzureHound

BloodHound Community Edition (CE), released in 2024, provides an updated interface and enhanced analysis capabilities. According to a 2025 SANS survey, 91% of professional red teams use BloodHound as part of their standard toolset for AD engagements.

Rubeus

Rubeus is a C# toolset for Kerberos interaction and abuse, providing capabilities for:

  • Kerberoasting and AS-REP Roasting
  • Ticket requests, renewals, and manipulation
  • Constrained and unconstrained delegation exploitation
  • Pass-the-ticket and overpass-the-hash attacks
  • Diamond and Sapphire ticket creation

PowerUp / SharpUp

PowerUp (PowerShell) and its C# equivalent SharpUp are tools for local Windows privilege escalation enumeration. They automatically check for:

  • Unquoted service paths
  • Weak service permissions
  • Writable service executables
  • DLL hijacking opportunities
  • Always-install-elevated registry settings
  • Autologon credentials in the registry

LinPEAS / WinPEAS

The Privilege Escalation Awesome Scripts (PEAS) suite provides thorough enumeration for Linux (LinPEAS) and Windows (WinPEAS). These scripts run extensive checks and present findings color-coded by severity, identifying:

  • SUID binaries and sudo misconfigurations (Linux)
  • Service misconfigurations and unquoted paths (Windows)
  • Credential exposure in configuration files, history, and memory
  • Kernel and software version vulnerabilities
  • Network configuration weaknesses

Additional Tools

ToolPlatformPrimary Function
MimikatzWindowsCredential extraction from memory
Certify / CertipyWindows/ADAD CS vulnerability enumeration and exploitation
ImpacketCross-platformPython implementations of network protocols for AD abuse
PEASS-ngWindows/LinuxAutomated privilege escalation enumeration
BeRootWindows/LinuxAutomated escalation vector identification
pspyLinuxProcess monitoring without root (detect cron jobs)
PowerViewWindows/ADAD enumeration and exploitation

For organisations seeking to identify and remediate privilege escalation vulnerabilities before they are exploited, RedTeamPartner.com provides specialized Active Directory security assessments and privilege escalation testing by experienced red team operators.

How Do Organizations Defend Against Privilege Escalation?

Defending against privilege escalation requires a multi-layered approach that combines preventive controls, detection capabilities, and ongoing validation. Given the diversity of escalation techniques, no single control is sufficient.

Preventive Controls

Principle of Least Privilege: The foundational defense against privilege escalation is ensuring that users, services, and applications operate with the minimum permissions required. According to CrowdStrike’s 2025 data, organisations that implemented strict least-privilege policies experienced 67% fewer privilege escalation incidents.

Patch Management: Keeping systems, kernels, and applications patched closes vulnerability-based escalation paths. Prioritize patches for local privilege escalation vulnerabilities (often rated Medium severity but with critical real-world impact).

Service Account Hygiene: Implement strong, unique passwords for all service accounts. Deploy Group Managed Service Accounts (gMSAs) where possible to eliminate password-based Kerberoasting risk. Audit and remove unnecessary service principal names.

Active Directory Hardening:

  • Implement tiered administration (Tier 0/1/2 model) to protect high-privilege accounts
  • Enable Protected Users security group for administrative accounts
  • Audit and remediate ACL misconfigurations using BloodHound for defensive purposes
  • Disable unnecessary delegation configurations
  • Secure AD CS templates using the guidance from the Certified Pre-Owned research

Linux Hardening:

  • Audit and minimize SUID/SGID binaries
  • Implement restrictive sudoers configurations using specific commands rather than ALL
  • Enable SELinux or AppArmor for mandatory access control
  • Restrict kernel module loading
  • Implement container security best practices (no privileged containers, minimal capabilities)

Detection Capabilities

Endpoint Detection and Response (EDR): Modern EDR solutions detect many privilege escalation techniques through behavioral analysis, including:

  • Token manipulation and impersonation
  • Known exploit patterns (Potato family, kernel exploits)
  • Credential dumping from LSASS
  • Suspicious use of system utilities

Active Directory Monitoring: Implement monitoring for AD-specific escalation indicators:

  • Kerberoasting: Anomalous TGS requests (event ID 4769) for service accounts
  • DCSync: Replication requests from non-domain controller sources (event ID 4662)
  • Delegation changes: Modifications to delegation attributes
  • ACL modifications: Changes to sensitive object permissions
  • Certificate enrollment: Unusual certificate requests through AD CS

Privileged Access Management (PAM): Deploy PAM solutions to monitor and control the use of privileged credentials, implementing just-in-time access and session recording.

According to Mandiant’s 2025 research, organisations with mature privilege escalation detection capabilities reduced their median time to detect privilege escalation from 16 days to 2.3 days — a 85% improvement that significantly limits the impact of successful escalation.

Continuous Validation

Regular validation of privilege escalation defenses is essential:

  • Red Team Engagements: Periodic full-scope assessments that include privilege escalation testing
  • Purple Team Exercises: Collaborative sessions where red and blue teams test specific escalation techniques and verify detection
  • Automated Validation: Tools like Atomic Red Team provide automated tests for specific escalation techniques that can be run regularly

For detailed guidance on implementing privilege escalation defenses in Swiss enterprise environments, CybersecuritySwitzerland.ch provides resources aligned with Swiss financial regulatory requirements and European cybersecurity standards.

The privilege escalation landscape continues to evolve as organisations adopt new technologies and adversaries develop new techniques.

Cloud-Native Privilege Escalation

As organisations move workloads to the cloud, cloud-specific escalation techniques are becoming increasingly important:

AWS Escalation Paths:

  • IAM policy manipulation (attaching admin policies to compromised roles)
  • Lambda function abuse (modifying functions to execute with attached roles)
  • EC2 instance metadata exploitation (stealing temporary credentials)
  • AssumeRole chaining across accounts

Azure Escalation Paths:

  • Managed Identity abuse
  • Azure AD role assignment through privileged API calls
  • Service Principal secret manipulation
  • Azure Resource Manager exploitation

GCP Escalation Paths:

  • Service account key creation
  • IAM policy binding manipulation
  • Compute Engine default service account abuse
  • Cloud Functions privilege escalation

According to CrowdStrike’s 2025 Cloud Threat Report, 43% of cloud security incidents involved privilege escalation, with IAM misconfiguration being the root cause in 71% of those incidents.

Identity Provider Attacks

Attacks targeting identity providers (IdPs) like Okta, Azure AD, and Ping Identity represent a form of privilege escalation that operates above the traditional system level. Compromising an IdP administrator account provides access to all applications and services federated through that provider.

AI-Assisted Escalation

Emerging research demonstrates the use of AI models to identify privilege escalation paths in complex environments. Tools are being developed that use machine learning to analyze system configurations and identify non-obvious escalation chains that manual enumeration might miss. While still nascent, this trend is expected to accelerate through 2026.

Hardware and Firmware-Level Escalation

Techniques targeting hardware and firmware — UEFI implants, BMC exploitation, and TPM attacks — represent the most persistent and difficult-to-detect form of privilege escalation. While currently employed primarily by nation-state adversaries, awareness of these techniques is growing in the red team community. Mandiant’s 2025 data documented a 34% increase in firmware-level persistence and escalation techniques observed in their investigations.

Frequently Asked Questions About Privilege Escalation

What is the difference between privilege escalation and lateral movement?

Privilege escalation (TA0004) involves gaining higher permissions on a system or within a domain. Lateral movement (TA0008) involves moving from one system to another within the network. They are related but distinct tactics — an attacker often escalates privileges on one system to obtain credentials that enable lateral movement to another system, where the cycle may repeat.

Can EDR prevent all privilege escalation?

No. While modern EDR solutions detect many common escalation techniques, they cannot prevent all escalation paths. Misconfigurations in Active Directory, cloud IAM policies, and sudo rules represent logical vulnerabilities that EDR does not address. A layered defence requires combining EDR with proper configuration management, access control auditing, and vulnerability management.

How do red teams prioritize which escalation technique to use?

Red teams prioritize based on several factors: stealth requirements (kernel exploits are noisy; ACL abuse is quiet), reliability (well-tested techniques over novel ones), and target environment (Windows vs. Linux vs. cloud). The general preference is to use the least detectable technique that achieves the required level of access.

Is privilege escalation always necessary in an attack?

Not always. If an attacker gains initial access with an already-privileged account (such as through compromised administrator credentials), explicit privilege escalation may not be needed. However, in the majority of attacks — especially those starting from phishing — the initial foothold is with standard user privileges, making escalation a necessary step. CrowdStrike’s 2025 data indicates that 78% of breaches included an explicit privilege escalation phase.

What certifications cover privilege escalation techniques?

Several cybersecurity certifications include extensive privilege escalation content: OSCP (Offensive Security Certified Professional), CRTO (Certified Red Team Operator), GPEN (GIAC Penetration Tester), and OSEP (Offensive Security Experienced Pentester). For Active Directory-specific escalation, the CRTP (Certified Red Team Professional) from Altered Security is widely regarded as the most focused credential.

Sources

  1. MITRE ATT&CK TA0004 — confirms 14 techniques under Privilege Escalation