Privilege Escalation (TA0004) covers techniques adversaries use to gain higher-level permissions on a system or network so they can access protected resources, change configurations, or perform actions normally reserved for administrators. In practice it’s what attackers do when they’ve landed with low privileges but need more power to reach their goals.

🎯 High-level objective

Gain elevated permissions (local or domain) so the adversary can move laterally, access sensitive data, install services, or change security controls — often by exploiting vulnerabilities, abusing OS mechanisms, or hijacking credentials.

🧩 Core Privilege Escalation Techniques (with MITRE IDs & short descriptions)

Below are the main techniques you’ll see mapped to TA0004. I’ve included representative examples and what defenders should watch for.

• T1068 — Exploitation for Privilege Escalation Exploit a software vulnerability (application, service, OS/kernel) to execute code at a higher privilege level. Watch for unusual process launches tied to exploit behavior.

• T1134 — Access Token Manipulation (Token Impersonation / Theft) Duplicate, steal, or impersonate another process’s access token (Windows tokens) to act with higher privileges without credentials. Tools and APIs like Duplicate Token are commonly abused.

• T1548 (and sub-techniques) — Abuse Elevation Control Mechanism Abuse built-in elevation controls (UAC bypasses, setuid/setgid on Unix, sudo misconfigurations) to execute with elevated privileges. Sub-techniques include UAC bypass and abusing setuid binaries.

• T1136 / T1078 — Create Account & Use Valid Accounts Create new privileged accounts (or reuse compromised valid accounts) to obtain persistent elevated access that is hard to distinguish from legitimate administrator activity.

• T1543 — Create or Modify System Process / Services Install or modify services that run as SYSTEM/root so malicious code executes with high privileges on boot or on demand.

• T1055 — Process Injection Inject code into higher-privilege processes so the injected code inherits that process’s privileges (and can hide in legitimate process space).

• T1204.002 — Malicious File / Macro (User Execution → escalations) Trick a user to run a file or macro that drops an escalation exploit or launches code that abuses elevation mechanisms. User interaction is often the initial trigger.

• T1543.003 — Windows Service (specific service-based escalation) Create/alter Windows services to run payloads as SYSTEM or elevated service accounts.

• OS-specific abuses (sudo, setuid, SUID helpers, kernel exploits) On Unix-like systems, misconfigured sudo, setuid binaries, or kernel vulnerabilities are common escalation vectors (e.g., CVEs targeting sudo or kernel). Monitor for suspicious sudo usage and setuid manipulation.

🔎 Detection — what to log & hunt for

Focus on behavior, parent/child process anomalies, and artifacts that indicate elevation attempts:

1. Monitor process lineage & command-lines

   • Alerts when low-privilege apps spawn privileged tools (e.g., winword.exe → powershell.exe), or unusual sudo commands. Log full command-lines and parent process.

2. Watch for token manipulation and impersonation events

   • Audit calls or patterns consistent with DuplicateToken, ImpersonateLoggedOnUser, or similar API usage on Windows.

3. Detect changes to accounts & privilege grants

   • Alert on creation of new administrative accounts, group membership changes, or service accounts created outside change windows.

4. Look for service creation/modification and autorun additions

   • New/modified services, scheduled tasks, or startup entries referencing unusual paths (e.g., AppData, Temp).

5. Kernel/driver/modification indicators

   • Kernel exploit attempts often have unusual syscalls, driver loads, or UEFI/firmware changes. Those require EDR kernel telemetry.

6. Sudo/setuid anomalies on Linux/macOS

   • Log unexpected sudo invocations (especially with uncommon flags), setuid binary writes, or new setuid programs. Watch for commands that exploit known CVEs.
     

🛡️ Prevention & hardening — prioritized actions

These controls reduce the chance and impact of privilege escalation:

1. Enforce least privilege everywhere

   • Limit admin rights; use role-based access; separate admin workstations. Least privilege is the single most effective control.

2. Use MFA & strong authentication for high-privilege ops

   • Require multi-factor authentication and just-in-time elevation for administrative actions to reduce usefulness of stolen credentials.

3. Patch comprehensively (esp. kernel, sudo, services)

   • Timely patching mitigates exploitation vectors (T1068). Maintain an inventory and prioritize high-risk CVEs (kernel, privileged services).

4. Harden elevation mechanisms

   • Configure UAC tightly on Windows, disable or restrict interactive elevation prompts, and remove unnecessary setuid bits or tighten sudoers rules on Unix.

5. Application allow-listing & code signing

   • Block unsigned/unknown executables from running in sensitive contexts; only allow approved binaries and signed installers.

6. Protect privileged sessions & accounts

   • Use privileged access management (PAM) solutions, session recording, and ephemeral credentials for service accounts. Rotate credentials regularly.

7. Limit service account privileges & scope

   • Don’t run apps as SYSTEM/root unless absolutely required; use least-privilege service accounts and ACLs.

8. EDR + kernel-level telemetry

   • Deploy endpoint detection with capability to detect process injection, token theft, suspicious kernel calls, and service modifications.

9. Secure development & build pipelines

   • Prevent insecure artifacts or misconfigurations that could be exploited for local privilege elevation.
     

🧯 Incident response (quick playbook)

1. Isolate affected host(s) to prevent lateral escalation.

2. Collect artifact timeline — process trees, command lines, created services, account changes, and relevant logs.

3. Rotate credentials for affected accounts and service principals.

4. Remove persistence & revert unauthorized privilege changes (but only after thorough evidence capture).

5. If kernel/firmware compromise suspected, reimage and validate firmware — firmware/UEFI compromises often require full rebuilds.

6. Hunt across environment for lateral use of the technique (e.g., same exploit, same token theft patterns, reused service account).

7. Post-incident: patch the exploited vector, tighten elevation controls, and run focused hunts to ensure remediation.
   

✅ SOC Checklist (quick)

•  Ingest command-lines + parent process data to SIEM/EDR.

•  Monitor & alert for new privileged accounts and group membership changes.

•  Alert on service creation/modification and scheduled task additions.

•  Implement least privilege + remove local admin from users.

•  Harden UAC/sudo and remove unnecessary setuid bits.

•  Patch prioritized vulnerabilities (especially kernel, privilege-required services).

•  Deploy EDR rules for token impersonation, process injection, and suspicious privilege-related syscalls.

•  Use PAM and MFA for privileged sessions.
  

🔁 Final takeaways

Privilege escalation is a pivot point that turns limited access into full-control scenarios. Defenders win by reducing the attack surface (least privilege + patching), hardening elevation paths (UAC, sudo, setuid), and instrumenting visibility into the exact behaviors attackers use to gain elevation (token ops, service creation, process injection). Combining preventive controls with strong telemetry and rapid response gives you the best chance to stop attackers before they escalate and do real damage.