Privilege Escalation — common techniques and detection on Linux and Windows
Privilege escalation (privesc) is the process by which an attacker — already holding limited access — obtains higher permissions (root, SYSTEM, Domain Admin). Understanding these techniques is essential for defending systems against them.
Context: the examples below apply to authorized lab environments such as CTF machines or pentests with a defined scope.
Linux — common vectors
Misconfigured SUID
SUID binaries run as the file owner (often root) regardless of who executes them:
# Enumerate SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Example: /usr/bin/find with SUID (lab)
/usr/bin/find . -exec /bin/sh -p \; -quit
# -p preserves EUID=0 — immediate escalation
Sudo misconfiguration
sudo -l # list the commands the current user may run via sudo (and as which user)
# Dangerous output:
# (ALL) NOPASSWD: /usr/bin/vim
# vim can open a shell:
sudo vim -c ':!/bin/bash'
Cron jobs with unsafe paths
cat /etc/crontab
# If the script run as root is owned by a regular user
# or lives in a writable directory — replace its content
ls -la /opt/backup.sh # owner: regular_user, cron: root
Kernel exploits
An outdated kernel may have known CVEs. Identifying the running kernel version is straightforward:
uname -r # kernel version
searchsploit linux kernel 5.4 # search CVEs (lab tool)
Defense: keep the kernel updated; use unattended-upgrades.
Windows — common vectors
AlwaysInstallElevated
If this GPO policy is enabled, any user can install MSI packages as SYSTEM:
# Check (as a regular user)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Value 0x1 in both = vulnerable
Defense: disable this policy via GPO.
Services with weak permissions
# Check ACL of a service binary
icacls "C:\Program Files\MyService\service.exe"
# If regular users have (W) — they can replace the binary
Token impersonation / SeImpersonatePrivilege
Service accounts often hold SeImpersonatePrivilege. With that token, escalation to SYSTEM is possible using techniques like PrintSpoofer (in a lab):
Service account (IIS, SQL Server) → SeImpersonatePrivilege → SYSTEM
Defense: apply least privilege. Service accounts must never hold administrative rights.
Detection
Linux:
- auditd: monitor execve where effective UID differs from real UID
- /var/log/auth.log: sudo usage, authentication failures
- AIDE/Tripwire: detect changes to SUID binaries
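The first Linux bullet in practice, as an added example that is not part of the original article: a small parser for auditd SYSCALL records that flags execve events where the effective UID differs from the real UID, which is exactly the transition the SUID find example above produces. The log lines are constructed samples, and the audit rule in the comment is the standard auditctl syntax for this check.

```python
import re
from typing import Dict, List

# Matching auditd rule (real auditctl syntax): log every execve whose
# real and effective UID differ, tagged with the key "privesc".
#   -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k privesc

# key=value pairs in an auditd record; values may be double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not real log data): a normal execve of ls,
# then the SUID find and the shell it spawned, both with uid=1000 euid=0.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 comm="ls" exe="/usr/bin/ls" key="privesc"
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1202 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 comm="find" exe="/usr/bin/find" key="privesc"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1202 pid=1203 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 comm="sh" exe="/usr/bin/dash" key="privesc"
type=PROCTITLE msg=audit(1700000000.303:203): proctitle=2F62696E2F7368002D70
"""


def parse_record(line: str) -> Dict[str, str]:
    """Turn one auditd line into a dict of fields; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def find_uid_transitions(log_text: str) -> List[Dict[str, str]]:
    """Return execve SYSCALL records whose effective UID differs from the real UID.

    Only SYSCALL records are considered (PROCTITLE, PATH, CWD lines are
    skipped); execve is syscall 59 on x86_64, or the name when auditd is
    configured to interpret it.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if rec.get("syscall") not in ("59", "execve"):
            continue
        if rec.get("uid") != rec.get("euid"):
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> List[str]:
    """One alert line per hit: real uid -> effective uid, executable, login uid."""
    return [f"uid={h['uid']}->euid={h['euid']} exe={h['exe']} auid={h['auid']}" for h in hits]


if __name__ == "__main__":
    for alert in summarize(find_uid_transitions(SAMPLE_AUDIT_LOG)):
        print(alert)
```

On a real host, feed it the output of `ausearch -k privesc --raw` so that only records matching the rule above are scanned.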
Windows:
- Event ID 4672: special privileges assigned at logon
- Event ID 4688: new process created (monitor arguments)
- Event ID 7045: new service installed
- Sysmon: track process creation with full command line
Core defense principle
Least privilege. If a process or user does not need root/SYSTEM to function, do not grant that access.