Privilege escalation occurs when an attacker gains higher-level permissions than they were originally allowed to have.
In SOC operations, detecting privilege escalation is critical because it usually happens after initial access and right before lateral movement, persistence, credential dumping, or ransomware deployment.
This chapter explains privilege escalation detection in full-length, SOC-grade depth, including log sources, detection techniques, SIEM queries, EDR patterns, Windows/Linux indicators, and full use-case workflows.
What Privilege Escalation Means in SOC
Privilege escalation has two forms:
Vertical Privilege Escalation
Low-privileged user → admin/root
Example:
User “john” → Local Administrator
Horizontal Privilege Escalation
User gains access to another user’s resources at the same privilege level.
Example:
user1 accessing user2’s file shares
SOC mainly focuses on vertical escalation, because it indicates compromise.
Why Attackers Escalate Privileges
Privilege escalation is used to:
- Dump credentials from LSASS
- Install persistence
- Disable security tools
- Deploy ransomware
- Move laterally
- Access sensitive files
- Execute system-level commands
Stopping privilege escalation early stops the attack chain.
Data Sources Required for Detection
SOC analysts need visibility from:
Windows Logs
- Security Log (Event IDs)
- Sysmon
- PowerShell logs
- EDR telemetry
Linux Logs
- auth.log
- sudo logs
- systemd logs
Network Logs
- SMB access
- WinRM/SSH activity
EDR + SIEM correlation is mandatory for accurate detection.
Windows Privilege Escalation Indicators
Key Event IDs
Event ID 4672 — Special Privileges Assigned
Occurs when a user receives admin-level privileges.
Suspicious when triggered by:
- Normal user account
- Service accounts
- New login pattern
Example:
Account: user123
Privileges: SeDebugPrivilege, SeTcbPrivilege
Event ID 4624 (Logon) with Admin Rights
Check for:
- LogonType 2 (interactive)
- LogonType 10 (RDP)
- LogonType 3 (network)
Suspicious when:
- Non-admin logs in with admin-like privileges
- Account logs in outside work hours
Event ID 4728 / 4732 — User Added to Admin Group
Indicates privilege escalation via group modification.
Example:
User john added to Domain Admins
Event ID 4648 — Logon Attempt with Explicit Credentials
Used extensively in:
- Pass-the-Hash
- Credential dumping
- Lateral movement
Unexpected spikes indicate escalation attempts.
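The three Windows rules above (4672 with sensitive privileges for a non-admin account, 4728/4732 adding a member to an admin group, and 4624 interactive or RDP logons outside work hours) can be expressed as a small rule set run over normalized events. The code below is an added example and is not part of the original chapter; the event records, the admin allow list, the privilege set and the working-hours window are all constructed for illustration and would come from the SIEM in practice.

```python
"""Rule-based triage of normalized Windows Security events for privilege-escalation signals.

Added example: the event records and allow lists below are constructed, not taken from a real host.
"""
from datetime import datetime

# Constructed allow list: accounts expected to hold admin-level privileges
KNOWN_ADMIN_ACCOUNTS = {"svc_backup", "it-admin"}
# Privileges that matter for escalation (the chapter names SeDebug/SeTcb/SeImpersonate/SeAssignPrimaryToken)
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
                        "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege"}
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
WORK_HOURS = range(8, 19)  # 08:00-18:59 local time counts as working hours (assumption)

# Constructed sample events shaped like normalized Security log records
SAMPLE_EVENTS = [
    {"EventID": 4672, "Time": "2024-05-06T09:12:00", "Account": "it-admin",
     "Privileges": ["SeDebugPrivilege", "SeBackupPrivilege"]},
    {"EventID": 4672, "Time": "2024-05-06T23:40:00", "Account": "user123",
     "Privileges": ["SeDebugPrivilege", "SeTcbPrivilege"]},
    {"EventID": 4624, "Time": "2024-05-06T02:15:00", "Account": "user123",
     "LogonType": 10, "Host": "WS-017"},
    {"EventID": 4624, "Time": "2024-05-06T10:05:00", "Account": "alice",
     "LogonType": 2, "Host": "WS-021"},
    {"EventID": 4732, "Time": "2024-05-06T23:41:00", "Account": "user123",
     "Member": "john", "Group": "Administrators"},
    {"EventID": 4728, "Time": "2024-05-06T11:00:00", "Account": "it-admin",
     "Member": "svc_backup", "Group": "Backup Operators"},
]


def check_special_privileges(ev):
    """4672: sensitive privileges granted to an account outside the admin allow list."""
    if ev["EventID"] != 4672 or ev["Account"] in KNOWN_ADMIN_ACCOUNTS:
        return None
    hits = SENSITIVE_PRIVILEGES.intersection(ev["Privileges"])
    if hits:
        return f"4672: {ev['Account']} received {sorted(hits)}"
    return None


def check_admin_group_change(ev):
    """4728/4732: a member added to a privileged group, whoever performed the change."""
    if ev["EventID"] in (4728, 4732) and ev["Group"] in ADMIN_GROUPS:
        return f"{ev['EventID']}: {ev['Member']} added to {ev['Group']} by {ev['Account']}"
    return None


def check_off_hours_logon(ev):
    """4624: interactive (2) or RDP (10) logon outside the working-hours window."""
    if ev["EventID"] != 4624 or ev["LogonType"] not in (2, 10):
        return None
    hour = datetime.fromisoformat(ev["Time"]).hour
    if hour not in WORK_HOURS:
        return f"4624: {ev['Account']} logon type {ev['LogonType']} on {ev['Host']} at {ev['Time']}"
    return None


RULES = (check_special_privileges, check_admin_group_change, check_off_hours_logon)


def triage(events):
    """Run every rule over every event, in order, and return the findings as strings."""
    findings = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Running it on the sample yields three findings: user123 receiving SeDebugPrivilege and SeTcbPrivilege, user123's RDP logon at 02:15, and john being added to Administrators by user123. The it-admin events and the Backup Operators change are left alone, which is the point of keeping an allow list per rule rather than one global exclusion.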
Sysmon Event ID 1 — Process Creation
Used to detect privilege escalation tools:
- powershell.exe -enc
- whoami /priv
- net localgroup administrators
- runas /user:Administrator
- psexec.exe
- wmic process call create
- dllhost injecting admin payloads
Common Privilege Escalation Tools (Detected via EDR)
- Mimikatz
- JuicyPotato / RottenPotato
- PrintSpoofer
- PsExec
- runas.exe
- SharpUp
- SharpHound (BloodHound collectors)
- PowerUp.ps1
- winPEAS
EDR will show suspicious process trees.
Linux Privilege Escalation Indicators
Linux logs make escalation detection straightforward.
/var/log/auth.log
Sudo activity
sudo su
sudo -l
sudo /bin/bash
EDR/SIEM should flag when:
- Normal user executes sudo unexpectedly
- User attempts privilege enumeration
- Repeated sudo failures
Switching Users (su)
Logs:
su root
session opened for user root
Suspicious if:
- Non-admin tries switching to root
- Successful switch without prior approval
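The sudo and su indicators above map directly onto lines in /var/log/auth.log. The parser below is an added example (not from the original chapter): it reads constructed auth.log lines in the syslog format Debian/Ubuntu write, and flags unexpected sudo use by a non-admin, privilege enumeration (`sudo -l`, which sudo records as `COMMAND=list`), repeated password failures, and su to root by a non-admin. The admin allow list and the failure threshold are assumptions.

```python
"""Parse constructed /var/log/auth.log lines and flag privilege-escalation signals.

Added example: the log lines, allow list and threshold are constructed for illustration.
"""
import re
from collections import Counter

ADMIN_USERS = {"ops"}      # constructed allow list of users expected to use sudo/su
FAILURE_THRESHOLD = 3      # total failed sudo attempts per user that trip a finding

# Constructed sample lines (syslog format as written by sudo, su and pam_unix)
SAMPLE_AUTH_LOG = """\
May  6 09:01:12 web01 sudo:      ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
May  6 09:14:03 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=list
May  6 09:14:09 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May  6 09:20:31 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su
May  6 09:20:40 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su
May  6 09:22:05 web01 su: (to root) alice on pts/1
May  6 09:22:05 web01 su: pam_unix(su:session): session opened for user root by alice(uid=1001)
"""

# Successful sudo invocation: who ran what, as which target user
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# Failed sudo authentication, with the attempt count sudo reports
FAIL_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<n>\d+) incorrect password attempts")
# su invocation (logged before authentication succeeds or fails)
SU_RE = re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on ")
# PAM session line written once the switch to root has succeeded
SESSION_RE = re.compile(r"session opened for user root by (?P<user>\S+)\(")


def analyze_auth_log(text):
    """Return a list of finding strings for the auth.log text, in log order (failures last)."""
    findings = []
    failures = Counter()
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.group("user", "target", "cmd")
            if cmd == "list":  # sudo -l is recorded as COMMAND=list
                findings.append(f"privilege enumeration: {user} ran sudo -l")
            if user not in ADMIN_USERS:
                findings.append(f"unexpected sudo: {user} -> {target}: {cmd}")
            continue
        m = FAIL_RE.search(line)
        if m:
            failures[m.group("user")] += int(m.group("n"))
            continue
        m = SU_RE.search(line)
        if m and m.group("target") == "root" and m.group("user") not in ADMIN_USERS:
            findings.append(f"su to root attempted by non-admin {m.group('user')}")
            continue
        m = SESSION_RE.search(line)
        if m and m.group("user") not in ADMIN_USERS:
            findings.append(f"root session opened by non-admin {m.group('user')}")
    for user, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(f"repeated sudo failures: {user} ({n} attempts)")
    return findings


if __name__ == "__main__":
    for finding in analyze_auth_log(SAMPLE_AUTH_LOG):
        print(finding)
```

On the sample this produces six findings: alice's `sudo -l` (reported both as enumeration and as unexpected sudo), her `sudo /bin/bash`, her su attempt, the root session it opened, and bob's six accumulated failures. Counting failures per user across lines rather than per line is what turns a noisy "incorrect password" message into a repeated-failure signal.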
Setuid/Setgid Abuse
Attackers exploit binaries with improper permissions.
Cron-based escalation
Malicious cron entries show up in:
/etc/cron* files
Techniques Attackers Use for Privilege Escalation
1. Misconfigured Privileges
- Users in local admin groups
- Weak ACL permissions
2. Token Impersonation
- PrintSpoofer
- RottenPotato
3. Vulnerable Services
- Unquoted service paths
- Writable service binaries
4. Exploits
Kernel/privilege exploits:
- CVE-2021-34527 (PrintNightmare)
- CVE-2016-0099 (Token impersonation)
5. Credential Dumping
Leads to authenticated privilege escalation.
SIEM Detection Examples
1. Detect Admin Privileges Assigned
EventID=4672 AND AccountName NOT IN ("admins","service_accounts")
2. Detect User Added to Admin Group
EventID IN (4728,4732)
3. Detect Suspicious sudo Usage (Linux)
sudo AND (user != 'admin' AND user != 'root')
4. Detect PsExec Lateral Movement
process_name:psexec.exe OR service_name:psexecsvc
5. Detect PrintSpoofer/Token Impersonation
Look for:
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege
EDR Detection Patterns
1. Unexpected Process Trees
WINWORD.exe → powershell.exe → whoami.exe
Or:
chrome.exe → cmd.exe → net.exe localgroup administrators
2. High Integrity Levels
EDR flags when a user process elevates without justification.
3. Credential Access → Escalation
If LSASS is accessed:
credential dumping → privilege escalation → lateral movement
4. Ransomware Pre-Execution Behavior
Ransomware operators escalate before encryption.
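The process-tree patterns under "Unexpected Process Trees" and the Sysmon Event ID 1 command lines listed earlier can be checked together once the parent-child chain is reconstructed from process-creation records. The code below is an added example, not part of the original chapter: it walks constructed Sysmon-style records (process GUID plus parent GUID), flags a user application such as WINWORD or chrome spawning a shell, matches the command-line patterns the chapter names, and raises severity when a recon command sits under such a chain. The application and shell name sets and the sample records are assumptions.

```python
"""Reconstruct process trees from Sysmon-style Event ID 1 records and flag suspicious chains.

Added example: the process records and name sets are constructed for illustration.
"""
import re

# Constructed sets: user-facing applications that should rarely spawn a shell, and the shells themselves
USER_APP_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe", "acrord32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line patterns named in the chapter's Sysmon list (case-insensitive)
SUSPICIOUS_CMDLINES = [
    (re.compile(r"powershell(\.exe)?\s.*-e(c|nc|ncodedcommand)?\b", re.I), "encoded PowerShell"),
    (re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I), "privilege enumeration"),
    (re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b", re.I), "local admin group enumeration"),
    (re.compile(r"\brunas(\.exe)?\s+/user:administrator\b", re.I), "runas as Administrator"),
    (re.compile(r"\bpsexec", re.I), "PsExec"),
    (re.compile(r"\bwmic(\.exe)?\s+process\s+call\s+create\b", re.I), "WMIC process creation"),
]

# Constructed Sysmon-style process creation records (guid / parent guid link the tree)
SAMPLE_PROCESSES = [
    {"guid": "p1", "parent": None, "image": "explorer.exe", "cmdline": "explorer.exe", "user": "CORP\\user123"},
    {"guid": "p2", "parent": "p1", "image": "WINWORD.EXE", "cmdline": '"WINWORD.EXE" invoice.docm', "user": "CORP\\user123"},
    {"guid": "p3", "parent": "p2", "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "user": "CORP\\user123"},
    {"guid": "p4", "parent": "p3", "image": "whoami.exe", "cmdline": "whoami /priv", "user": "CORP\\user123"},
    {"guid": "p5", "parent": "p1", "image": "cmd.exe", "cmdline": "cmd.exe /c dir", "user": "CORP\\user123"},
    {"guid": "p6", "parent": "p1", "image": "chrome.exe", "cmdline": "chrome.exe", "user": "CORP\\alice"},
    {"guid": "p7", "parent": "p6", "image": "cmd.exe", "cmdline": "cmd.exe", "user": "CORP\\alice"},
    {"guid": "p8", "parent": "p7", "image": "net.exe", "cmdline": "net localgroup administrators", "user": "CORP\\alice"},
]


def ancestry(by_guid, guid):
    """Image names from the root ancestor down to the given process (cycle-safe)."""
    chain, seen = [], set()
    cur = by_guid.get(guid)
    while cur is not None and cur["guid"] not in seen:
        seen.add(cur["guid"])
        chain.append(cur["image"].lower())
        cur = by_guid.get(cur["parent"]) if cur["parent"] else None
    return chain[::-1]


def app_to_shell_pair(chain):
    """Return (parent, child) for the first user-app -> shell hop in the chain, else None."""
    for parent, child in zip(chain, chain[1:]):
        if parent in USER_APP_PARENTS and child in SHELLS:
            return parent, child
    return None


def check_cmdline(cmdline):
    """Return the label of the first suspicious command-line pattern that matches, else None."""
    for pattern, label in SUSPICIOUS_CMDLINES:
        if pattern.search(cmdline):
            return label
    return None


def analyze(events):
    """Return one finding per suspicious process: user, full chain, reasons and severity."""
    by_guid = {e["guid"]: e for e in events}
    findings = []
    for ev in events:
        chain = ancestry(by_guid, ev["guid"])
        reasons = []
        # This process is itself a shell launched directly by a user application
        if len(chain) >= 2 and chain[-2] in USER_APP_PARENTS and chain[-1] in SHELLS:
            reasons.append(f"{chain[-2]} spawned {chain[-1]}")
        label = check_cmdline(ev["cmdline"])
        if label:
            reasons.append(label)
        if not reasons:
            continue
        # A recon/escalation command anywhere under a user-app -> shell hop is the chapter's high-risk tree
        severity = "high" if label and app_to_shell_pair(chain) else "medium"
        findings.append({"user": ev["user"], "chain": " -> ".join(chain),
                         "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESSES):
        print(f["severity"].upper(), f["user"], f["chain"], "|", "; ".join(f["reasons"]))
```

The sample yields four findings: the encoded PowerShell under WINWORD (high), `whoami /priv` beneath it (high), chrome spawning cmd.exe (medium, no suspicious command yet) and `net localgroup administrators` under that chain (high). The plain `cmd.exe /c dir` under explorer.exe is not reported, which is why the tree, not just the image name, is what the rule keys on.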
Full SOC Use Case Workflow
Step 1 — Alert Trigger
SIEM fires on EventID 4672 or suspicious sudo use.
Step 2 — Check Logs
- User identity
- Source host
- Privilege level
- Login type
- Time of activity
Step 3 — EDR Investigation
Look at:
- Parent-child process chain
- Command-line arguments
- Fileless scripts
- Memory injections
Step 4 — Hunt for Related Indicators
- LSASS access
- C2 connections
- New persistence
- SMB lateral movement
Step 5 — Validate if Legitimate
Check with IT/HR whether the user had a legitimate reason for the activity.
Step 6 — Escalate or Contain
If malicious:
- Isolate host
- Block user account
- Reset credentials
- Begin IR
Intel Dump
- Privilege escalation is attackers gaining admin or root access.
- Indicators include EventID 4672, 4728/4732, explicit logon attempts, sudo abuse, token impersonation, and suspicious process trees.
- Windows and Linux logs, EDR telemetry, and SIEM rules work together for detection.
- Tools such as Mimikatz, PrintSpoofer, PsExec, and PowerUp leave clear behavior traces.
- SOC workflow includes log correlation, EDR analysis, threat hunting, validation, and containment.