
Privilege Escalation Tricks Attackers Use Every Day

Initial access rarely lands an attacker exactly where they want to be. They start as a low-privilege user, on a regular workstation, with a single foothold. The interesting work begins when they start climbing. Privilege escalation is the bread and butter of post-exploitation, and the techniques have changed remarkably little even as defensive tooling has grown more sophisticated. Knowing what attackers reach for first lets you close those doors before they get tested.

Local Privilege Escalation on Windows

Once an attacker has a shell on a Windows host, they begin enumerating. They look for unquoted service paths, services running as SYSTEM with weak permissions on their executables, scheduled tasks pointing to writable directories, and credentials sitting in registry keys, scripts, or memory. Tools such as PrivescCheck or WinPEAS automate the search and routinely find one or more paths to local admin. Internal network penetration testing that includes a workstation review will surface the same findings, except the resulting report goes to your IT team rather than to a criminal.

Linux Misconfigurations Mirror Their Windows Cousins

Linux servers fall to the same family of issues. SUID binaries whose parent directories an attacker can write to, sudo rules that quietly allow command injection, cron jobs running as root that load files from world-writable directories, and exposed Docker sockets all appear regularly. Public exploit collections such as GTFOBins document the patterns extensively. Engineers building servers from base images often skip the hardening guides that would catch these issues, so the resulting boxes carry known weaknesses from day one.
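A defender-side audit for two of the Linux patterns just described, added here as an illustration and not taken from the article or from any tool it names. It assumes POSIX sh with find and awk, and takes the filesystem root and crontab text as parameters so it can be pointed at a test tree rather than only at the live host:

```shell
#!/bin/sh
# Added example (not from the article): find SUID binaries sitting in
# world-writable directories, and root cron jobs whose script (or the
# directory holding it) is world-writable. Both are read-only checks.

# Print every SUID file under $1 whose parent directory has the
# world-write bit. Such a directory lets any local user replace or
# shadow the binary, which is the misconfiguration the article describes.
suid_in_writable_dir() {
    root=$1
    find "$root" -type f -perm -u=s 2>/dev/null | while IFS= read -r f; do
        d=$(dirname "$f")
        # -prune stops find descending; it just tests the directory itself
        if find "$d" -prune -perm -o=w -print 2>/dev/null | grep -q .; then
            printf '%s\n' "$f"
        fi
    done
}

# Read system-crontab text on stdin (e.g. cat /etc/crontab /etc/cron.d/*),
# keep only jobs that run as root, and print each absolute path in the
# command that is world-writable or lives in a world-writable directory.
cron_writable_targets() {
    # Drop comment lines; awk skips env assignments because the user field
    # is then empty. "@daily root ..." puts the user in field 2, timed
    # entries ("0 2 * * * root ...") put it in field 6.
    grep -v '^[[:space:]]*#' | awk '{
        u = ($1 ~ /^@/) ? 2 : 6
        if ($u != "root") next
        for (i = u + 1; i <= NF; i++) if ($i ~ /^\//) print $i
    }' | while IFS= read -r p; do
        [ -e "$p" ] || continue
        d=$(dirname "$p")
        # Flag the path if either the file or its directory is world-writable
        if find "$p" "$d" -prune -perm -o=w -print 2>/dev/null | grep -q .; then
            printf '%s\n' "$p"
        fi
    done
}

# Live-host usage (uncomment to run against the real system):
# suid_in_writable_dir /
# cat /etc/crontab /etc/cron.d/* 2>/dev/null | cron_writable_targets
```

Findings are printed one path per line; an empty result means neither pattern was present under the tree or crontab you supplied.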

Expert Commentary

Name: William Fieldhouse

Title: Director of Aardwolf Security Ltd

Comments: The privilege escalation paths I find most often involve cached credentials. Someone logged into a workstation with a privileged account at some point, the credentials sat in memory or on disk, and now anyone who compromises that workstation inherits them. The fix is well known, the tools to enforce it exist, and yet the pattern repeats.

Domain Privilege Escalation Is Where the Real Damage Happens


Local admin on a single machine is just the start. From there, an attacker pivots to harvest credentials from other users who have logged into that machine, pivots to other machines using those credentials, and eventually finds someone with elevated rights in Active Directory. Tools such as BloodHound visualise these paths and make the attack route alarmingly obvious once an attacker has a single foothold. Defenders can use the same tools to find the same paths first, which changes the conversation considerably.

Cloud Privilege Escalation Has Joined the Party

In cloud environments, privilege escalation often happens through identity rather than software flaws. A user with permission to assume another role, attach policies, or modify a service principal quickly turns limited access into broad access. The principle of least privilege is widely recommended and rarely implemented. Auditing every elevated path in your IAM configuration is tedious but rewarding work.

Closing the Doors

Disable LLMNR and NetBIOS, enforce SMB signing, harden local admin passwords with LAPS, restrict who can log into which tier of host, and audit your privileged group memberships frequently. None of this is novel advice, yet very few networks implement all of it consistently. Whichever penetration testing company you engage should demonstrate the actual paths an attacker would take in your environment, not just hand you a generic set of recommendations.