One of the most dangerous phases of a cyberattack is privilege escalation, which involves a bad actor getting access to network resources via compromised user accounts and then elevating the privilege level of those compromised accounts in the network so the attackers can more easily access and control important infrastructure resources.

Privilege escalation is often a key part of many Active Directory attack methods, and understanding how attackers use privilege escalation to support other cyberattack methods is important. Let’s start by discussing the two flavors of privilege escalation: horizontal privilege escalation and vertical privilege escalation.
Types of Privilege Escalation
- Horizontal Privilege Escalation: Once a bad actor has initial access to a user account within a compromised system, they can then engage in horizontal privilege escalation, which involves moving between user accounts with the same or similar privilege levels. This can be used to gain access laterally across the organization, but without necessarily using elevated privilege levels.
- Vertical Privilege Escalation: While horizontal privilege escalation can be dangerous, it becomes even more so when combined with vertical privilege escalation, which involves promoting a compromised account to higher levels of access, such as promoting a standard user role account to one that has administrative privileges in Active Directory. The newly privileged account then gives the attacker much greater control over the network and can provide elevated access to sensitive information.
Common Privilege Escalation Scenarios
Privilege escalation attacks may happen because an attacker exploits software vulnerabilities, system misconfigurations, or other resource-related defects or errors. That said, research seems to show that human error and social engineering attack methods are the overwhelming causes of most cyberattacks, with an IBM study indicating that 95% of cyber breaches were caused by human error, while a recent report from researchers at Stanford found that human mistakes cause 88% of data breaches. Needless to say, educating employees about cybersecurity best practices is a must for any organization, and we’ll cover that topic in more detail towards the end of this article.
The Risk and Impact of a Privilege Escalation Attack
As with all cyberattacks, the risk and impact of privilege escalation attacks can be wide-reaching and severe, including data loss and corruption, leaked data from customer accounts, and reputational and business loss.
Privilege escalation attacks are widespread and still actively being used, with Symantec recently reporting (in April 2025) that attackers affiliated with the Play ransomware operation used “…a zero-day privilege escalation exploit during an attempted attack against an organization in the U.S. The attack occurred prior to the disclosure and patching of a Windows elevation of privilege zero-day vulnerability (CVE-2025-29824) in the Common Log File System Driver (clfs.sys)…[the] attackers elevated privileges by exploiting a vulnerability in the Common Log File System (CLFS) kernel driver.”
Identifying Vulnerabilities That Lead to Privilege Escalation
System vulnerabilities that give attackers the ability to use privilege escalation attacks are common, and most can be addressed by having detailed and updated privileged access management policies and keeping users educated and trained about common cyberattack methods. Here are some of the most common vulnerabilities that attackers rely on for their attacks, followed by a list of some tools and privilege escalation techniques that attackers commonly use in these attacks.
Common Vulnerabilities
- Weak Passwords and Credentials: One of the most common system vulnerabilities is system users relying on weak or widely reused passwords, which can easily be exploited by attackers in a privilege escalation attempt.
- Unpatched Software and Systems: Many attacks exploit outdated and poorly supported systems and software, which then leave gaps and unpatched vulnerabilities that can be exploited.
- Misconfigured or Weak Access Controls: While it’s important to keep the software in your IT infrastructure properly updated, it’s just as important to make sure that your infrastructure is configured properly to defend against attacks, as system and network misconfigurations are often leveraged by attackers to gain system access. Implementing Active Directory tiering makes privilege escalation substantially more difficult.
Tools and Privilege Escalation Techniques Attackers Use
- Rootkits and Trojans: Some of the more insidious methods attackers use to gain access to user accounts involve malware, which is often installed via phishing emails and other methods. The malware often provides a command and control infrastructure that the attacker can leverage to steal credentials and move laterally and/or escalate privileges.
- Kernel and Application Exploits: Kernel exploits involve attacking IT infrastructure via flaws in foundational software and technologies, while application exploits are designed to use the unpatched vulnerabilities in other software in a system to gain access.
- Attack Techniques: In addition to some of the privilege escalation attack methods described above—which rely on flaws or bugs in elements of the infrastructure stack, or leverage kernel and application exploits—attackers also rely on social engineering to fool and mislead users into unknowingly giving up sensitive user and account information, with phishing attempts being a leading social engineering-powered attack vector.
- Specialized Tools: Attackers that establish a foothold often rely on tools like Mimikatz to access credentials and reuse them to move across the network.
Preventing Privilege Escalation
Now that we’ve covered some of the ways that attackers can get access to infrastructure to carry out privilege escalation attacks, let’s discuss some of the security measures that can help increase the odds that your organization won’t be a victim of privilege escalation attacks.
- Identity and Access Management (IAM): Strong IAM policies are a must for any organization, as multi-factor authentication (MFA) and regular access control reviews can help make unauthorized access more difficult and spot gaps in your processes, respectively.
- Regular Updates and Patches: Keeping your systems and software up to date with the most current versions goes a long way to mitigate risk, as most IT vendors routinely update and patch their offerings to minimize security risks. Microsoft provides a number of services to help with regular updates and patches, including Windows Update for Business and their regular ‘Patch Tuesday’ updates, which are usually on the second Tuesday of each month.
- Security Audits and Assessments: Planning and scheduling regular security audits to identify and rectify vulnerabilities is a vital part of every security strategy. There are several good resources available online to help you create your own security audits, including security checks for Active Directory. In addition, creating and conducting red team exercises—where a security team simulates a cyberattack to test targeted systems—can be useful to assess how successful security policies are.
- Least Privilege Access Controls: Implementing the principle of least privilege—which limits individual user account access to the absolute minimum resources that specific users should be allowed to access—can be a powerful tool to prevent privilege escalation attacks. Ravenswood Technology Group founder Brian Desmond discusses this approach in a presentation on Securing Privileged Access On-Premises and in the Cloud, which covers techniques like “…tiered security models, just-in-time administration, privileged access workstations (PAWs), and administrative forests.”
- Use a Tiered Access Model: Another method to manage privilege escalation is to use a tiered access model. Desmond discussed that model in more detail in a blog post on the topic, but the essence of this approach is that it introduces a number of controls that reduce the risk of privileged credentials becoming exposed to lower assurance systems.
- Implement Privileged Access Workstations: Preventing attackers from coming into contact with privileged credentials makes their job much harder. PAWs isolate privileged credentials to highly controlled devices that should ideally not be able to access the Internet or run malware.
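The access control reviews, least privilege, and tiering items above can be turned into a routine check. The following PowerShell is an added example, not code from the original article or from Ravenswood; it assumes the RSAT ActiveDirectory module on a management host and a hypothetical Tier-0 admin OU path, and it reports every user holding membership in the core privileged groups together with the conditions a reviewer would want to act on.

```powershell
# Added example (not from the original article): periodic access review of
# Active Directory privileged groups. Assumes the RSAT ActiveDirectory module
# and that Tier-0 admin accounts live under a dedicated OU (hypothetical path
# below); any privileged member outside that OU is a tiering violation.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$Tier0AdminOU     = 'OU=Tier0 Admins,OU=Admin,DC=example,DC=com'   # hypothetical
$StaleDays        = 90                                             # review threshold

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect members are reviewed too
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.distinguishedName `
                -Properties Enabled, LastLogonDate, PasswordNeverExpires

            $issues = @()
            if ($user.DistinguishedName -notlike "*,$Tier0AdminOU") {
                $issues += 'OutsideTier0OU'          # not isolated per the tiering model
            }
            if ($user.PasswordNeverExpires) {
                $issues += 'PasswordNeverExpires'
            }
            if (-not $user.LastLogonDate -or
                $user.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
                $issues += 'StaleOrNeverUsed'         # standing privilege nobody is using
            }
            if (-not $user.Enabled) {
                $issues += 'DisabledButStillMember'   # remove membership, not just disable
            }

            [pscustomobject]@{
                Group          = $group
                SamAccountName = $user.SamAccountName
                LastLogonDate  = $user.LastLogonDate
                Issues         = ($issues -join ', ')
            }
        }
}

# Entries with issues sort first so the reviewer sees what needs action
$findings | Sort-Object { $_.Issues -eq '' }, Group, SamAccountName | Format-Table -AutoSize

# Keep a dated copy so successive reviews can be compared for unexpected additions
$findings | Export-Csv -NoTypeInformation -Path ("PrivilegedAccessReview-{0:yyyyMMdd}.csv" -f (Get-Date))
```

Comparing each run's CSV against the previous one also surfaces privileged group additions that no change ticket explains, which is the vertical escalation pattern described earlier.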
The Importance of Employee Training
As I mentioned earlier in this post, the most common way that most cyberattacks achieve success is by taking advantage of human error. Creating, updating, and regularly communicating security best practices to all employees and managers of an organization is a must, as attackers might need only one successful email-based phishing attempt to successfully gain access to an otherwise well-defended IT infrastructure.
In addition to having current and regularly updated security best practices procedures, it’s also vitally important to have ongoing cybersecurity training programs that educate employees about the latest cyberattack methods and how they can effectively help the organization defend against them. If you don’t have a training or phishing awareness program, you can use the Attack Simulation Training capabilities included with Defender for Office 365.
Mitigating Privilege Escalation Attacks
As with any cyberattack, the most important part of your mitigation approach is having a well-defined, tested incident response plan. Attempting to build your plan on the fly during an incident is a recipe for disaster. Understanding the scope and impact of the breach is one of the first steps you must take. With respect to privilege escalation, you need to quickly develop an understanding of what level of access the attacker has achieved and where they are operating.
Once you understand the scope of the breach, you can begin regaining control and removing the adversary from the environment. Depending on the level of access achieved, this task may be complicated and having a true understanding of whether you have completely evicted the adversary may be impossible.
As you work through evicting the adversary, you must also undertake short-term hardening activities to make sure they cannot re-establish a foothold. This step could involve tasks as drastic as resetting every password in your organization or making the decision to recover critical systems like Active Directory from a backup.
Following the initial recovery, you will also need to identify larger tasks and projects necessary to prevent a future successful attack. This could involve more extensive hardening tasks, re-designs or upgrades to critical systems, and process improvements.
Wrap-Up
Privilege escalation is an important part of an attacker’s playbook. Once attackers gain a foothold, they continuously work to gain additional access until they can achieve control of their target. The outcomes can be disastrous. You should be continuously working to protect critical systems so that an adversary cannot engage in a successful attack.