
Privilege Escalation

When an attacker first gains their initial foothold on a network, they will most likely find themselves executing code as a low-privileged user, perhaps an account used for general office work that has been phished with a malicious document or similar. To inflict maximum damage, find and exfiltrate lots of data and encrypt the majority of systems, the attackers will need higher privileges, unless they have been lucky and landed an administrator account from the get-go.

Privilege escalation happens in two places: firstly on the endpoint, for example gaining root or administrative access on a single machine, and secondly at the network permission level, moving from a normal user to workstation admin, to server admin and then to domain admin. The latter will be covered further in the next section on lateral movement.