The Mitre Att&ck Matrix has defined 13 techniques for Privilege Escalation.
Abuse Elevation Control Mechanism is when a threat actor utilizes a flaw in a mechanic used to elevate privileges to grant privileges. Exploiting sudo would be an example.
Access Token Manipulation is when a threat actor modifies an access token to become a different user. In a Windows environment, an access token of an application running as system, could be obtained to launch a backdoor with system privileges.
Boot or Logon Autostart execution is when a system runs commands from a location at boot time with a specific set of privileges that could be exploited by having a back door launch from such a location leading to privilege escalation.
Boot or Logon Initialization scripts are when a threat actor identifies that a script will run with elevated privileges at boot or login then the threat actor modifies such a script to launch a back door for elevated privileges.
Create or Modify System Process is when a threat actor can set up a system service to get a back door to work. These run at a higher level of privileges and thus is for privilege escalation and persistence.
Domain Policy Modification is when a threat actor gains access to a domain controller and can modify policies to allow a rogue domain controller to be in the system that grants privileges to users that would otherwise not have. Additionally, scheduled tasks, could be pushed to maintain privileges domain-wide.
Escape to Host is when a threat actor manages to break out of a container to gain access to the host system maintaining the elevated permissions of the container.
Event Triggered Execution is when a threat actor identifies a system that launches a process whenever a specific event occurs and has it launch a backdoor instead. This method can escalate privileges as well as serve as persistence.
Exploitation for privilege escalation is when a threat actor successfully exploits a service running with elevated privileges to obtain the permissions of the affected service.
Hijack Execution Flow is when a threat actor utilizes a flaw in how processes to launch to trick the Operating System into launching a back door application instead. Not wrapping a path in Quotes when folders contain a space makes you vulnerable. One example is the path, C:\Windows Vulnerability\legit.exe instead of “C:\Windows Vulnerability\legit.exe”, which would allow C:\Windows\exploit.exe to run instead. As you may have noticed, this can be for privilege escalation and persistence, as you may have guessed from a previous post.
Process Injection is when a threat actor uses a buffer overflow against a program running with elevated privileges to obtain privileges.
Scheduled Task/Job is when a threat actor modifies a scheduled task to obtain privileges. Switching, the binary used for a scheduled task with a back door, is one example.
Valid Accounts are when a threat actor uses credentials to log on as the account. Account credentials have gotten compromised. The threat actor found the admin password is one example.