From a foothold to admin via misconfiguration — and the audit rules that catch each step.
Module overview
Initial access rarely lands you as root or SYSTEM. Privilege escalation is the systematic search for a misconfiguration that bridges that gap: a writable service, an over-permissive sudo rule, a dangerous SUID binary, a capability, or a token. This module teaches enumeration-first methodology on intentionally vulnerable lab VMs, then — crucially — the audit and hardening that turns each technique into a detection. You only run these tools on machines you own.
Lesson 1
Linux: SUID, sudo, Capabilities & GTFOBins
Deep explanation
Linux escalation is mostly enumeration. Automated helpers (LinPEAS) collect signals, but you must read them: SUID binaries that shell out, sudo rules that allow a program with an escape, Linux capabilities like cap_setuid on an unexpected binary, writable cron jobs, and PATH abuses. GTFOBins catalogs how otherwise-normal binaries become escalation primitives when SUID/sudo-allowed.
Defenders flip this: minimize SUID, write precise sudoers, drop capabilities, and instrument with the kernel audit framework (auditd) and runtime monitoring (Falco) so the abuse generates an event.
Examples
find / -perm -4000 reveals an unusual SUID like /usr/bin/find — GTFOBins shows find can spawn a shell, yielding root.
sudo -l shows (ALL) NOPASSWD: /usr/bin/vim — vim has a shell escape, so this is effectively root.
Commands & tools
# Enumeration (run only on lab VMs you own)
id; sudo -l
find / -perm -4000 -type f 2>/dev/null # SUID binaries
getcap -r / 2>/dev/null # capabilities
crontab -l; ls -la /etc/cron.*
# or use a collector: ./linpeas.sh | tee linpeas.txt
# Defensive: log every execve that ends with euid 0 but was started from a real login
# session (auid >= 1000). This catches SUID binaries and sudo alike, so expect hits from
# legitimate sudo use; auid!=4294967295 excludes daemons whose login uid is unset, which
# the unsigned auid>=1000 comparison would otherwise match and flood the log.
auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k privesc
# Hardening
chmod u-s /path/to/unneeded-suid # strip SUID
# sudoers: grant exact commands, never editors/interpreters with shell escapes
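As an added example (not part of the module's lab material), the following Python script applies the two defensive checks above offline. It runs the auditd rule's predicate over a few constructed SYSCALL records, showing that the rule also reports legitimate sudo and that a daemon with an unset login uid (4294967295) is tagged by a rule lacking the auid!=4294967295 filter, and it scans a constructed sudoers excerpt for entries that grant ALL, a wildcard, or a program with a shell escape. The log lines, the sudoers entries and the SHELL_ESCAPE_PROGRAMS list are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Constructed auditd SYSCALL records (not real captures) in the shape the rule
# "-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -k privesc" produces.
# Record 3 comes from a daemon (auid unset = 4294967295): auid>=1000 is true for it as
# an unsigned compare, so a rule without auid!=4294967295 tags it too.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=1000 tty=pts0 ses=3 comm="find" exe="/usr/bin/find" key="privesc"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2003 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="privesc"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="privesc"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2005 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
"""

# Constructed /etc/sudoers excerpt for the policy check.
SAMPLE_SUDOERS = """\
# lab sudoers (constructed)
Defaults    env_reset
alice   ALL=(ALL) NOPASSWD: /usr/bin/vim
bob     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
carol   ALL=(ALL:ALL) ALL
%ops    ALL=(root) /usr/bin/apt update, /usr/bin/less /var/log/syslog
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
UNSET_AUID = 4294967295          # kernel value for "no login uid" (daemons, boot-time)
EXECVE_X86_64 = "59"             # syscall number behind -S execve on arch=b64

# Programs a sudo rule must never grant: each can hand the caller a root shell
# (editors, pagers, interpreters, find). Assumed list for this example; GTFOBins is the
# authoritative catalogue.
SHELL_ESCAPE_PROGRAMS = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                         "python", "python3", "perl", "bash", "sh"}
SUDOERS_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(\([^)]*\))?\s*(.*)$")


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one raw auditd record into a field dict, unquoting string values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_privesc_candidate(rec: Dict[str, str], min_auid: int = 1000) -> bool:
    """The rule's predicate plus the unset-auid exclusion: an execve that ended with
    euid 0 but was started from a real login session (auid set and non-system)."""
    if rec.get("type") != "SYSCALL" or rec.get("syscall") != EXECVE_X86_64:
        return False
    auid = int(rec.get("auid", UNSET_AUID))
    return rec.get("euid") == "0" and auid != UNSET_AUID and auid >= min_auid


def flag_privesc(log_text: str) -> List[str]:
    """Return 'exe (auid=N)' for each record worth triage. sudo itself shows up:
    correlate it with sudo's own log or allowlist the binary explicitly."""
    return [f'{rec["exe"]} (auid={rec["auid"]})'
            for rec in map(parse_audit_record, log_text.splitlines())
            if is_privesc_candidate(rec)]


def risky_sudoers(sudoers_text: str) -> List[str]:
    """Flag sudoers entries that grant ALL, a wildcard, or a program with a shell escape."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        user, _runas, cmdspec = m.groups()
        cmdspec = re.sub(r"\b[A-Z]+:", "", cmdspec)          # drop tags like NOPASSWD:
        for cmd in (c.strip() for c in cmdspec.split(",") if c.strip()):
            prog = cmd.split()[0]
            if prog == "ALL":
                findings.append(f"{user}: ALL (unrestricted root)")
            elif prog.rsplit("/", 1)[-1] in SHELL_ESCAPE_PROGRAMS or "*" in cmd:
                findings.append(f"{user}: {cmd} (shell escape or wildcard)")
    return findings


if __name__ == "__main__":
    for hit in flag_privesc(SAMPLE_AUDIT_LOG):
        print("audit:", hit)
    for finding in risky_sudoers(SAMPLE_SUDOERS):
        print("sudoers:", finding)
```

On a real box the same predicate would be applied to the output of ausearch -k privesc; the sudoers check is a policy lint to run before a sudoers change is shipped, complementing the file-integrity monitoring the lesson recommends.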
Hands-on lab
Boot a provided vulnerable Linux VM (e.g., a Vulnhub-style box) in the isolated range.
Enumerate: run id, sudo -l, find / -perm -4000, getcap -r /. Record candidate paths.
Cross-reference one finding with GTFOBins and escalate to root within the lab.
Now defend: enable the auditd rule above, repeat the escalation, and confirm the execve event is captured.
Harden the box so the path no longer works (strip SUID or fix sudoers) and re-test.
Expected output: Enumeration lists at least one abusable SUID/sudo/capability; exploitation yields a root shell in the lab; after the auditd rule, the same action produces a privesc-tagged audit event; after hardening, escalation fails.
What to observe: Escalation is a misconfiguration hunt. Every technique that works for an attacker is also an auditable kernel event for a defender.
How attackers exploit · how defenders respond
Exploit: Enumerate quickly, match findings to known escape primitives (GTFOBins), escalate to root, then persist.
Detect & respond: auditd execve with euid=0 from a non-system auid; Falco rules for shells spawned by SUID binaries or by service accounts; file-integrity monitoring on /etc/sudoers and cron dirs.
Red team: LinPEAS triage -> pick the cleanest primitive -> root -> establish persistence.
Blue team: Minimize SUID/sudo/caps, FIM on sudoers/cron, auditd+Falco detections shipped to the SIEM.
Real-world scenario
Many CTF and real engagements end on a single overly-broad sudo entry; a precise sudoers policy plus an auditd execve rule both prevents and detects it.
Lesson 2
Windows: Service Misconfig, Tokens & Detection
Deep explanation
Windows escalation centers on services and tokens. Common primitives: unquoted service paths with a writable directory, weak service binary/registry permissions, always-install-elevated policy, and token-impersonation abuse from a service account holding SeImpersonatePrivilege. The methodology mirrors Linux — enumerate, identify a writable/abusable object, leverage it.
Defensively, Windows is rich in telemetry. Sysmon (Event ID 1 process creation, 7 image load, 17/18 named pipe created/connected) plus the Security log expose the abuse. LAPS rotates local admin passwords, least-privilege service accounts shrink the blast radius, and gMSA removes static secrets.
Examples
An unquoted path like C:\Program Files\My App\svc.exe makes Windows try C:\Program.exe first, so anyone who can write to C:\ can plant a binary there that the service starts as SYSTEM.
A service whose binary or registry key is writable by Users can be repointed to attacker-controlled content.
Commands & tools
# Enumeration on a lab Windows VM you own (PowerShell / standard tools)
whoami /priv
Get-CimInstance Win32_Service | ? { $_.PathName -notmatch '^\"' -and $_.PathName -match ' ' } # unquoted
accesschk.exe -uwcqv "Users" * # weak service perms (Sysinternals)
# collectors: winPEAS.exe / PowerUp Invoke-AllChecks (lab only)
# Defensive detections (Sysmon + Security log)
# Sysmon Event ID 1: process creation under an unusual parent (services.exe spawning cmd.exe)
# System 7045 / Security 4697: a new service was installed (4697 requires 'Audit Security System Extension' to be enabled)
# Hardening
Set quoted service ImagePath; remove write on service dir/registry; deploy LAPS; use gMSA
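As an added example (Python rather than PowerShell so it runs offline against stored telemetry; not part of the module's material), the following script applies the two detections listed above to a constructed batch of Sysmon Event ID 1 and System 7045 events: a service host spawning an interpreter, and a newly installed service whose ImagePath is unquoted or lives under a user-writable directory. It also produces the quoted ImagePath the hardening line asks for. The event fields, service names, and the INTERPRETERS and USER_WRITABLE_ROOTS lists are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Constructed events (not real telemetry), reduced to the fields the rules need.
# EventID 1 = Sysmon process creation; EventID 7045 = System log, new service installed.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "LAB\\alice"},
    {"EventID": 7045, "ServiceName": "UpdaterSvc", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Program Files\My App\svc.exe"},
    {"EventID": 7045, "ServiceName": "Helper", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Users\Public\helper.exe"},
    {"EventID": 7045, "ServiceName": "Spooler2", "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Program Files\Vendor\spool.exe" -k'},
]

# Assumed lists for this example: interpreters a service host should not spawn, and
# directory roots that standard users can commonly write to.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SERVICE_HOSTS = {"services.exe"}
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\windows\\temp\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_unquoted_with_space(image_path: str) -> bool:
    """Same test as the PowerShell filter above: no leading quote and a space somewhere."""
    p = image_path.strip()
    return not p.startswith('"') and " " in p


def hijack_candidates(image_path: str) -> List[str]:
    """For an unquoted path with spaces, the executables the Service Control Manager
    tries before the real one. Each parent directory must deny write to standard users."""
    parts = image_path.strip().split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quote_image_path(image_path: str) -> str:
    """Hardening fix: wrap the executable in quotes. Assumes the binary name ends in .exe
    and anything after it is arguments; already-quoted paths are returned unchanged."""
    p = image_path.strip()
    m = re.match(r"(?i)^(.*?\.exe)(.*)$", p)
    if p.startswith('"') or not m:
        return p
    exe, args = m.groups()
    return f'"{exe}"{args}'


def evaluate(events: List[Dict]) -> List[str]:
    """Apply both detections to a batch of events and return human-readable alerts."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            if parent in SERVICE_HOSTS and child in INTERPRETERS:
                alerts.append(f"EID1: {parent} spawned {child} as {ev['User']}")
        elif ev["EventID"] == 7045:
            path = ev["ImagePath"]
            if is_unquoted_with_space(path):
                alerts.append(f"7045: {ev['ServiceName']} has unquoted ImagePath; verify ACLs on "
                              f"{hijack_candidates(path)}; fix: {quote_image_path(path)}")
            if path.strip('"').lower().startswith(USER_WRITABLE_ROOTS):
                alerts.append(f"7045: {ev['ServiceName']} runs {path} from a user-writable "
                              f"location as {ev['AccountName']}")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The parent/child rule is deliberately narrow (services.exe only); in a SIEM it would be widened to other service hosts and tuned against a baseline of parents that legitimately launch scripts.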
Diagram
foothold(user) --enumerate--> findings:
[ unquoted path + writable dir ] --> plant binary --> SYSTEM
[ weak service ACL ] --> repoint binary --> SYSTEM
[ SeImpersonate ] --> token abuse --> SYSTEM
detection: Sysmon 1 (odd parent), 4697/7045 (service change) -> SIEM
Hands-on lab
On a provided vulnerable Windows lab VM, run whoami /priv and enumerate services for unquoted paths and weak ACLs with accesschk.
Demonstrate one escalation path within the lab (e.g., the writable-service-directory scenario).
Enable Sysmon with a known-good config; repeat and locate the process-creation and service-change events.
Harden: quote the ImagePath / fix the ACL / apply least privilege; confirm the path is closed.
Expected output: Enumeration surfaces an unquoted-path or weak-ACL service; the lab escalation yields SYSTEM; Sysmon records the abnormal process creation and the service modification; hardening closes the path.
What to observe: Windows privesc is highly detectable with Sysmon + the Security log. Prevention (ACLs, quoting, LAPS, gMSA) and detection are complementary.
How attackers exploit · how defenders respond
Exploit: Enumerate service/token misconfigurations, leverage a writable object or impersonation primitive to reach SYSTEM, then persist via services or scheduled tasks.
Detect & respond: Sysmon EID 1 with anomalous parent/child (services spawning shells), System 7045/Security 4697 for service installs/changes, 4672/4673 for sensitive privilege use; alert on accesschk/winPEAS-like enumeration bursts.
Red team: PowerUp/winPEAS triage -> abuse weakest service/token -> SYSTEM -> persistence.
Blue team: LAPS + gMSA + least-privilege services + quoted paths + strict ACLs, with Sysmon-based detections in the SIEM.
Real-world scenario
Unquoted service paths remain a perennial finding in AD environments; a single Sysmon rule for services spawning interpreters routinely catches both the test and the real intrusion.
End-of-module assessment
1. The first phase of privilege escalation is:
Escalation is an enumeration-driven hunt for a bridging misconfiguration.
2. GTFOBins is useful because it shows:
It documents shell escapes and primitives in otherwise-legitimate binaries.
3. A strong Windows detection for service-based privesc is:
Sysmon and Security log events expose anomalous spawns and service changes.
Key takeaways
Escalation is enumeration first; tools like LinPEAS/winPEAS surface signals you must interpret.
Every primitive (SUID/sudo/caps, unquoted paths/tokens) has a matching audit event.
Prevent with least privilege (sudoers, ACLs, LAPS/gMSA) and detect with auditd/Falco/Sysmon.