Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.
Tactic Overview
Tactic ID: TA0004 — Matrix: Enterprise — Techniques: 14
The Privilege Escalation tactic represents a phase in the adversary lifecycle where the adversary is trying to gain higher-level permissions. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 14 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (14)
The following techniques are categorized under the Privilege Escalation tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T1548 | Abuse Elevation Control Mechanism (5 sub-techniques) | Adversaries bypass UAC, sudo caching, or setuid/setgid mechanisms to escalate privileges on compromised systems. | T1548 |
T1134 | Access Token Manipulation (5 sub-techniques) | Adversaries manipulate access tokens to operate under different user or system security contexts for privilege escalation. | T1134 |
T1098 | Account Manipulation (6 sub-techniques) | Adversaries manipulate accounts to maintain and elevate access, including modifying permissions, adding credentials, and modifying MFA settings. | T1098 |
T1547 | Boot or Logon Autostart Execution (14 sub-techniques) | Adversaries configure programs to run at system boot or user logon via Registry Run keys, startup folders, kernel modules, and login items. Used by APT42, Dtrack, and many others for persistence. | T1547 |
T1037 | Boot or Logon Initialization Scripts (5 sub-techniques) | Adversaries use boot or logon initialization scripts to execute malicious code at startup, including logon scripts and RC scripts. | T1037 |
T1543 | Create or Modify System Process (4 sub-techniques) | Adversaries create or modify system-level processes such as Windows services, systemd services, and launch daemons for persistence. | T1543 |
T1484 | Domain or Tenant Policy Modification (2 sub-techniques) | Adversaries modify domain-level or tenant-level policies (Group Policy, trust modifications) to escalate privileges across an environment. | T1484 |
T1611 | Escape to Host | Adversaries break out of containers or virtual machines to gain access to the underlying host system. | T1611 |
T1546 | Event Triggered Execution (16 sub-techniques) | Adversaries establish persistence by creating or modifying system mechanisms that execute code in response to specific events. | T1546 |
T1068 | Exploitation for Privilege Escalation | Adversaries exploit software vulnerabilities to escalate privileges, including kernel exploits, BYOVD attacks, and container escapes. Used extensively by APT28, APT29, Sandworm, and ransomware groups. | T1068 |
T1574 | Hijack Execution Flow (12 sub-techniques) | Adversaries hijack the way programs load code (DLL search order, PATH, dylib) to execute malicious payloads when legitimate programs run. | T1574 |
T1055 | Process Injection (12 sub-techniques) | Adversaries inject code into running processes to evade detection and escalate privileges. Includes DLL injection, process hollowing, APC injection, and thread hijacking. Used by APT32, APT37, APT38, Cobalt Strike, and many RATs. | T1055 |
T1053 | Scheduled Task/Job (5 sub-techniques) | Adversaries abuse task scheduling (schtasks, cron, systemd timers) to execute malicious code at system startup or on recurring schedules for persistence and privilege escalation. | T1053 |
T1078 | Valid Accounts (4 sub-techniques) | Adversaries obtain and abuse credentials of existing accounts for initial access, persistence, and privilege escalation. Extensively used by APT28, APT29, Lazarus Group, Volt Typhoon, and ransomware groups like Akira and BlackByte. | T1078 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Least privilege principle
- UAC enforcement
- Patch management
- Credential guard
- Application control policies
Detection Strategies
Effective detection of Privilege Escalation techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Privilege Escalation tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Privilege Escalation Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026