Local Privilege Escalation
Once an attacker has remote code execution on a device, the next step is privilege escalation. How can an attacker who has access to a machine go from a standard user account to a local administrator? The truth is that completely preventing local privilege escalation is very difficult, but one can at least close the easiest pathways an attacker might use. We assess the workstation's hardening against the moves a real attacker makes once they have a foothold. This includes looking for misconfigurations, vulnerable services, weak permissions, and unpatched components. A general guide we follow is the principle of least authority: privilege escalation becomes harder the less a system assigns more authority to programs and processes than they need. We look for ambient authority in application permissions and execution policy, testing whether unauthorised executables, scripts, and living-off-the-land techniques using legitimate built-in tools are constrained or run freely.