Windows Privilege Abuse: Attackers' Path to Active Directory Compromise
The State of Identity Security in the AI Era — Read the Report here.
Back to blogs listing<br>Windows Privilege Abuse: How Attackers Escalate from Accounts with Dangerous Rights to Active Directory Compromise
Active Directory Security<br>Jul 06, 2026
Read 14 MIN
How privileges increase risk<br>What are Windows privileges?<br>What are Windows access tokens?<br>Targeted accounts<br>How attackers weaponize privileges<br>Targeted privileges<br>SeCreateTokenPrivilege<br>SeDebugPrivilege<br>SeBackupPrivilege and SeRestorePrivilege<br>SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege<br>SeLoadDriverPrivilege<br>SeManageVolumePrivilege<br>SeRelabelPrivilege<br>SeTakeOwnershipPrivilege<br>SeTCBPrivilege<br>How to reduce Windows privilege abuse risk<br>More expert research<br>Sources
Andrea Pierini<br>Senior Security Consultant
I’ve spent many years studying how cyber attackers abuse Windows privileges to escalate their access from low-privileged accounts all the way to NT AUTHORITY\SYSTEM. What started as curiosity about a handful of impersonation primitives gradually evolved into a systematic catalog of attack techniques centered around Windows privilege abuse. Many of these techniques remain relevant even in modern, patched environments.
In this post, I’ll walk you through the most attractive Windows privileges from an attacker’s perspective: those that permit a direct privilege escalation. Read on to learn:
Which privileges put your environment at the greatest risk
Why attackers target these privileges
How attackers can abuse these privileges to gain local SYSTEM privileges, often with surprisingly little effort
How Windows privileges can increase your cybersecurity risk
I’ve been talking with IT and cybersecurity practitioners about the dangers of Windows privilege abuse since 2018. From classic token manipulation to the Potato family of exploits, this topic has defined a large part of Windows local privilege escalation research over the past 10 years.
Yet the message remains as relevant as ever. Many still underestimate these privileges, how they work, and the level of control they can provide attackers. This risk persists for two reasons:
Privileges are not permissions. Organizations that carefully audit their ACLs and delegations often overlook the privileges assigned to non-privileged user accounts.
Microsoft does not patch privilege abuse. Abusing a privilege that you legitimately hold is not a security boundary violation. The techniques that I describe in this post, including Potato exploits, have survived many years and countless Windows versions because they rely on features, not bugs. Therefore, your defenses must be architectural.
Privilege abuse is usually associated with Local Privilege Escalation (LPE). But we all know that a full domain compromise often starts exactly there: a local privilege escalation that enables an attacker to gain the highest level of access on a single machine. From that point, attackers can often abuse elevated rights, credentials, tokens, or other exposed resources to move laterally and continue their escalation path within your environment.
The risk becomes even more critical in shared environments. Think about an RDP server, jump host, or any system where multiple users interact. Gaining local administrative control on such a machine can have consequences that go far beyond the host itself.
If you run whoami /priv and see more than a handful of entries, this blog is for you.
What are Windows privileges?
Microsoft defines a privilege as “the right of an account, such as a user or group account, to perform various system-related operations on the local computer, such as shutting down the system, loading device drivers, or changing the system time.”
In practice, privileges are a mechanism that sits alongside, and sometimes overrides, the traditional permission model based on ACLs. A few points are critical to understand from a security perspective:
Privileges are assigned via User Right Assignment in Local or Group Policy editor (Figure 1). But they can also be managed programmatically through the Windows API, using functions such as LsaOpenPolicy() and LsaAddAccountRights() .
Figure 1. User right assignments (privileges) via GPO editor
Privileges can be enabled or disabled. A default privilege is one that is enabled automatically whenever the system determines it is needed.
Some privileges explicitly override object permissions (ACLs). This is the root cause of most of the abuses discussed here.
Most privileges are accessible only inside a high integrity level (IL) process, meaning that they require an elevated shell to use. However, once you have that elevated shell, the privileges are yours to abuse.
The single most important command in this research is whoami /priv, which shows all privileges assigned to the current token, along with their enabled/disabled states. An enabled privilege is ready to use. A disabled one just...