Everything that starts with a methodology offers an approach to a problem solution. In this section, we will go through the common escalation methodology utilized by attackers during a red teaming exercise, or penetration testing. The following diagram depicts the methodology that can be used:

In line with the kill-chain methodology, the action of the objective includes escalation of privilege to maintain persistence to the target environment.

The following are the types of user accounts that are found in any target system:

• Normal user: Typical access through a backdoor runs at the level of the user who executes the backdoor. These are the normal users of the system (Windows or Unix) and are either local users or domain users with limited access on the system to perform only tasks that are allowed for them.
• Local administrator: Local administrators are system account holders that have the privilege to run system configuration changes.
• Delegated administrator: Delegated administrators are local user accounts with administrator privileges. Example account operators or backup operators are typical groups used in Active Directory environments to delegate administrative tasks.
• Domain administrator: Domain administrators are users who can administer the domains that they are a member of.
• Enterprise administrator: Enterprise administrators are accounts that have the most privileges for maintaining the entire forest in an Active Directory.
• Schema administrator: Schema administrators are users who can configure the schema of the forest. The reason schema admins are not included as the most privileged account is because attackers cannot add users to any other groups: that would limit the access level to modifying the Active Directory forest.