Offensive Security·KeenSafe·May 25, 2026

Privilege Escalation Through Identity Misconfiguration

---


KeenSafe Research | Threat Research | Identity Operations Series


Overview

Privilege escalation in modern enterprise environments rarely depends on software vulnerabilities. It depends predominantly on identity misconfiguration — the accumulated permissions, group nesting patterns, federation policies, and consent grants that produce unintended privilege relationships across hybrid infrastructure. The category exists at the intersection of identity governance discipline and operational reality: privileges accumulate continuously through normal operational activity, and the systematic rationalization required to prevent escalation chains exceeds the disciplined practice of most enterprise programs.

Across the chains KeenSafe Research has analyzed during the current reporting window, identity misconfiguration produced exploitable privilege escalation in 41 percent of multi-stage chains. The percentage is sector-stable, suggesting the pattern is structural rather than sector-specific. The dominant misconfiguration categories include over-privileged service principals, nested group permission propagation, conditional access policy gaps, OAuth consent over-grants, federation policy misconfigurations, and lifecycle-anomalous identities retaining permissions.

This research article documents privilege escalation through identity misconfiguration as it operates in 2026. It analyzes the recurring misconfiguration patterns, the adversary tradecraft exploiting them, the chain progressions they produce, the detection landscape, and the defensive countermeasures.


1. The Misconfiguration Surface

Structural Drivers of Identity Misconfiguration

Identity misconfiguration emerges from operational dynamics rather than from explicit design decisions:

Permission additivity. Permissions accumulate through additive grants. Each grant addresses a specific operational need at the moment it is made. Revocations are rare; the cumulative permission state of any given identity typically exceeds its original operational scope.

Group nesting complexity. Active Directory group nesting and analogous structures in Entra ID, Okta, and cloud IAM produce permission propagation that exceeds operational understanding. Nested groups can grant unintended access through paths that no single individual has reasoned through.

Lifecycle dynamics. Identities transition through operational states (active, on-leave, transferred, offboarded). Permission states do not consistently track lifecycle transitions. Identities accumulate permissions through their operational history that persist beyond the role contexts that originally justified them.

Multi-domain inheritance. In hybrid environments, identities exist across multiple domains (on-prem AD, Entra ID, SaaS, cloud IAM) with permission relationships that span domain boundaries. The cumulative permissions of any identity across all domains typically exceed the permissions visible in any single domain.

Configuration debt. Configurations made under earlier circumstances (different security models, different operational requirements, different organizational structures) persist into current environments. The current configuration state reflects historical accumulation as much as current intent.

KeenSafe Visual: Structural Drivers of Misconfiguration

The Recurring Misconfiguration Categories

KeenSafe Research observes eight recurring misconfiguration categories that produce the majority of identity-driven privilege escalation chains.

Category 1: Over-Privileged Service Principals and Machine Identities

Workload identities — service principals in Entra ID, IAM roles in AWS, service accounts in cloud and on-prem — whose permissions exceed operational requirement. This is the single largest misconfiguration category, participating in 34 percent of validated chains.

Category 2: Nested Group Permission Propagation

Group nesting patterns that grant unintended permission inheritance. Particularly common in environments with substantial group structure complexity inherited from operational history.
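One way to make the nested-inheritance paths explicit, as an added example that is not KeenSafe's tooling: a breadth-first resolver over a constructed directory snapshot (invented principal and group names) that returns each effective permission together with the group chain granting it, and terminates on membership cycles.

```python
"""Resolve an identity's effective permissions through nested groups.

Added example, not KeenSafe's tooling. The directory snapshot below is a
constructed stand-in for an AD/Entra ID group export; names are invented.
"""
from collections import deque

# Constructed snapshot: direct memberships (principal -> groups it belongs to)
# and permissions granted directly to each group.
SAMPLE_MEMBER_OF = {
    "alice": ["Developers"],
    "Developers": ["Project-Phoenix"],
    "Project-Phoenix": ["Server-Operators"],  # stale nesting from a finished project
    "Server-Operators": ["Project-Phoenix"],  # membership cycle, common in old directories
    "bob": ["Helpdesk"],
    "Helpdesk": [],
}
SAMPLE_GROUP_PERMISSIONS = {
    "Developers": {"repo:write"},
    "Project-Phoenix": {"vault:read"},
    "Server-Operators": {"group:modify-membership", "server:logon"},
    "Helpdesk": {"user:reset-password"},
}


def resolve_effective_permissions(identity, member_of, group_permissions):
    """Return {permission: path} for every permission reachable through
    group nesting; path is the chain of groups that grants it, shortest
    chain first. Breadth-first traversal with a visited set so membership
    cycles terminate instead of looping."""
    effective = {}
    visited = {identity}
    queue = deque([(identity, [identity])])
    while queue:
        node, path = queue.popleft()
        for group in member_of.get(node, []):
            if group in visited:
                continue
            visited.add(group)
            group_path = path + [group]
            for permission in group_permissions.get(group, set()):
                effective.setdefault(permission, group_path)
            queue.append((group, group_path))
    return effective


def unexpected_permissions(identity, expected, member_of, group_permissions):
    """Permissions the identity holds that its nominal role does not warrant,
    each with the nesting chain that grants it (the path nobody reasoned through)."""
    effective = resolve_effective_permissions(identity, member_of, group_permissions)
    return {p: path for p, path in effective.items() if p not in expected}


if __name__ == "__main__":
    developer_role = {"repo:write"}  # what a developer is nominally expected to hold
    findings = unexpected_permissions("alice", developer_role,
                                      SAMPLE_MEMBER_OF, SAMPLE_GROUP_PERMISSIONS)
    for perm, path in sorted(findings.items()):
        print(f"{perm:24s} via {' -> '.join(path)}")
```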

Category 3: Conditional Access Policy Gaps

Conditional access policies with exception conditions (legacy authentication, specific device states, geographic exceptions, executive populations) that produce MFA bypass or privilege gaps.

Category 4: OAuth Consent Over-Grants

OAuth consent grants exceeding application functional requirements. A growing category documented in companion research, relevant to privilege escalation because consents frequently grant privileges that enable subsequent escalation.

Category 5: Federation Policy Misconfigurations

Federation policies between identity providers, between tenants, between forests, or between organizational boundaries with overly permissive trust relationships.

Category 6: Lifecycle-Anomalous Identity Permissions

Permissions retained on identities in atypical lifecycle states — offboarded but not removed, dormant but credentialed, transferred but retaining prior role permissions.

Category 7: Privilege Escalation Primitives in Cloud IAM

Cloud IAM configurations that enable specific privilege escalation primitives — iam:PassRole, iam:CreateAccessKey, role assumption chains, attached policy modifications.

Category 8: Delegated Permissions on Critical Identity Objects

Delegated permissions on AD groups, Entra ID administrative units, or cloud organizational structures that enable identity manipulation by identities not nominally authorized for it.

KeenSafe Visual: Eight Recurring Misconfiguration Categories


2. Adversary Exploitation Patterns

Pattern 1: Service Principal Permission Chain

The dominant pattern observed in cloud-mediated chains.

Step 1 — Service principal foothold. Adversary acquires credentials or token for a service principal. Mechanisms include credential exposure in repositories, OAuth consent abuse, or compromise of identities with access to credential stores. Mapped to T1552.001 or T1528.

Step 2 — Permission enumeration. Adversary enumerates the service principal's permissions through authorization simulation APIs. Mapped to T1526 (Cloud Service Discovery).

Step 3 — Permission identification. Adversary identifies specific permissions enabling privilege escalation. Common primitives include Application.ReadWrite.All (Microsoft Graph), iam:PassRole (AWS), iam.serviceAccounts.actAs (GCP), RoleAssignmentWrite (Azure RBAC).

Step 4 — Privilege manipulation. Adversary uses identified primitives to acquire higher privileges. Mapped to T1098.001 (Account Manipulation: Additional Cloud Credentials) or T1098.003 (Add Office 365 Global Administrator Role).

Step 5 — Elevated operations. Adversary operates with acquired privileges toward chain objective.

Pattern 2: Nested Group Exploitation

Common in environments with substantial on-prem AD presence and complex group structure.

Step 1 — Initial domain context. Adversary holds authenticated context as a low-privileged domain identity.

Step 2 — Group membership enumeration. Adversary enumerates the identity's group memberships and the resolved permissions including nested inheritance.

Step 3 — Unintended permission discovery. Adversary identifies permissions inherited through nested group relationships that the identity's nominal role does not warrant.

Step 4 — Exploitation. Adversary exercises the discovered permissions for privilege escalation or lateral movement.

Pattern 3: Conditional Access Bypass

Common in environments with mature MFA deployment.

Step 1 — Identity compromise. Adversary holds credentials or session for a target identity, frequently through AiTM phishing or session token theft.

Step 2 — Policy analysis. Adversary analyzes conditional access policies applying to the compromised identity. Analysis can occur through trial-and-error or through pre-operation reconnaissance.

Step 3 — Exception condition exploitation. Adversary configures the operation environment to match exception conditions — legacy authentication endpoints, specific device characteristics, network locations.

Step 4 — Privileged access. Adversary accesses privileged resources by operating within the exception condition.

Pattern 4: Federation-Mediated Privilege Acquisition

Common in environments with cross-tenant federation, multi-forest trust, or B2B federation.

Step 1 — Source-domain foothold. Adversary holds context in a source domain (acquired forest, partner tenant, smaller affiliated entity).

Step 2 — Federation path discovery. Adversary discovers federation paths from source to target domain.

Step 3 — Federation traversal. Adversary traverses the federation path under conditions that the policy permits. The traversed identity may inherit privileges in the target domain beyond what the source identity nominally holds.

Step 4 — Target domain operations. Adversary operates with acquired target-domain privileges.

Pattern 5: OAuth Application Privilege Escalation

Documented in detail in companion research; relevant here as a privilege escalation category.

Step 1 — Application identity acquisition. Adversary acquires control of an OAuth-authorized application through consent phishing, application compromise, or related techniques.

Step 2 — Application permission inventory. Adversary inventories the application's authorized permissions across tenants where it is consented.

Step 3 — Permission exercise. Adversary exercises the application's permissions for data access, identity manipulation, or persistence reinforcement.

Pattern 6: Lifecycle-Anomalous Identity Exploitation

Step 1 — Anomalous identity discovery. Adversary discovers identities in atypical lifecycle states — typically through enumeration and behavioral analysis. Recently-offboarded identities are particularly valuable because their permissions persist while their behavioral baselines have ceased.

Step 2 — Credential acquisition. Adversary acquires credentials for the anomalous identity through methods including stale credential reuse, password manager extraction from prior owner's compromised endpoint, or social engineering against IT staff for password reset.

Step 3 — Privilege exercise. Adversary exercises the identity's retained privileges with reduced behavioral detection risk.

KeenSafe Visual: Six Adversary Exploitation Patterns


3. Cloud-Specific Escalation Primitives

Cloud IAM environments produce specific privilege escalation primitives that warrant explicit treatment.

AWS Privilege Escalation Primitives

The dominant AWS privilege escalation primitives include:

  • iam:PassRole + ec2:RunInstances: ability to pass a high-privilege role to a new EC2 instance
  • iam:CreateAccessKey: ability to create access keys for arbitrary IAM users
  • iam:AttachUserPolicy / iam:AttachRolePolicy: ability to attach administrator policies
  • iam:PutUserPolicy / iam:PutRolePolicy: ability to escalate through inline policies
  • iam:UpdateAssumeRolePolicy: ability to modify trust policies enabling role assumption
  • sts:AssumeRole on permissive trust policies: ability to assume roles trusted with overly permissive principals
  • lambda:UpdateFunctionConfiguration + iam:PassRole: ability to attach a privileged role to a Lambda function
  • codebuild/codepipeline + iam:PassRole: similar escalation through CI/CD primitives

Mapped to MITRE ATT&CK: T1098.001 (Additional Cloud Credentials), T1078.004 (Cloud Accounts), T1548.005 (Temporary Elevated Cloud Access).
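An added example (not an AWS API and not KeenSafe's tooling) that scans an IAM policy document for the primitives listed above, honouring action wildcards and explicit Deny; the two policies are constructed samples.

```python
"""Scan an AWS IAM policy document for the escalation primitives listed above.

Added example, not an AWS API and not KeenSafe's tooling. The policies below
are constructed samples. Handles Allow/Deny, action wildcards ("iam:*",
"iam:Attach*", "*") and the two-action combinations (PassRole + RunInstances,
PassRole + UpdateFunctionConfiguration). Resource and Condition are not
evaluated, so a hit means "review this policy", not "confirmed path".
"""
import fnmatch

# Primitive name -> actions that must all be allowed for the primitive to exist.
ESCALATION_PRIMITIVES = {
    "PassRole+RunInstances": {"iam:PassRole", "ec2:RunInstances"},
    "PassRole+UpdateFunctionConfiguration": {"iam:PassRole", "lambda:UpdateFunctionConfiguration"},
    "CreateAccessKey": {"iam:CreateAccessKey"},
    "AttachUserPolicy": {"iam:AttachUserPolicy"},
    "AttachRolePolicy": {"iam:AttachRolePolicy"},
    "PutUserPolicy": {"iam:PutUserPolicy"},
    "PutRolePolicy": {"iam:PutRolePolicy"},
    "UpdateAssumeRolePolicy": {"iam:UpdateAssumeRolePolicy"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and patterns may use * and ?.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, candidates):
    """Subset of candidate actions the policy allows. An unconditional Deny
    always wins; a Deny carrying a Condition only applies sometimes, so it is
    ignored here to keep the scan conservative (NotAction is not handled)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        hits = {a for a in candidates if any(_action_matches(p, a) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif stmt.get("Effect") == "Deny" and "Condition" not in stmt:
            denied |= hits
    return allowed - denied


def find_primitives(policy):
    """Names of escalation primitives fully granted by the policy, sorted."""
    candidates = set().union(*ESCALATION_PRIMITIVES.values())
    granted = allowed_actions(policy, candidates)
    return sorted(n for n, needed in ESCALATION_PRIMITIVES.items() if needed <= granted)


# Constructed: a CI role that can launch instances and pass any role to them.
SAMPLE_CI_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:Get*", "Resource": "*"},
    ],
}
# Constructed: broad iam:* grant fenced by an explicit Deny on the mutating calls.
SAMPLE_DENY_GUARDED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Resource": "*", "Action": [
            "iam:CreateAccessKey", "iam:Attach*", "iam:Put*", "iam:UpdateAssumeRolePolicy"]},
    ],
}

if __name__ == "__main__":
    for label, policy in [("ci-role", SAMPLE_CI_ROLE_POLICY), ("guarded", SAMPLE_DENY_GUARDED_POLICY)]:
        print(label, find_primitives(policy) or "no escalation primitives")
```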

Azure Privilege Escalation Primitives

The dominant Azure privilege escalation primitives include:

  • Microsoft.Authorization/roleAssignments/write: ability to create role assignments
  • Microsoft.Authorization/roleDefinitions/write: ability to modify custom role definitions
  • Application.ReadWrite.All in Microsoft Graph: ability to add credentials to applications
  • RoleManagement.ReadWrite.Directory: ability to manage directory role assignments
  • Owner role on subscriptions: implicit ability to perform any action
  • User Access Administrator + scope: explicit ability to assign roles

GCP Privilege Escalation Primitives

The dominant GCP privilege escalation primitives include:

  • iam.serviceAccounts.actAs + service account impersonation: ability to impersonate higher-privileged service accounts
  • iam.serviceAccounts.getAccessToken: ability to obtain access tokens
  • iam.serviceAccountKeys.create: ability to create keys for service accounts
  • iam.roles.create + binding modifications: ability to define and bind custom roles
  • compute.instances.setServiceAccount: ability to attach service accounts to compute resources

Detection of Cloud Escalation

Detection of cloud privilege escalation operations focuses on:

  • IAM modification event monitoring
  • Anomalous permission grants
  • Role assumption pattern analysis
  • Identity manipulation event correlation
  • Application credential addition monitoring

Empirical detection efficacy for cloud privilege escalation across the corpus averaged 41 percent.
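The IAM modification and credential-addition monitoring above, as added example detection logic run over constructed CloudTrail-shaped events (not KeenSafe's detection content); the account id and ARNs are placeholders.

```python
"""Detection logic for the escalation primitives above, run over CloudTrail-shaped
records. Added example, not KeenSafe's detection content: the events, account id
and ARNs are constructed placeholders following CloudTrail's eventName /
userIdentity / requestParameters / errorCode field layout."""

WATCHED = {"CreateAccessKey", "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
           "PutRolePolicy", "UpdateAssumeRolePolicy", "RunInstances",
           "UpdateFunctionConfiguration"}


def _caller_user_name(event):
    identity = event.get("userIdentity", {})
    return identity.get("userName") if identity.get("type") == "IAMUser" else None


def classify(event):
    """Return (severity, reason) for an escalation-relevant event, else None."""
    name = event.get("eventName")
    if name not in WATCHED:
        return None
    params = event.get("requestParameters") or {}
    if event.get("errorCode"):
        # AccessDenied on these calls is what permission probing looks like.
        return ("low", f"{name} failed with {event['errorCode']}")
    if name == "CreateAccessKey":
        target = params.get("userName")
        if target and target != _caller_user_name(event):
            return ("high", f"access key created for another user: {target}")
        return ("medium", "access key created for the calling user")
    if name in ("AttachUserPolicy", "AttachRolePolicy"):
        arn = params.get("policyArn", "")
        severity = "high" if arn.endswith("/AdministratorAccess") else "medium"
        return (severity, f"{name}: {arn}")
    if name in ("PutUserPolicy", "PutRolePolicy"):
        target = params.get("userName") or params.get("roleName")
        return ("high", f"{name}: inline policy written on {target}")
    if name == "UpdateAssumeRolePolicy":
        return ("high", f"trust policy rewritten on role {params.get('roleName')}")
    # RunInstances / UpdateFunctionConfiguration matter only when a role is passed.
    passed = params.get("iamInstanceProfile") or params.get("role")
    return ("medium", f"{name} with passed role {passed}") if passed else None


def run_detections(events):
    """Apply classify() to every event, oldest first; returns alert dicts."""
    alerts = []
    for event in sorted(events, key=lambda e: e.get("eventTime", "")):
        hit = classify(event)
        if hit:
            alerts.append({"time": event["eventTime"], "severity": hit[0], "reason": hit[1],
                           "principal": event.get("userIdentity", {}).get("arn", "unknown")})
    return alerts


# Constructed sample: a CI user probes, is denied, then succeeds a minute later.
SAMPLE_CI_USER = {"type": "IAMUser", "userName": "ci-deploy",
                  "arn": "arn:aws:iam::111122223333:user/ci-deploy"}
SAMPLE_EVENTS = [
    {"eventTime": "2026-05-01T10:00:05Z", "eventName": "ListAttachedUserPolicies",
     "userIdentity": SAMPLE_CI_USER, "requestParameters": {"userName": "ci-deploy"}},
    {"eventTime": "2026-05-01T10:00:12Z", "eventName": "CreateAccessKey",
     "errorCode": "AccessDenied", "userIdentity": SAMPLE_CI_USER,
     "requestParameters": {"userName": "prod-admin"}},
    {"eventTime": "2026-05-01T10:01:40Z", "eventName": "CreateAccessKey",
     "userIdentity": SAMPLE_CI_USER, "requestParameters": {"userName": "prod-admin"}},
    {"eventTime": "2026-05-01T10:02:03Z", "eventName": "AttachUserPolicy",
     "userIdentity": SAMPLE_CI_USER, "requestParameters": {"userName": "ci-deploy",
     "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert["time"], alert["severity"].upper(), alert["principal"], alert["reason"])
```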

KeenSafe Visual: Cloud Escalation Primitives by Platform


4. Operational Chain Example

A representative chain combining multiple misconfiguration categories:

Initial Access (T1566.002 + T1557). AiTM phishing produces authenticated cloud identity as a developer.

Discovery (T1087.004). Tenant enumeration reveals that the developer identity holds an unusually broad set of permissions — a delegated permission grant on a privileged group's membership, granted three years prior for a project that has long since concluded (Category 6 — Lifecycle-Anomalous Permissions).

Discovery (T1526). The developer identity has access to a key vault holding credentials for a service principal with Application.ReadWrite.All (Category 1 — Over-Privileged Service Principals).

Credential Access (T1555). Adversary retrieves the service principal credential from the key vault.

Privilege Escalation (T1098.001). Operating as the service principal, adversary uses Application.ReadWrite.All to add credentials to a higher-privileged application identity.

Lateral Movement (T1199, T1078.004). The higher-privileged application identity holds federation permissions enabling traversal to an acquired-entity tenant. Adversary traverses the federation (Category 5 — Federation Policy Misconfigurations).

Privilege Escalation in Target Tenant (T1098.003). In the acquired-entity tenant, the federated identity holds permissions enabling addition of Global Administrator role assignment. Adversary uses these permissions to acquire Global Administrator.

Categorical Tenant Compromise. With Global Administrator in the acquired tenant, the adversary holds categorical access. Cross-tenant trust extends consequences back into the primary tenant.

The chain composed eight techniques and exploited four misconfiguration categories. None of the individual misconfigurations was severe in isolation. The composition produced categorical compromise.

KeenSafe Visual: Multi-Category Misconfiguration Chain Example (linear kill-chain sequence with MITRE ATT&CK tactic tags per stage)


5. Detection and Validation

Detection Surfaces

Detection of identity misconfiguration-driven escalation operates across multiple surfaces:

  • IAM modification event monitoring in cloud platforms
  • Application credential addition monitoring in Entra ID, AWS, GCP
  • Role assignment change monitoring across cloud platforms
  • Federated authentication pattern analysis
  • Permission inheritance change monitoring in directory services
  • Lifecycle-anomalous activity detection for identities in atypical states

Empirical Detection Gaps

Across the corpus, empirical detection efficacy for identity privilege escalation chain stages averaged:

  • Cloud privilege escalation primitives: 41 percent
  • Account manipulation (T1098 family): 38 percent
  • Federation traversal: 32 percent
  • Lifecycle-anomalous identity activity: 26 percent

The gaps reflect detection content tuning that has not kept pace with current adversary procedures, log ingestion gaps for identity-specific events, and behavioral baseline models that struggle with low-frequency events.

Continuous Validation Contribution

Continuous attack path validation surfaces identity misconfiguration-driven chains as integrated artifacts. The validation:

  • Maps the cumulative permission state of each identity across domains
  • Identifies chain-participating misconfigurations explicitly
  • Produces evidence packages mapped to MITRE ATT&CK
  • Validates remediation empirically through re-validation

The contribution is particularly significant for misconfiguration categories that produce chain participation through subtle composition rather than through obvious individual severity.


6. Defensive Countermeasures

Permission Rationalization Programs

The foundational countermeasure is permission rationalization:

  • Regular review of accumulated permissions across human and machine identities
  • Chain-aware prioritization directing rationalization to permissions that participate in validated chains
  • Least-privilege enforcement at provisioning and at periodic review cycles
  • Permission usage analysis identifying granted permissions that are never exercised

Machine Identity Governance

Machine identity governance should reach parity with human identity governance:

  • Lifecycle ownership of machine identities
  • Permission rationalization on machine identities matching the cadence applied to human identities
  • Credential rotation discipline
  • Decommissioning of machine identities whose operational requirement has ended

Conditional Access Hardening

Conditional access policy discipline:

  • Systematic review of exception conditions
  • Elimination of exceptions that have become unnecessary
  • Testing of policy effective behavior against intended behavior
  • Continuous validation of policy efficacy

Federation Policy Discipline

Federation policy governance:

  • Inventory of all federation relationships
  • Periodic review of federation scope and conditions
  • Reduction of bidirectional trusts to unidirectional where operationally permissible
  • Chain-aware impact assessment for proposed federation changes

Cloud IAM Hardening

Cloud IAM-specific hardening:

  • Inventory of identities with privilege escalation primitives
  • Reduction of privilege escalation primitives to operational minimums
  • Service control policies (AWS) and analogous mechanisms preventing privilege escalation actions
  • Identity activity monitoring tuned against escalation patterns

Lifecycle Discipline

Identity lifecycle discipline:

  • Automated deprovisioning of offboarded identities
  • Permission revocation on role transitions
  • Dormant identity detection and remediation
  • Break-glass account management with explicit rotation and review

Continuous Validation

Continuous attack path validation is the operational closure mechanism. Chain-aware prioritization directs rationalization to the misconfigurations that produce the most chains, supporting systematic remediation that periodic review cannot match.

KeenSafe Visual: Defensive Countermeasure Stack (layered defense bands from preventive controls down to recovery: Prevent, Harden, Detect, Respond, Recover)


7. Enterprise Implications

Identity Governance is the Highest-Leverage Discipline

Across the corpus, identity governance maturity is the single largest predictor of chain density. Investment in identity governance — across human and machine identities, across cloud and on-prem, across permissions and lifecycle — produces disproportionate defensibility outcomes.

Machine Identity Governance is the Persistent Laggard

Machine identity governance consistently lags human identity governance. The asymmetry produces structural risk concentration. Strategic priority should reflect this.

Permission Inheritance Exceeds Operational Understanding

In most enterprises, the effective permission state of identities — accounting for direct grants, group nesting, federation inheritance, OAuth consent, and conditional access — exceeds operational understanding. Continuous validation that maps cumulative permission state is the closure mechanism.

Federation Discipline is Increasingly Important

As hybrid composition deepens, federation discipline becomes increasingly important. Federation policies inherited from acquisitions, established for temporary migration purposes, or configured under earlier security models persist into current environments as chain enablers.

Cloud Escalation Primitives Require Specialized Attention

Cloud IAM escalation primitives — iam:PassRole, Application.ReadWrite.All, Microsoft.Authorization/roleAssignments/write, and analogous mechanisms — require specialized governance disciplines. Generic cloud security posture management captures some but not all of the category.


8. Strategic Insights

Insight 1: Identity misconfiguration is the dominant privilege escalation category. Software vulnerabilities account for a shrinking share of privilege escalation. Strategic investment should reflect the dominant category.

Insight 2: Composition is what produces compromise. Individual misconfigurations are typically modest in severity. Their composition into chains produces categorical impact. Chain-aware reasoning is required.

Insight 3: Permission rationalization is a permanent program, not a project. Permission accumulation occurs continuously. The rationalization required must operate continuously.

Insight 4: Machine identity is the structural priority. The asymmetry between human and machine identity governance is the source of disproportionate chain participation.

Insight 5: Continuous validation surfaces what static analysis misses. Theoretical permission analysis identifies potential paths. Continuous validation confirms which paths are actually exploitable in the live environment.

Insight 6: Cross-domain reasoning is required. Identity misconfiguration-driven chains traverse domain boundaries. Single-domain reasoning misses the dominant chain class.

KeenSafe Visual: Strategic Insight Framework


Conclusion

Privilege escalation through identity misconfiguration is the dominant escalation category in modern enterprise environments. The category reflects structural realities of identity governance at enterprise scale — permission accumulation, group nesting complexity, lifecycle dynamics, multi-domain inheritance, and configuration debt — rather than negligence in any specific area.

Defensive response operates across permission rationalization, machine identity governance, conditional access hardening, federation discipline, cloud IAM-specific hardening, lifecycle discipline, and continuous validation. The combination produces meaningful protection. The structural drivers ensure that the discipline must be permanent and continuous rather than episodic.

KeenSafe Research will continue to publish updated intelligence on identity-driven escalation evolution. Companion research in this series addresses adjacent topics: service account abuse, modern lateral movement patterns, cloud metadata exploitation, and the broader identity governance landscape.


KeenSafe Research is the threat intelligence and offensive security research arm of KeenSafe, an AI-powered attack path validation platform for continuous offensive security validation across hybrid enterprise infrastructure.

KeenSafe Visual: Identity Misconfiguration Research Summary (sample: 240; recurrence: 68%; detection gap: 41%)
