Threat Feed

Tag

Privilege_escalation

9 briefs
high advisory

SysGauge Pro 4.6.12 Local Buffer Overflow Vulnerability (CVE-2018-25307)

SysGauge Pro 4.6.12 is vulnerable to a local buffer overflow in the Register function, allowing local attackers to overwrite the structured exception handler and execute arbitrary code by supplying a crafted unlock key during registration.

SysGauge Pro 4.6.12 vulnerability buffer_overflow privilege_escalation
2r 2t 1c
critical advisory

Unauthenticated CLI Escape Vulnerability (CVE-2026-3587)

An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface of a device, leading to full compromise and root access on the underlying Linux-based OS, as described in CVE-2026-3587.

cve cli privilege_escalation linux
2r 2t 1i
high advisory

Entra ID Federated Identity Credential Issuer Modified

Modifying the issuer URL of a federated identity credential in Entra ID so that it points to an attacker-controlled identity provider can allow an attacker to authenticate as the application's service principal, bypassing normal authentication and granting persistent access to Azure resources.

azure entra_id federated_identity persistence privilege_escalation
2r 2t
medium advisory

System Shells Launched via Windows Services

Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM, using services.exe as the parent process of the shell.

Windows +2 persistence execution privilege_escalation
2r 4t
medium advisory

Detect Suspicious Windows Service Installation

This detection identifies the creation of new Windows services with suspicious command values, often used for privilege escalation and persistence by malicious actors.

persistence privilege_escalation windows service_creation
2r 1t
medium advisory

Unusual Service Host Child Process - Childless Service

This detection identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn child processes, potentially indicating code injection or exploitation.

m365_defender +3 process_injection privilege_escalation defense_evasion windows
2r 2t
high advisory

Excessive Global Administrator Accounts in Azure PIM

Detection of an excessive number of Global Administrator accounts assigned within an Azure tenant, indicating potential privilege escalation or compromised accounts.

Azure pim global_admin privilege_escalation
2r 3t
medium advisory

User Added to Privileged Group in Active Directory

Adversaries may add a user to a privileged group in Active Directory, such as Domain Admins, to maintain persistent access and elevate privileges within the domain.

Active Directory persistence privilege_escalation active_directory
2r 1t
medium advisory

Suspicious Svchost.exe Child Process: cmd.exe

Detection of cmd.exe being spawned by svchost.exe, which is an unusual behavior indicative of potential masquerading or privilege escalation attempts on Windows systems.

execution windows process_injection privilege_escalation
2r 2t