Privilege Escalation Indicators

A Debian-first guide to spotting signs that a low-privilege user or process gained elevated access, and reviewing the system changes that followed.

What this is

Privilege escalation is the process of gaining more access than was originally intended, often moving from a low-privilege account, web service, or application context into root-level or administrative control.

On Debian systems, this often shows up through sudo abuse, service manipulation, new administrative accounts, modified configs, or suspicious access to sensitive files and commands.

What it looks like

Detect

Review sudo-related activity in auth logs

sudo grep -Ei "sudo|COMMAND" /var/log/auth.log

Review successful logins and privileged sessions

sudo grep -Ei "Accepted|session opened" /var/log/auth.log

Review users with elevated access

getent group sudo
awk -F: '$3 == 0 {print $1}' /etc/passwd   # accounts with UID 0; only root should appear
cut -d: -f1 /etc/passwd                   # full account list, to spot new or unexpected names

Review running processes as root

ps -U root -u root u

Review system changes that often follow escalation

sudo ufw status numbered
sudo systemctl list-unit-files --type=service
sudo find /etc/cron* -type f
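The greps above return raw log lines; the script below is an added example (not from the original guide) that pulls the same Detect signals into a reviewable form: who ran what through sudo, which SSH logins were accepted and from where, which accounts carry UID 0, what account-management events the log records, and which sudo users are not actually members of the sudo group. The auth.log, passwd and group records written by write_samples are constructed for the example; on a live host point the functions at /var/log/auth.log, /etc/passwd and /etc/group instead.

```shell
#!/bin/sh
# Added example, not part of the original guide. Triage helpers for the
# Detect step. Sample records below are constructed for demonstration.

# Print "user<TAB>command" for every sudo command record in an auth log.
sudo_commands() {
    awk '/ sudo: +[^ ]+ : .*COMMAND=/ {
        u = $0; sub(/.* sudo: +/, "", u); sub(/ :.*/, "", u)
        c = $0; sub(/.*COMMAND=/, "", c)
        print u "\t" c
    }' "$1"
}

# Print "user method source" for each accepted sshd authentication.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        u = m = ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  { m = $(i-1); u = $(i+1) }
            if ($i == "from") { ip = $(i+1) }
        }
        print u, m, ip
    }' "$1"
}

# Print every account with UID 0; on a healthy Debian host only root appears.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print account-management events (useradd, usermod, groupadd, ...) from the log.
account_changes() {
    grep -E '(useradd|usermod|userdel|adduser|groupadd|gpasswd|chpasswd)(\[[0-9]+\])?:' "$1"
}

# Users who ran sudo but are not members of the sudo group ($1 = auth log,
# $2 = group file). Such a user reached root by some path other than the
# expected group membership and needs to be explained.
unexpected_sudo_users() {
    members=$(awk -F: '$1 == "sudo" { print $4 }' "$2")
    sudo_commands "$1" | cut -f1 | sort -u | while read -r u; do
        case "$u" in root) continue ;; esac
        case ",$members," in
            *",$u,"*) ;;
            *) echo "$u" ;;
        esac
    done
}

# Constructed sample data (documentation IP ranges, invented hostnames/users).
write_samples() {
    cat > "$1/auth.log" <<'EOF'
Mar  3 10:13:40 host sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:14:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:15:11 host sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
Mar  3 10:16:00 host sshd[1300]: Accepted password for backup from 198.51.100.7 port 40120 ssh2
Mar  3 10:16:30 host useradd[1400]: new user: name=svc, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  3 10:16:31 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by www-data(uid=33)
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc:x:0:0::/root:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:alice
www-data:x:33:
EOF
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "== sudo commands (user, command)";        sudo_commands "$dir/auth.log"
    echo "== accepted logins (user method source)"; accepted_logins "$dir/auth.log"
    echo "== UID 0 accounts";                       uid0_accounts "$dir/passwd"
    echo "== account changes";                      account_changes "$dir/auth.log"
    echo "== sudo use outside the sudo group";      unexpected_sudo_users "$dir/auth.log" "$dir/group"
    rm -rf "$dir"
}

demo
```

In the sample, the www-data service account obtaining a root shell through sudo while not being in the sudo group, followed by a useradd event that creates a second UID 0 account, is exactly the sequence the Detect step is meant to surface. Source the file in a shell and call the functions directly against the real logs, e.g. `sudo_commands /var/log/auth.log`.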

Contain

Lock or expire a suspicious account

sudo passwd -l <username>
sudo chage -E 0 <username>

Remove unexpected sudo access

sudo deluser <username> sudo

Stop suspicious privileged processes or services

sudo kill -TERM <PID>
sudo systemctl stop <service_name>

Recover

Review what changed after elevation

sudo ufw status numbered
sudo systemctl list-unit-files --type=service
sudo find /etc/cron* -type f
sudo find /var/www -type f -mtime -2 2>/dev/null

Review accounts, SSH keys, and auth artifacts

sudo find /home /root -name authorized_keys -type f -exec ls -lah {} \; -exec cat {} \;
sudo grep -Ei "Accepted|sudo|useradd|adduser" /var/log/auth.log

Inspect suspicious binaries or scripts run with elevated access

file /path/to/binary
sha256sum /path/to/binary
strings /path/to/binary | less

Recovery means understanding not only how elevated access was gained, but what was changed afterward to preserve or expand that access.
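Hashing a single binary with sha256sum only helps if there is something to compare it against. The script below is an added example (not from the original guide) that turns that idea into a small baseline: record hashes for a directory while the system is known-good, then run the comparison during recovery to list exactly which files were added, removed or modified. It applies equally to /usr/local/bin, /var/www, /etc/cron* and the systemd unit directories reviewed above. It assumes GNU coreutils sha256sum and does not handle paths containing whitespace; the files created in demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original guide. Minimal sha256 baseline and
# comparison for directories reviewed during recovery.
# Assumes GNU coreutils sha256sum; paths with whitespace are not handled.

# Record "hash  path" for every regular file under $1 into baseline file $2.
snapshot() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# Compare directory $1 against baseline file $2. Prints one line per
# difference (ADDED, REMOVED or MODIFIED followed by the path); prints
# nothing when the directory matches the baseline.
compare_baseline() {
    cur=$(mktemp)
    snapshot "$1" "$cur"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         {
             if (!($2 in old))       { print "ADDED    " $2 }
             else if (old[$2] != $1) { print "MODIFIED " $2 }
             delete old[$2]
         }
         END { for (p in old) print "REMOVED  " p }' "$2" "$cur"
    rm -f "$cur"
}

demo() {
    dir=$(mktemp -d); base=$(mktemp)
    # Constructed known-good state.
    printf 'unchanged\n' > "$dir/keep"
    printf 'v1\n'        > "$dir/edited"
    printf 'old\n'       > "$dir/removed"
    snapshot "$dir" "$base"
    # Simulated post-incident state: one file edited, one dropped, one added.
    printf 'v2\n'  > "$dir/edited"
    rm "$dir/removed"
    printf 'new\n' > "$dir/planted"
    compare_baseline "$dir" "$base"
    rm -rf "$dir" "$base"
}

demo
```

Keep the baseline file off the host (or at least outside the directory it describes); a baseline stored next to the files it covers can be rewritten by whoever modified them.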

Prevent

Option 1 — Review sudo and auth activity regularly

sudo grep -Ei "sudo|COMMAND|Accepted" /var/log/auth.log

Option 2 — Keep SSH and admin exposure tightly restricted

sudo ufw allow from <trusted_ip> to any port 22
sudo ufw deny 22

Option 3 — Review privileged group membership

getent group sudo

Option 4 — Watch for post-escalation persistence paths

sudo systemctl list-unit-files --type=service
sudo find /etc/cron* -type f

Option 5 — Keep software and services updated

sudo apt update
sudo apt upgrade

Optional Tools & Hosting

Manual auth, process, and system review should come first. Future recommendations may include tooling that improves host visibility, but the core workflow remains tracing privilege gain to its source and reviewing what changed afterward.

Notes

Environment Note

All commands shown are based on Debian-based systems unless otherwise noted.