New We plan on releasing bi-monthly edits and updates to the OS-CFDB project! Please check out the search function!

Standard User with Local Admin









Finding MITRE ATT&CK Corelation

Name Tactic ID Link
Bypass User Account Control Defense Evasion, Privilege Escalation T1088

Finding Metadata

Finding Service(s)

Internal Penetration Testing
External Penetration Testing

NIST 800-53 Control(s)


Finding Development

Author Name Twitter Handle Email Created Updated

Technical Information


The technical overview of a finding, not meant to be all-inclusive.

Following the least privileged model, standard users should have only enough rights to perform their task or duty. The assessment team discovered the following users contain the group permissions of Administrator. Resulting in the ability for the assessment team to execute a User Access Control (UAC) bypass to gain full SYSTEM privileges of the host.


How a finding result will affect an organization.

Over delegation of Local Admin rights to a “Standard” user account can result in unwanted, unauthorized or unnecessary software system access. If a system becomes compromised in a “Standard” user context, an attacker can use local administrator privileges to gain access to cached credentials, install persistence, or perform post exploitation attacks to further their access.


Current plan of action recomended.

The assessment team recommends that the least privileged model is followed when assessing if users should have the local “Administrator” group permission. In many cases, this privilege could be granted on a case-by-case basis for certain administrative functions. One method of employing this is using credential checkout systems or assigning the user a secondary account for administrator functions. These remediations reduce the overall attack surface of running at elevated privilege levels for day-to-day tasks.