How can an attacker use ACL modification for a local privilege escalation backdoor?
After gaining administrator privileges, an attacker can modify the ACL of system directories (e.g., using icacls or PowerShell) to grant full control to a regular user. This enables the regular user to exploit techniques like DLL hijacking or file replacement for privilege escalation. This scenario is covered in the exploitation section of the ACL article.
privilege escalation, backdoor, ACL, DLL hijacking, icacls