- Tactics
- Privilege Escalation
- Platforms
- Linux, macOS, Windows, IaaS, Office Suite, Identity Provider
- Reference
- attack.mitre.org/techniques/T1548
Description
Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)
Sub-techniques
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Privilege Escalation tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1037 - Boot or Logon Initialization Scripts
- T1053 - Scheduled Task/Job
- T1055 - Process Injection
- T1068 - Exploitation for Privilege Escalation
- T1078 - Valid Accounts
- T1098 - Account Manipulation
- T1134 - Access Token Manipulation
- T1484 - Domain or Tenant Policy Modification
- T1543 - Create or Modify System Process
- T1546 - Event Triggered Execution
- T1547 - Boot or Logon Autostart Execution
- T1611 - Escape to Host