- Tactics
- Privilege Escalation
- Platforms
- Linux, macOS, Windows, IaaS, Office Suite, Identity Provider
- Reference
- attack.mitre.org/techniques/T1548
Description
Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)
Sub-techniques
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Privilege Escalation tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1037 — Boot or Logon Initialization Scripts
- T1053 — Scheduled Task/Job
- T1055 — Process Injection
- T1068 — Exploitation for Privilege Escalation
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1134 — Access Token Manipulation
- T1484 — Domain or Tenant Policy Modification
- T1543 — Create or Modify System Process
- T1546 — Event Triggered Execution
- T1547 — Boot or Logon Autostart Execution
- T1611 — Escape to Host