T1068 Exploitation for Privilege Escalation Mappings

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1068 Exploitation for Privilege Escalation
AC-4 Information Flow Enforcement Protects T1068 Exploitation for Privilege Escalation
AC-6 Least Privilege Protects T1068 Exploitation for Privilege Escalation
CA-7 Continuous Monitoring Protects T1068 Exploitation for Privilege Escalation
CA-8 Penetration Testing Protects T1068 Exploitation for Privilege Escalation
CM-2 Baseline Configuration Protects T1068 Exploitation for Privilege Escalation
CM-6 Configuration Settings Protects T1068 Exploitation for Privilege Escalation
CM-7 Least Functionality Protects T1068 Exploitation for Privilege Escalation
CM-8 System Component Inventory Protects T1068 Exploitation for Privilege Escalation
RA-10 Threat Hunting Protects T1068 Exploitation for Privilege Escalation
RA-5 Vulnerability Monitoring and Scanning Protects T1068 Exploitation for Privilege Escalation
SC-18 Mobile Code Protects T1068 Exploitation for Privilege Escalation
SC-2 Separation of System and User Functionality Protects T1068 Exploitation for Privilege Escalation
SC-26 Decoys Protects T1068 Exploitation for Privilege Escalation
SC-29 Heterogeneity Protects T1068 Exploitation for Privilege Escalation
SC-3 Security Function Isolation Protects T1068 Exploitation for Privilege Escalation
SC-30 Concealment and Misdirection Protects T1068 Exploitation for Privilege Escalation
SC-35 External Malicious Code Identification Protects T1068 Exploitation for Privilege Escalation
SC-39 Process Isolation Protects T1068 Exploitation for Privilege Escalation
SC-7 Boundary Protection Protects T1068 Exploitation for Privilege Escalation
SI-2 Flaw Remediation Protects T1068 Exploitation for Privilege Escalation
SI-3 Malicious Code Protection Protects T1068 Exploitation for Privilege Escalation
SI-4 System Monitoring Protects T1068 Exploitation for Privilege Escalation
SI-5 Security Alerts, Advisories, and Directives Protects T1068 Exploitation for Privilege Escalation
SI-7 Software, Firmware, and Information Integrity Protects T1068 Exploitation for Privilege Escalation
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Format string attack Format string attack. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Fuzz testing Fuzz testing. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Insecure deserialization iterating over sequential or obvious values. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Integer overflows Integer overflows. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.LDAP injection LDAP injection. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1068 Exploitation for Privilege Escalation