Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation, including through software exploitation, to circumvent those restrictions.
When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.
Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.
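The BYOVD pattern described above is awkward for signature-based controls because the driver is validly signed; what distinguishes it is the driver's identity and where it was loaded from. The following Python script is an added example (not code from the ATT&CK page, MITRE, or Microsoft) that scans constructed driver-load records, modelled on the fields of a Sysmon DriverLoad (Event ID 6) entry, and flags a load when its SHA-256 is on a vulnerable-driver blocklist, when it is not validly signed, or when it was loaded from outside the usual driver directories. The blocklist entry and every hash, path and vendor name in the sample records are constructed placeholders, not real driver hashes.

```python
"""Flag suspicious kernel driver loads (BYOVD detection illustration).

Added example; not part of the ATT&CK page or any vendor product.
Records are constructed to resemble Sysmon Event ID 6 (DriverLoad) fields
(ImageLoaded, Hashes, Signed, Signature, SignatureStatus).
"""
import re

# PLACEHOLDER blocklist. A real deployment would load the SHA-256 values of
# known-vulnerable drivers (for example from the Microsoft recommended driver
# block rules or the community LOLDrivers list). This entry is NOT a real hash.
BLOCKLIST_SHA256 = {
    "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER",
}

# Directories from which vendor-installed drivers are normally loaded
# (a heuristic; adjust to the environment's baseline).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed sample records in 'key=value key="quoted value"' form.
SAMPLE_EVENTS = [
    # Legitimate, validly signed driver loaded from the normal location.
    'ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys '
    'Hashes=MD5=0123abcd,SHA256=00112233aabbccdd Signed=true '
    'Signature="Microsoft Windows" SignatureStatus=Valid',
    # BYOVD-style load: validly signed, but the hash is blocklisted and the
    # driver was dropped into a user-writable directory.
    'ImageLoaded="C:\\Users\\Public\\olddrv.sys" '
    'Hashes=SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER Signed=true '
    'Signature="Example Vendor Ltd" SignatureStatus=Valid',
    # Unsigned driver loaded from a temp directory.
    'ImageLoaded=C:\\Windows\\Temp\\drv.sys Hashes=SHA256=ffeeddcc99887766 '
    'Signed=false Signature="" SignatureStatus=Unavailable',
]

# key=value pairs; values may be double-quoted to allow spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one constructed record into a dict of field name -> value."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD_RE.finditer(line)
    }


def sha256_of(hashes_field):
    """Extract the SHA-256 digest from a Sysmon-style 'ALGO=hex,ALGO=hex' field."""
    for part in hashes_field.split(","):
        algo, sep, digest = part.partition("=")
        if sep and algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def classify(event):
    """Return the list of reasons a driver load looks suspicious (empty if none)."""
    reasons = []
    image = event.get("ImageLoaded", "").lower()
    digest = sha256_of(event.get("Hashes", ""))
    blocklist = {h.lower() for h in BLOCKLIST_SHA256}

    # Identity check: this is the one that catches a validly signed BYOVD driver.
    if digest and digest in blocklist:
        reasons.append("hash on vulnerable-driver blocklist")
    # Signature check: catches unsigned or invalidly signed drivers.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    # Location heuristic: drivers loaded from user-writable paths deserve review.
    if image and not image.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from unexpected directory")
    return reasons


def scan(lines):
    """Return [(image_path, reasons)] for every record that raised at least one reason."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings.append((event.get("ImageLoaded", "<unknown>"), reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

The second sample record is the instructive one: it passes the signature check, so only the hash blocklist and the load-path heuristic surface it. This is why controls such as CM-08 (inventory of what drivers are present), SI-04 (monitoring driver loads) and SI-03 (blocking known-bad drivers) are listed for this technique alongside SI-02 patching; none of them is sufficient alone.
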

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-02 | Account Management | Protects | T1068 | Exploitation for Privilege Escalation | |
AC-04 | Information Flow Enforcement | Protects | T1068 | Exploitation for Privilege Escalation | |
AC-06 | Least Privilege | Protects | T1068 | Exploitation for Privilege Escalation | |
CA-07 | Continuous Monitoring | Protects | T1068 | Exploitation for Privilege Escalation | |
CA-08 | Penetration Testing | Protects | T1068 | Exploitation for Privilege Escalation | |
CM-02 | Baseline Configuration | Protects | T1068 | Exploitation for Privilege Escalation | |
CM-06 | Configuration Settings | Protects | T1068 | Exploitation for Privilege Escalation | |
CM-07 | Least Functionality | Protects | T1068 | Exploitation for Privilege Escalation | |
CM-08 | System Component Inventory | Protects | T1068 | Exploitation for Privilege Escalation | |
RA-10 | Threat Hunting | Protects | T1068 | Exploitation for Privilege Escalation | |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-18 | Mobile Code | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-02 | Separation of System and User Functionality | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-03 | Security Function Isolation | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-30 | Concealment and Misdirection | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-39 | Process Isolation | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-07 | Boundary Protection | Protects | T1068 | Exploitation for Privilege Escalation | |
SI-02 | Flaw Remediation | Protects | T1068 | Exploitation for Privilege Escalation | |
SI-03 | Malicious Code Protection | Protects | T1068 | Exploitation for Privilege Escalation | |
SI-04 | System Monitoring | Protects | T1068 | Exploitation for Privilege Escalation | |
SI-05 | Security Alerts, Advisories, and Directives | Protects | T1068 | Exploitation for Privilege Escalation | |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1068 | Exploitation for Privilege Escalation | |
DEF-SECA-E3 | Security Alerts | Technique Scores | T1068 | Exploitation for Privilege Escalation | Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain: reconnaissance and discovery alerts; persistence and privilege escalation alerts; credential access alerts; lateral movement alerts; other alerts. License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR. |
DEF-LM-E5 | Lateral Movements | Technique Scores | T1068 | Exploitation for Privilege Escalation | Defender for Identity LMPs (lateral movement paths) are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movement within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts. |