The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: * SYSTEM/root level * local administrator * user account with admin-like access * user accounts with access to specific system or perform specific function These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
View in MITRE ATT&CK®| Technique ID | Technique Name | Number of Mappings | Number of Subtechniques |
|---|---|---|---|
| T1037 | Boot or Logon Initialization Scripts | 20 | 5 |
| T1543 | Create or Modify System Process | 56 | 5 |
| T1547 | Boot or Logon Autostart Execution | 20 | 14 |
| T1053 | Scheduled Task/Job | 32 | 5 |
| T1055 | Process Injection | 38 | 12 |
| T1611 | Escape to Host | 33 | 0 |
| T1548 | Abuse Elevation Control Mechanism | 54 | 6 |
| T1098 | Account Manipulation | 69 | 7 |
| T1574 | Hijack Execution Flow | 51 | 13 |
| T1078 | Valid Accounts | 144 | 4 |
| T1068 | Exploitation for Privilege Escalation | 127 | 0 |
| T1546 | Event Triggered Execution | 32 | 17 |
| T1134 | Access Token Manipulation | 23 | 4 |
| T1484 | Domain or Tenant Policy Modification | 27 | 2 |