Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.
Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.
References
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
References
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of software vulnerabilities to elevate privileges.
References
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can exploit known system vulnerabilities, but does not explicitly address other procedures.
References
|
| docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
This control may provide recommendations on how to reduce the surface area and mechanisms by which an attacker could escalate privileges.
References
|
| ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
This control's "Container with privilege escalation should be avoided", "Least privileged Linux capabilities should be enforced for containers", "Privileged containers should be avoided", "Running containers as root user should be avoided" and "Containers sharing sensitive host namespaces should be avoided" recommendations can make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities. Because this is a recommendation, the assessed score has been capped at Partial.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on suspicious arguments used to exploit Xorg vulnerabilities for privilege escalation.
References
|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
| azure_policy | Azure Policy | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
|
| azure_update_manager | Azure Update Manager | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
This control provides significant coverage of methods that leverage vulnerabilities in unpatched software since it enables automated updates of software and rapid configuration change management
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
| defender_for_azure_sql_databases | Microsoft Defender for Azure SQL Databases | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
This control may scan for users with unnecessary permissions and if SQL Server is out of date.
References
|
| defender_for_containers | Microsoft Defender for Containers | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
This control may provide recommendations to avoid privileged containers and running containers as root.
References
|
| defender_for_containers | Microsoft Defender for Containers | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on detection of new privileged containers and high privilege roles.
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on escalation attempts from Azure AD to Azure accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score. The following alerts may be generated: "PowerZure exploitation toolkit used to elevate access from Azure AD to Azure".
References
|
| vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| artifact_analysis | Artifact Analysis | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known Linux OS package vulnerabilities in various containers (e.g., Debian, Ubuntu, Alpine, RHEL, CentOS).
References
|
| artifact_analysis | Artifact Analysis | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
Artifact Analysis scans container images uploaded to Artifact Registry or Container Registry (deprecated) for known software vulnerabilities and various system artifacts that could potentially be used to execute adversary-controlled code. Due to the medium threat protection coverage and temporal factor, this control was scored as partial.
References
|
| google_secops | Google Security Operations | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
Google Security Ops is able to trigger alert based on suspicious command line behavior that could indicate remote code exploitation attempts (e.g., detect exploits using child processes spawned by Windows DNS processes).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/process_creation/cve_2020_1350_dns_remote_code_exploit__sigred___via_cmdline.yaral
References
|
| policy_intelligence | Policy Intelligence | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to perform privilege escalation via permission levels and software exploitation.
References
|
| vm_manager | VM Manager | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_inspector | Amazon Inspector | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
| aws_config | AWS Config | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
The "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation, including for privilege escalation.
The "ecs-task-definition-user-for-host-mode-check" managed rule can identify Amazon Elastic Container Service (ECS) task definitions for containers with host networking mode and 'privileged' or 'user' container definitions, which may enable adversaries to break out of containers and gain access to the underlying host, increasing their access and privileges.
All of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.
References
|
| aws_security_hub | AWS Security Hub | technique_scores | T1068 | Exploitation for Privilege Escalation |
Comments
AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight.
EC2 instances that have missing security patches for important vulnerabilities
This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-SECA-E3 | Security Alerts | Technique Scores | T1068 | Exploitation for Privilege Escalation |
Comments
Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
Reconnaissance and discovery alerts
Persistence and privilege escalation alerts
Credential access alerts
Lateral movement alerts
Other alerts
License: A Microsoft 365 security product license entitles customer use
of Microsoft Defender XDR.
References
|
| DEF-LM-E5 | Lateral Movements | Technique Scores | T1068 | Exploitation for Privilege Escalation |
Comments
Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts.
References
|