T1548 Abuse Elevation Control Mechanism Mappings

Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms intended to limit the privileged actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that are considered higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can use several methods to take advantage of these built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| CM-06 | Configuration Settings | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| CM-05 | Access Restrictions for Change | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| SC-18 | Mobile Code | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| SI-12 | Information Management and Retention | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| SC-34 | Non-modifiable Executable Programs | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| SI-16 | Memory Protection | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| SI-02 | Flaw Remediation | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| CM-08 | System Component Inventory | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| SI-03 | Malicious Code Protection | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| AC-16 | Security and Privacy Attributes | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| CM-02 | Baseline Configuration | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| CM-07 | Least Functionality | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| SI-04 | System Monitoring | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| AC-02 | Account Management | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| AC-03 | Access Enforcement | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| AC-05 | Separation of Duties | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| AC-06 | Least Privilege | mitigates | T1548 | Abuse Elevation Control Mechanism | |
| CM-03 | Configuration Change Control | mitigates | T1548 | Abuse Elevation Control Mechanism | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1548 | Abuse Elevation Control Mechanism | |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1548 | Abuse Elevation Control Mechanism | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1548 | Abuse Elevation Control Mechanism | |

Comments: Google Security Ops is able to trigger an alert based on Custom Role changes. This technique was scored as Minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_custom_role_changes.yaral

AWS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_inspector | Amazon Inspector | technique_scores | T1548 | Abuse Elevation Control Mechanism | |

Comments: The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures that only the root account can modify or execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; rather, it only checks whether security controls are in place, which can inform decisions about hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques of this technique. Because of this, and because the security control is only supported for Linux platforms, the score is Minimal.

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1548.002 | Bypass User Account Control | 17 |
| T1548.003 | Sudo and Sudo Caching | 17 |
| T1548.001 | Setuid and Setgid | 4 |
| T1548.005 | Temporary Elevated Cloud Access | 8 |
| T1548.004 | Elevated Execution with Prompt | 13 |
| T1548.006 | TCC Manipulation | 21 |