Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.
Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| TVM-05 | Detection Updates | mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
This control requires both CSP and CSC to independently define, implement, and regularly update detection tools, threat signatures, and indicators of compromise based from a threat intelligence platform/program ensuring effective and timely detection of threats across all cloud service models.
A centralized threat intelligence platform or program enables organizations to proactively identify, analyze, and act on cyber threats by leveraging internal and external data sources. As it applies to mitigable techniques, developing a robust cyber threat intelligence capability to mitigate and determine what types and levels of threat may use software exploits and 0-days or N-days against a particular organization. For the impersonation, threat intelligence helps defenders and users be aware of and defend against common lures and active campaigns that have been used for impersonation.
References
|
| AIS-06 | Automated Secure Application Deployment | mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. The automated patch‑management system could ensure OS, runtime, and application vulnerabilities are remediated quickly, removing the exploitable footholds attackers use to elevate privileges after a compromised deployment.
References
|
| AIS-05 | Automated Application Security Testing | mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may attempt to bypass access controls and elevate privileges to gain unauthorized access. Therefore, testing for improper privilege escalation, such as scenarios where a user can act without authentication or gain administrative rights while logged in as a standard user, can help mitigate these risks.
References
|