Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileges a user can exercise on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1548 | Abuse Elevation Control Mechanism | |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1548 | Abuse Elevation Control Mechanism | |

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1548.002 | Bypass User Account Control | 3 |
| T1548.003 | Sudo and Sudo Caching | 3 |
| T1548.001 | Setuid and Setgid | 1 |
| T1548.005 | Temporary Elevated Cloud Access | 2 |
| T1548.004 | Elevated Execution with Prompt | 2 |
| T1548.006 | TCC Manipulation | 3 |