Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation, including the use of software exploitation, to circumvent those restrictions.
When initially gaining access to a system, an adversary may be operating within a lower-privileged process that prevents them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. Depending on which component is vulnerable, this could enable someone to move from unprivileged or user-level permissions to SYSTEM or root permissions. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1068 | Exploitation for Privilege Escalation | |
AC-4 | Information Flow Enforcement | Protects | T1068 | Exploitation for Privilege Escalation | |
AC-6 | Least Privilege | Protects | T1068 | Exploitation for Privilege Escalation | |
CA-7 | Continuous Monitoring | Protects | T1068 | Exploitation for Privilege Escalation | |
CA-8 | Penetration Testing | Protects | T1068 | Exploitation for Privilege Escalation | |
CM-2 | Baseline Configuration | Protects | T1068 | Exploitation for Privilege Escalation | |
CM-6 | Configuration Settings | Protects | T1068 | Exploitation for Privilege Escalation | |
CM-8 | System Component Inventory | Protects | T1068 | Exploitation for Privilege Escalation | |
RA-10 | Threat Hunting | Protects | T1068 | Exploitation for Privilege Escalation | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-18 | Mobile Code | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-2 | Separation of System and User Functionality | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-26 | Decoys | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-29 | Heterogeneity | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-3 | Security Function Isolation | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-30 | Concealment and Misdirection | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-35 | External Malicious Code Identification | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-39 | Process Isolation | Protects | T1068 | Exploitation for Privilege Escalation | |
SC-7 | Boundary Protection | Protects | T1068 | Exploitation for Privilege Escalation | |
SI-2 | Flaw Remediation | Protects | T1068 | Exploitation for Privilege Escalation | |
SI-3 | Malicious Code Protection | Protects | T1068 | Exploitation for Privilege Escalation | |
SI-4 | System Monitoring | Protects | T1068 | Exploitation for Privilege Escalation | |
SI-5 | Security Alerts, Advisories, and Directives | Protects | T1068 | Exploitation for Privilege Escalation | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1068 | Exploitation for Privilege Escalation | |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1068 | Exploitation for Privilege Escalation | This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed". |
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1068 | Exploitation for Privilege Escalation | This control's "Container with privilege escalation should be avoided", "Least privileged Linux capabilities should be enforced for containers", "Privileged containers should be avoided", "Running containers as root user should be avoided" and "Containers sharing sensitive host namespaces should be avoided" recommendations can make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities. Because this is a recommendation, the assessed score has been capped at Partial. |
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1068 | Exploitation for Privilege Escalation | This control may alert on suspicious arguments used to exploit Xorg vulnerabilities for privilege escalation. |
azure_defender_for_resource_manager | Azure Defender for Resource Manager | technique_scores | T1068 | Exploitation for Privilege Escalation | This control may alert on escalation attempts from Azure AD to Azure accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal, resulting in an overall Minimal score. The following alerts may be generated: "PowerZure exploitation toolkit used to elevate access from Azure AD to Azure". |
azure_sentinel | Azure Sentinel | technique_scores | T1068 | Exploitation for Privilege Escalation | The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can exploit known system vulnerabilities, but does not explicitly address other procedures. |
azure_defender_for_kubernetes | Azure Defender for Kubernetes | technique_scores | T1068 | Exploitation for Privilege Escalation | This control may alert on detection of new privileged containers and high-privilege roles. |
azure_automation_update_management | Azure Automation Update Management | technique_scores | T1068 | Exploitation for Privilege Escalation | This control provides significant coverage of methods that leverage vulnerabilities in unpatched software, since it enables automated updates of software and rapid configuration change management. |
azure_policy | Azure Policy | technique_scores | T1068 | Exploitation for Privilege Escalation | This control may provide recommendations for vulnerability assessment and for outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation. |
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1068 | Exploitation for Privilege Escalation | This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. |
azure_defender_for_container_registries | Azure Defender for Container Registries | technique_scores | T1068 | Exploitation for Privilege Escalation | This control may provide recommendations to avoid privileged containers and running containers as root. |
sql_vulnerability_assessment | SQL Vulnerability Assessment | technique_scores | T1068 | Exploitation for Privilege Escalation | This control may scan for users with unnecessary permissions and check whether SQL Server is out of date. |
integrated_vulnerability_scanner_powered_by_qualys | Integrated Vulnerability Scanner Powered by Qualys | technique_scores | T1068 | Exploitation for Privilege Escalation | Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation, and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial. |
docker_host_hardening | Docker Host Hardening | technique_scores | T1068 | Exploitation for Privilege Escalation | This control may provide recommendations on how to reduce the surface area and the mechanisms by which an attacker could escalate privileges. |
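The container recommendations cited in the Azure Security Center Recommendations, Azure Defender for Kubernetes and Azure Defender for Container Registries rows above (privileged containers, privilege escalation, root user, Linux capabilities, shared host namespaces) all come down to a handful of fields in a Pod's `securityContext`. The script below is an added example, not Azure's or Microsoft Defender's own check logic: it audits a Kubernetes Pod manifest already loaded as a dict (for instance via `json.load` of `kubectl get pod -o json` output) for exactly those fields. The `DANGEROUS_CAPS` set is an assumed illustrative list, not the one the Azure recommendation uses, and the two manifests are constructed samples.

```python
"""Audit Kubernetes Pod manifests for the container settings behind the
privilege-escalation recommendations: privileged containers,
allowPrivilegeEscalation, running as root, added Linux capabilities, and
shared host namespaces.  Added example, not Azure's own check logic.
"""
from typing import NamedTuple

# Capabilities that commonly enable container-to-host escalation.
# Assumed list for illustration only, not Azure's recommendation logic.
DANGEROUS_CAPS = {
    "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
    "DAC_READ_SEARCH", "DAC_OVERRIDE", "NET_ADMIN", "BPF", "PERFMON",
}

HOST_NAMESPACE_FLAGS = ("hostPID", "hostIPC", "hostNetwork")


class Finding(NamedTuple):
    code: str      # stable identifier of the failed check
    target: str    # "pod" or "pod/container"
    detail: str


def _norm_caps(caps) -> set[str]:
    """Kubernetes accepts capability names with or without the CAP_ prefix."""
    return {c.upper().removeprefix("CAP_") for c in caps or []}


def audit_pod(pod: dict) -> list[Finding]:
    findings: list[Finding] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    # "Containers sharing sensitive host namespaces should be avoided"
    for flag in HOST_NAMESPACE_FLAGS:
        if spec.get(flag):
            findings.append(Finding("HOST_NAMESPACE", name, f"{flag}: true"))

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        target = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext") or {}

        # "Privileged containers should be avoided"
        if sc.get("privileged"):
            findings.append(Finding("PRIVILEGED", target, "privileged: true"))

        # "Container with privilege escalation should be avoided".
        # Kubernetes defaults allowPrivilegeEscalation to true, so only an
        # explicit false passes (it is also forced true by privileged/SYS_ADMIN).
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(Finding("ALLOW_PRIV_ESC", target,
                                    "allowPrivilegeEscalation not set to false"))

        # "Running containers as root user should be avoided".
        # Container-level settings override the pod-level securityContext.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0:
            findings.append(Finding("ROOT_USER", target, "runAsUser: 0"))
        elif run_as_user is None and not run_as_non_root:
            findings.append(Finding("ROOT_USER", target,
                                    "no runAsUser and runAsNonRoot not true; image default may be root"))

        # "Least privileged Linux capabilities should be enforced for containers"
        caps = sc.get("capabilities") or {}
        dropped = _norm_caps(caps.get("drop"))
        added = _norm_caps(caps.get("add"))
        if "ALL" not in dropped:
            findings.append(Finding("CAPS_NOT_DROPPED", target,
                                    "capabilities.drop does not include ALL"))
        for cap in sorted(added & DANGEROUS_CAPS):
            findings.append(Finding("DANGEROUS_CAP", target, f"adds {cap}"))

    return findings


# Constructed sample: a typical "debug shell" pod that fails every check.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True, "runAsUser": 0,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

# Constructed sample: the same workload with the recommended settings.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "example.com/app:1.2.3",
            "securityContext": {"privileged": False,
                                "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"],
                                                 "add": ["NET_BIND_SERVICE"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        for f in audit_pod(pod):
            print(f"{f.code:17} {f.target}: {f.detail}")
```

The weak manifest produces one finding per recommendation (six in total, since capabilities are reported both for not dropping ALL and for adding SYS_ADMIN), while the hardened one produces none. Note that `allowPrivilegeEscalation` is flagged whenever it is not explicitly `false`: an otherwise minimal manifest that never mentions it still fails the "Container with privilege escalation should be avoided" check, which matches how the kubelet treats the unset field.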