1. Home
  2. ATT&CK Techniques
  3. T1068 Exploitation for Privilege Escalation

T1068 Exploitation for Privilege Escalation Mappings

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1068 Exploitation for Privilege Escalation
AC-4 Information Flow Enforcement Protects T1068 Exploitation for Privilege Escalation
AC-6 Least Privilege Protects T1068 Exploitation for Privilege Escalation
CA-7 Continuous Monitoring Protects T1068 Exploitation for Privilege Escalation
CA-8 Penetration Testing Protects T1068 Exploitation for Privilege Escalation
CM-2 Baseline Configuration Protects T1068 Exploitation for Privilege Escalation
CM-6 Configuration Settings Protects T1068 Exploitation for Privilege Escalation
CM-7 Least Functionality Protects T1068 Exploitation for Privilege Escalation
CM-8 System Component Inventory Protects T1068 Exploitation for Privilege Escalation
RA-10 Threat Hunting Protects T1068 Exploitation for Privilege Escalation
RA-5 Vulnerability Monitoring and Scanning Protects T1068 Exploitation for Privilege Escalation
SC-18 Mobile Code Protects T1068 Exploitation for Privilege Escalation
SC-2 Separation of System and User Functionality Protects T1068 Exploitation for Privilege Escalation
SC-26 Decoys Protects T1068 Exploitation for Privilege Escalation
SC-29 Heterogeneity Protects T1068 Exploitation for Privilege Escalation
SC-3 Security Function Isolation Protects T1068 Exploitation for Privilege Escalation
SC-30 Concealment and Misdirection Protects T1068 Exploitation for Privilege Escalation
SC-35 External Malicious Code Identification Protects T1068 Exploitation for Privilege Escalation
SC-39 Process Isolation Protects T1068 Exploitation for Privilege Escalation
SC-7 Boundary Protection Protects T1068 Exploitation for Privilege Escalation
SI-2 Flaw Remediation Protects T1068 Exploitation for Privilege Escalation
SI-3 Malicious Code Protection Protects T1068 Exploitation for Privilege Escalation
SI-4 System Monitoring Protects T1068 Exploitation for Privilege Escalation
SI-5 Security Alerts, Advisories, and Directives Protects T1068 Exploitation for Privilege Escalation
SI-7 Software, Firmware, and Information Integrity Protects T1068 Exploitation for Privilege Escalation
CVE-2019-15976 Cisco Data Center Network Manager primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1753 Cisco IOS XE Software primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1879 Cisco Unified Computing System (Management Software) primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1863 Cisco Unified Computing System E-Series Software (UCSE) primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-3403 Cisco IOS XE Software primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-3216 Cisco IOS XE SD-WAN Software primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1889 Cisco Application Policy Infrastructure Controller (APIC) primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1764 Cisco Wireless IP Phone 8821 and 8821-EX primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-3387 Cisco SD-WAN vManage primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1876 Cisco Wide Area Application Services (WAAS) secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1612 Nexus 3000 Series Switches secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1609 MDS 9000 Series Multilayer Switches secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1611 Firepower 4100 Series Next-Generation Firewalls secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1915 Cisco Unified Communications Manager primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1790 Cisco NX-OS Software secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-3735 Dell SupportAssist for Business PCs primary_impact T1068 Exploitation for Privilege Escalation
CVE-2018-15782 RSA Authentication Manager primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-5326 Dell Client Consumer and Commercial Platforms primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-3727 RecoverPoint secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-3704 VNX Control Station in Dell EMC VNX2 OE for File secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-5358 Dell Encryption Enterprise primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-5371 Isilon OneFS primary_impact T1068 Exploitation for Privilege Escalation
CVE-2018-15761 UAA primary_impact T1068 Exploitation for Privilege Escalation
CVE-2018-15797 NFS Volume Release primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-5362 Dell Client Consumer and Commercial platforms primary_impact T1068 Exploitation for Privilege Escalation
CVE-2018-11088 Application Service secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2018-15758 Spring Security OAuth primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-3780 Cloud Foundry Container Runtime (CFCR) secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-5369 Isilon OneFS primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-3798 CAPI-release primary_impact T1068 Exploitation for Privilege Escalation
CVE-2018-11060 RSA Archer primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-5328 Isilon OneFS secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2018-15774 iDRAC primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-16784 PyInstaller primary_impact T1068 Exploitation for Privilege Escalation
CVE-2018-10636 CNCSoft with ScreenEditor secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2018-7500 OSIsoft PI Web API primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-6964 GE CARESCAPE Telemetry Server,ApexPro Telemetry Server,CARESCAPE Central Station,Clinical Information Center systems,CARESCAPE B450,B650,B850 Monitors primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-14510 GateManager secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-7004 VBASE Editor primary_impact T1068 Exploitation for Privilege Escalation
CVE-2018-17908 WebAccess Versions 8.3.2 and prior. primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-1111 Windows primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1087 Windows primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1086 Windows primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-1347 Windows 10 Version 2004 for 32-bit Systems primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-0758 Team Foundation Server 2018 primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1021 Windows primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1423 Windows 10 Version 1903 for 32-bit Systems secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-1190 Windows primary_impact T1068 Exploitation for Privilege Escalation
CVE-2018-8575 Microsoft Project primary_impact T1068 Exploitation for Privilege Escalation
CVE-2019-1402 Microsoft Office primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-0981 Windows 10 Version 1909 for 32-bit Systems secondary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-1471 Windows 10 Version 1803 primary_impact T1068 Exploitation for Privilege Escalation
CVE-2020-0636 Windows 10 Version 1903 for 32-bit Systems primary_impact T1068 Exploitation for Privilege Escalation
CVE-2015-2945 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2014-4114 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-8835 Linux kernel uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-8467 Trend Micro OfficeScan, Trend Micro Apex One uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-12659 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-10751 kernel uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-1027 Windows uncategorized T1068 Exploitation for Privilege Escalation
CVE-2019-1215 Windows uncategorized T1068 Exploitation for Privilege Escalation
CVE-2019-1214 Windows uncategorized T1068 Exploitation for Privilege Escalation
CVE-2019-0859 Windows uncategorized T1068 Exploitation for Privilege Escalation
CVE-2018-9862 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2018-9488 Android uncategorized T1068 Exploitation for Privilege Escalation
CVE-2018-8599 Microsoft Visual Studio uncategorized T1068 Exploitation for Privilege Escalation
CVE-2018-5463 LCDS - Leão Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA uncategorized T1068 Exploitation for Privilege Escalation
CVE-2018-11776 Apache Struts uncategorized T1068 Exploitation for Privilege Escalation
CVE-2017-1274 Domino uncategorized T1068 Exploitation for Privilege Escalation
CVE-2017-0263 Microsoft Windows uncategorized T1068 Exploitation for Privilege Escalation
CVE-2016-5195 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2015-7910 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2015-2387 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2015-2360 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2015-0016 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2014-4113 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2014-1807 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2014-0322 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2012-0181 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2010-2884 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2010-2743 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2009-1612 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-5539 GRANDIT uncategorized T1068 Exploitation for Privilege Escalation
CVE-2017-13289 Android uncategorized T1068 Exploitation for Privilege Escalation
CVE-2019-15821 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2013-0707 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-10817 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2019-5786 Chrome uncategorized T1068 Exploitation for Privilege Escalation
CVE-2017-0213 Windows COM uncategorized T1068 Exploitation for Privilege Escalation
CVE-2019-2215 Android uncategorized T1068 Exploitation for Privilege Escalation
CVE-2019-0808 Windows uncategorized T1068 Exploitation for Privilege Escalation
CVE-2017-7533 Linux kernel through 4.12.4 uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-8649 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-12652 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2014-6324 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2019-5954 JR East Japan train operation information push notification App for Android uncategorized T1068 Exploitation for Privilege Escalation
CVE-2008-4996 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2017-15211 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2010-1592 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2015-1769 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2016-6367 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2015-1701 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2012-4681 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2011-1331 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2013-0640 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2017-5638 Apache Struts uncategorized T1068 Exploitation for Privilege Escalation
CVE-2015-1494 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2015-1805 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2019-9081 uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-12653 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-11608 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2014-4148 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-11651 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-5300 hydra uncategorized T1068 Exploitation for Privilege Escalation
CVE-2013-5065 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2008-0655 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2020-0688 Microsoft Exchange Server 2013 uncategorized T1068 Exploitation for Privilege Escalation
CVE-2019-0708 Windows uncategorized T1068 Exploitation for Privilege Escalation
CVE-2018-19831 n/a uncategorized T1068 Exploitation for Privilege Escalation
CVE-2018-19830 n/a uncategorized T1068 Exploitation for Privilege Escalation
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Format string attack Format string attack. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Fuzz testing Fuzz testing. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Insecure deserialization iterating over sequential or obvious values. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Integer overflows Integer overflows. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.LDAP injection LDAP injection. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1068 Exploitation for Privilege Escalation
aws_config AWS Config technique_scores T1068 Exploitation for Privilege Escalation
Comments
The "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation, including for privilege escalation. The "ecs-task-definition-user-for-host-mode-check" managed rule can identify Amazon Elastic Container Service (ECS) task definitions for containers with host networking mode and 'privileged' or 'user' container definitions, which may enable adversaries to break out of containers and gain access to the underlying host, increasing their access and privileges. All of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.
References
  1. https://docs.aws.amazon.com/config
  2. https://docs.aws.amazon.com/config/latest/developerguide
  3. https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
amazon_inspector Amazon Inspector technique_scores T1068 Exploitation for Privilege Escalation
Comments
Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
  1. https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html
aws_security_hub AWS Security Hub technique_scores T1068 Exploitation for Privilege Escalation
Comments
AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight. EC2 instances that have missing security patches for important vulnerabilities This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.
References
  1. https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html