T1548.004 Elevated Execution with Prompt Mappings

Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.

Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.

Adversaries may abuse <code>AuthorizationExecuteWithPrivileges</code> to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with Masquerading to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-2 Baseline Configuration Protects T1548.004 Elevated Execution with Prompt
CM-6 Configuration Settings Protects T1548.004 Elevated Execution with Prompt
CM-7 Least Functionality Protects T1548.004 Elevated Execution with Prompt
CM-8 System Component Inventory Protects T1548.004 Elevated Execution with Prompt
SC-18 Mobile Code Protects T1548.004 Elevated Execution with Prompt
SC-34 Non-modifiable Executable Programs Protects T1548.004 Elevated Execution with Prompt
SI-12 Information Management and Retention Protects T1548.004 Elevated Execution with Prompt
SI-16 Memory Protection Protects T1548.004 Elevated Execution with Prompt
SI-3 Malicious Code Protection Protects T1548.004 Elevated Execution with Prompt
SI-4 System Monitoring Protects T1548.004 Elevated Execution with Prompt
SI-7 Software, Firmware, and Information Integrity Protects T1548.004 Elevated Execution with Prompt
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1548.004 Abuse Elevation Control Mechanism: Elevated Execution with Prompt
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.004 Abuse Elevation Control Mechanism: Elevated Execution with Prompt