T1068: Exploitation for Privilege Escalation

Data from MITRE ATT&CK®:

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Exploit Protection

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Update Software

Perform regular software updates to mitigate exploitation risk.

Threat Intelligence Program

A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.

Application Isolation and Sandboxing

Restrict execution of code to a virtual environment on or in transit to an endpoint system.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Driver Load (Driver)

Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

OMIGOD SCX RunAsProvider ExecuteShellCommand

linux process creation

Buffer Overflow Attempts

linux

HackTool - SysmonEOP Execution

windows process creation

Audit CVE Event

windows

Suspicious Spool Service Child Process

windows process creation

Process Monitor Driver Creation By Non-Sysinternals Binary

windows file event

OMIGOD SCX RunAsProvider ExecuteScript

linux process creation

OMIGOD HTTP No Authentication RCE

zeek

Malicious Driver Load

windows driver load

Vulnerable Driver Load

windows driver load

Malicious Driver Load By Name

windows driver load

Sudo Privilege Escalation CVE-2019-14287

linux process creation

Sudo Privilege Escalation CVE-2019-14287 - Builtin

linux

Vulnerable Driver Load By Name

windows driver load

Nimbuspwn Exploitation

linux

Process Explorer Driver Creation By Non-Sysinternals Binary

windows file event

OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd

linux

Possible Coin Miner CPU Priority Param

linux