Privilege Escalation
HOME Reconnaissance(10) Resource Development(7) Initial Access(9) Execution(13) Persistence(19) Privilege Escalation(13) Defense Evasion(42) Credential Access(17) Discovery(30) Lateral Movement(9) Collection(17) Command and Control(16) Exfiltration(9) Impact(13)
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:
SYSTEM/root level
local administrator
user account with
admin-like access
user accounts with access to specific system or perform
specific function
These techniques often overlap with Persistence techniques,
as OS features that let an adversary persist can execute in an elevated context.
Techniques
| ID | Name | Description | |
| T1548 | Abuse Elevation Control Mechanism | Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. | |
| .001 | Setuid and Setgid | An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges. | |
| .002 | Bypass User Account Control | Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. | |
| .003 | Sudo and Sudo Caching | Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges. | |
| .004 | Elevated Execution with Prompt |
Adversaries may leverage the AuthorizationExecuteWithPrivileges API
to escalate privileges by prompting the user for credentials. The
purpose of this API is to give application developers an easy way to
perform operations with root privileges, such as for application
installation or updating. This API does not validate that the
program requesting root privileges comes from a reputable source or
has been maliciously modified. | |
| .005 | Temporary Elevated Cloud Access | Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. | |
| T1134 | Access Token Manipulation | Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. | |
| .001 | Token Impersonation/Theft |
Adversaries may duplicate then impersonate
another user's existing token to escalate privileges and bypass access
controls. For example, an adversary can duplicate an existing token
using DuplicateToken or DuplicateTokenEx.
The token can then be used with ImpersonateLoggedOnUser to
allow the calling thread to impersonate a logged on user's security
context, or with SetThreadToken to
assign the impersonated token to a thread. | |
| .002 | Create Process with Token |
Adversaries may create a new process
with an existing token to escalate privileges and bypass access
controls. Processes can be created with the token and resulting
security context of another user using features such as CreateProcessWithTokenW and runas. | |
| .003 | Make and Impersonate Token |
Adversaries may make new tokens and
impersonate users to escalate privileges and bypass access controls.
For example, if an adversary has a username and password but the
user is not logged onto the system the adversary can then create a
logon session for the user using the LogonUser function.
The function will return a copy of the new session's access token
and the adversary can use SetThreadToken to
assign the token to a thread. | |
| .004 | Parent PID Spoofing |
Adversaries may spoof the parent
process identifier (PPID) of a new process to evade
process-monitoring defenses or to elevate privileges. New processes
are typically spawned directly from their parent, or calling,
process unless explicitly specified. One way of explicitly assigning
the PPID of a new process is via the CreateProcess API
call, which supports a parameter that defines the PPID to use. This
functionality is used by Windows features such as User Account
Control (UAC) to correctly set the PPID after a requested elevated
process is spawned by SYSTEM (typically via svchost.exe or consent.exe)
rather than the current user context. | |
| .005 | SID-History Injection | Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute , allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). | |
| T1098 | Account Manipulation | Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. | |
| .001 | Additional Cloud Credentials | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. | |
| .002 | Additional Email Delegate Permissions | Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. | |
| .003 | Additional Cloud Roles | An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins). | |
| .004 | SSH Authorized Keys |
Adversaries may modify the SSH authorized_keys file
to maintain persistence on a victim host. Linux distributions and
macOS commonly use key-based authentication to secure the
authentication process of SSH sessions for remote management. The authorized_keys file
in SSH specifies the SSH keys that can be used for logging into the
user account for which the file is configured. This file is usually
found in the user's home directory under <user-home>/.ssh/authorized_keys.
Users may edit the system’s SSH config file to modify the directives
PubkeyAuthentication and RSAAuthentication to the value "yes" to
ensure public key and RSA authentication are enabled. The SSH config
file is usually located under /etc/ssh/sshd_config. | |
| .005 | Device Registration | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. | |
| .006 | Additional Container Cluster Roles | An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions. | |
| T1547 | Boot or Logon Autostart Execution | Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. | |
| .001 | Registry Run Keys / Startup Folder | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. | |
| .002 | Authentication Package | Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. | |
| .003 | Time Providers | Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. | |
| .004 | Winlogon Helper DLL |
Adversaries may abuse features of
Winlogon to execute DLLs and/or executables when a user logs in.
Winlogon.exe is a Windows component responsible for actions at
logon/logoff as well as the secure attention sequence (SAS)
triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows
NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\ are
used to manage additional helper programs and functionalities that
support Winlogon. | |
| .005 | Security Support Provider | Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. | |
| .006 | Kernel Modules and Extensions | Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. | |
| .007 | Re-opened Applications |
Adversaries may modify plist files to
automatically run an application when a user logs in. When a user
logs out or restarts via the macOS Graphical User Interface (GUI), a
prompt is provided to the user with a checkbox to "Reopen windows
when logging back in". When selected, all applications currently
open are added to a property list file named com.apple.loginwindow.[UUID].plist within
the ~/Library/Preferences/ByHost directory.
Applications listed in this file are automatically reopened upon the
user’s next logon. | |
| .008 | LSASS Driver | Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. | |
| .009 | Shortcut Modification | Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. | |
| .010 | Port Monitors |
Adversaries may use port monitors to
run an adversary supplied DLL during system boot for persistence or
privilege escalation. A port monitor can be set through the AddMonitor API
call to set a DLL to be loaded at startup. This DLL can be located
in C:\Windows\System32 and
will be loaded by the print spooler service, spoolsv.exe, on boot.
The spoolsv.exe process also runs under SYSTEM level permissions.
Alternatively, an arbitrary DLL can be loaded if permissions allow
writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. | |
| .012 | Print Processors |
Adversaries may abuse print processors
to run malicious DLLs during system boot for persistence and/or
privilege escalation. Print processors are DLLs that are loaded by
the print spooler service, spoolsv.exe,
during boot. | |
| .013 | XDG Autostart Entries |
Adversaries may add or modify XDG
Autostart Entries to execute malicious programs or commands when a
user’s desktop environment is loaded at login. XDG Autostart entries
are available for any XDG-compliant Linux system. XDG Autostart
entries use Desktop Entry files (.desktop)
to configure the user’s desktop environment upon user login. These
configuration files determine what applications launch upon user
login, define associated applications to open specific file types,
and define applications used to open removable media. | |
| .014 | Active Setup | Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer. These programs will be executed under the context of the user and will have the account's associated permissions level. | |
| .015 | Login Items |
Adversaries may add login items to
execute upon user login to gain persistence or escalate privileges.
Login items are applications, documents, folders, or server
connections that are automatically launched when a user logs in.
Login items can be added via a shared file list or Service
Management Framework. Shared file list login items can be set using
scripting languages such as AppleScript,
whereas the Service Management Framework uses the API call SMLoginItemSetEnabled. | |
| T1037 | Boot or Logon Initialization Scripts | Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. | |
| .001 | Logon Script (Windows) |
Adversaries may use Windows logon
scripts automatically executed at logon initialization to establish
persistence. Windows allows logon scripts to be run whenever a
specific user or group of users log into a system. This is done via
adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry
key. | |
| .002 | Login Hook |
Adversaries may use a Login Hook to
establish persistence executed upon user logon. A login hook is a
plist file that points to a specific script to execute with root
privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file
and can be modified using the defaults command-line
utility. This behavior is the same for logout hooks where a script
can be executed upon user logout. All hooks require administrator
permissions to modify or create hooks. | |
| .003 | Network Logon Script | Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. | |
| .004 | RC Scripts | Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. | |
| .005 | Startup Items | Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. | |
| T1543 | Create or Modify System Process | Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters. | |
| .001 | Launch Agent |
Adversaries may create or modify launch
agents to repeatedly execute malicious payloads as part of persistence.
When a user logs in, a per-user launchd process is started which loads
the parameters for each launch-on-demand user agent from the property
list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents,
and ~/Library/LaunchAgents.
Property list files use the Label, ProgramArguments ,
and RunAtLoad keys
to identify the Launch Agent's name, executable location, and execution
time. Launch Agents are often installed to perform updates to programs,
launch user specified programs at login, or to conduct other developer
tasks. | |
| .002 | Systemd Service | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. | |
| .003 | Windows Service | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. | |
| .004 | Launch Daemon |
Adversaries may create or modify
Launch Daemons to execute malicious payloads as part of persistence.
Launch Daemons are plist files used to interact with Launchd, the
service management framework used by macOS. Launch Daemons require
elevated privileges to install, are executed for every user on a
system prior to login, and run in the background without the need
for user interaction. During the macOS initialization startup, the
launchd process loads the parameters for launch-on-demand
system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/.
Required Launch Daemons parameters include a Label to
identify the task, Program to
provide a path to the executable, and RunAtLoad to
specify when the task is run. Launch Daemons are often used to
provide access to shared resources, updates to software, or conduct
automation tasks. | |
| T1484 | Domain Policy Modification | Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts. | |
| .001 | Group Policy Modification |
Adversaries may modify Group Policy
Objects (GPOs) to subvert the intended discretionary access controls
for a domain, usually with the intention of escalating privileges on
the domain. Group policy allows for centralized management of user
and computer settings in Active Directory (AD). GPOs are containers
for group policy settings made up of files stored within a
predictable network path \<DOMAIN>\SYSVOL\<DOMAIN>\Policies\. | |
| .002 | Domain Trust Modification | Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. | |
| T1611 | Escape to Host | Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment. | |
| T1546 | Event Triggered Execution | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events. | |
| .001 | Change Default File Association | Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. | |
| .002 | Screensaver |
Adversaries may establish persistence
by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of
user inactivity and consist of Portable Executable (PE) files with a
.scr file extension. The Windows screensaver application
scrnsave.scr is located in C:\Windows\System32\,
and C:\Windows\sysWOW64\ on
64-bit Windows systems, along with screensavers included with base
Windows installations. | |
| .003 | Windows Management Instrumentation Event Subscription | Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. | |
| .004 | Unix Shell Configuration Modification |
Adversaries may establish persistence
through executing malicious commands triggered by a user’s shell.
User Unix
Shells execute several configuration scripts at different points
throughout the session based on events. For example, when a user
opens a command-line interface or remotely logs in (such as via SSH)
a login shell is initiated. The login shell executes scripts from
the system (/etc)
and the user’s home directory (~/)
to configure the environment. All login shells on a system use
/etc/profile when initiated. These configuration scripts run at the
permission level of their directory and are often used to set
environment variables, create aliases, and customize the user’s
environment. When the shell exits or terminates, additional shell
scripts are executed to ensure the shell exits appropriately. | |
| .005 | Trap |
Adversaries may establish persistence
by executing malicious content triggered by an interrupt signal.
The trap command
allows programs and shells to specify commands that will be executed
upon receiving interrupt signals. A common situation is a script
allowing for graceful termination and handling of common keyboard
interrupts like ctrl+c and ctrl+d. | |
| .006 | LC_LOAD_DYLIB Addition | Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes. | |
| .007 | Netsh Helper DLL |
Adversaries may establish persistence
by executing malicious content triggered by Netsh Helper DLLs.
Netsh.exe (also referred to as Netshell) is a command-line scripting
utility used to interact with the network configuration of a system.
It contains functionality to add helper DLLs for extending
functionality of the utility. The paths to registered netsh.exe
helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. | |
| .008 | Accessibility Features | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. | |
| .009 | AppCert DLLs |
Adversaries may establish persistence
and/or elevate privileges by executing malicious content triggered
by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs)
that are specified in the AppCertDLLs Registry
key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
Manager\ are loaded into
every process that calls the ubiquitously used application
programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW,
or WinExec. | |
| .010 | AppInit DLLs |
Adversaries may establish persistence
and/or elevate privileges by executing malicious content triggered
by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs)
that are specified in the AppInit_DLLs value
in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows
NT\CurrentVersion\Windows are
loaded by user32.dll into every process that loads user32.dll. In
practice this is nearly every program, since user32.dll is a very
common library. | |
| .011 | Application Shimming | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. | |
| .012 | Image File Execution Options Injection |
Adversaries may establish persistence
and/or elevate privileges by executing malicious content triggered
by Image File Execution Options (IFEO) debuggers. IFEOs enable a
developer to attach a debugger to an application. When a process is
created, a debugger present in an application’s IFEO will be
prepended to the application’s name, effectively launching the new
process under the debugger (e.g., C:\dbg\ntsd.exe
-g notepad.exe). | |
| .013 | PowerShell Profile |
Adversaries may gain persistence and
elevate privileges by executing malicious content triggered by
PowerShell profiles. A PowerShell profile (profile.ps1)
is a script that runs when PowerShell starts
and can be used as a logon script to customize user environments. | |
| .014 | Emond |
Adversaries may gain persistence and
elevate privileges by executing malicious content triggered by the
Event Monitor Daemon (emond). Emond is a Launch
Daemon that accepts events from various services, runs them
through a simple rules engine, and takes action. The emond binary
at /sbin/emond will
load any rules from the /etc/emond.d/rules/ directory
and take action once an explicitly defined event takes place. | |
| .015 | Component Object Model Hijacking | Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry. | |
| .016 | Installer Packages | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation. | |
| T1068 | Exploitation for Privilege Escalation | Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. | |
| T1574 | Hijack Execution Flow | Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. | |
| .001 | DLL Search Order Hijacking | Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. | |
| .002 | DLL Side-Loading | Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). | |
| .004 | Dylib Hijacking |
Adversaries may execute their own
payloads by placing a malicious dynamic library (dylib) with an
expected name in a path a victim application searches at runtime.
The dynamic loader will try to find the dylibs based on the
sequential order of the search paths. Paths to dylibs may be
prefixed with @rpath,
which allows developers to use relative paths to specify an array of
search paths used at runtime based on the location of the
executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function,
an application will still execute even if an expected dylib is not
present. Weak linking enables developers to run an application on
multiple macOS versions as new APIs are added. | |
| .005 | Executable Installer File Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. | |
| .006 | Dynamic Linker Hijacking |
Adversaries may execute their own
malicious payloads by hijacking environment variables the dynamic
linker uses to load shared libraries. During the execution
preparation phase of a program, the dynamic linker loads specified
absolute paths of shared libraries from environment variables and
files, such as LD_PRELOAD on
Linux or DYLD_INSERT_LIBRARIES on
macOS. Libraries specified in environment variables are loaded
first, taking precedence over system libraries with the same
function name. These variables are often used by developers to debug
binaries without needing to recompile, deconflict mapped symbols,
and implement custom functions without changing the original
library. | |
| .007 | Path Interception by PATH Environment Variable | Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. | |
| .008 | Path Interception by Search Order Hijacking | Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. | |
| .009 | Path Interception by Unquoted Path | Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. | |
| .010 | Services File Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. | |
| .011 | Services Registry Permissions Weakness |
Adversaries may execute their own
malicious payloads by hijacking the Registry entries used by
services. Adversaries may use flaws in the permissions for Registry
keys related to services to redirect from the originally specified
executable to one that they control, in order to launch their own
code when a service starts. Windows stores local service
configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.
The information stored under a service's Registry keys can be
manipulated to modify a service's execution parameters through tools
such as the service controller, sc.exe, PowerShell,
or Reg.
Access to Registry keys is controlled through access control lists
and user permissions. | |
| .012 | COR_PROFILER | Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. | |
| .013 | KernelCallbackTable |
Adversaries may abuse the KernelCallbackTable of
a process to hijack its execution flow in order to run their own
payloads. The KernelCallbackTable can
be found in the Process Environment Block (PEB) and is initialized
to an array of graphic functions available to a GUI process once user32.dll is
loaded. | |
| T1055 | Process Injection | Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. | |
| .001 | Dynamic-link Library Injection | Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. | |
| .002 | Portable Executable Injection | Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. | |
| .003 | Thread Execution Hijacking | Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. | |
| .004 | Asynchronous Procedure Call | Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. | |
| .005 | Thread Local Storage | Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. | |
| .008 | Ptrace System Calls | Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. | |
| .009 | Proc Memory | Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. | |
| .011 | Extra Window Memory Injection | Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. | |
| .012 | Process Hollowing | Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. | |
| .013 | Process Doppelgänging | Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. | |
| .014 | VDSO Hijacking | Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. | |
| .015 | ListPlanting | Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process. | |
| T1053 | Scheduled Task/Job | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system. | |
| .002 | At | Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. | |
| .003 | Cron |
Adversaries may abuse the cron utility
to perform task scheduling for initial or recurring execution of
malicious code. The cron utility
is a time-based job scheduler for Unix-like operating systems. The crontab file
contains the schedule of cron entries to be run and the specified
times for execution. Any crontab files
are stored in operating system-specific file paths. | |
| .005 | Scheduled Task | Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. | |
| .006 | Systemd Timers |
Adversaries may abuse systemd timers
to perform task scheduling for initial or recurring execution of
malicious code. Systemd timers are unit files with file extension .timer that
control services. Timers can be set to run on a calendar event or
after a time span relative to a starting point. They can be used as
an alternative to Cron in
Linux environments. Systemd timers may be activated remotely via
the systemctl command
line utility, which operates over SSH. | |
| .007 | Container Orchestration Job | Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. | |
| T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. | |
| .001 | Default Accounts | Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes. | |
| .002 | Domain Accounts | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. | |
| .003 | Local Accounts | Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. | |
| .004 | Cloud Accounts | Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. | |