T1548: Abuse Elevation Control Mechanism
Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms intended to limit the privileges a user can exercise on a machine. Authorization has to be granted to specific users in order to perform tasks considered higher risk. An adversary can use several methods to take advantage of these built-in control mechanisms in order to escalate privileges on a system.
T1548.001: Setuid and Setgid
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
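One way to monitor for this sub-technique is to enumerate every file that carries either bit and compare the result against an approved baseline. The Python below is an added example (not MITRE's or any project's code); the file names and the baseline it uses are constructed for the demo.

```python
import os
import stat
import tempfile
# Added detection example for T1548.001 (not MITRE's code): list files whose
# setuid/setgid bit makes them run as their owner/group, flag unbaselined ones.

def privileged_bits(mode):
    """Return (setuid, setgid) for a regular file's st_mode, else None."""
    if not stat.S_ISREG(mode):
        return None  # symlinks and specials never run setuid themselves
    return bool(mode & stat.S_ISUID), bool(mode & stat.S_ISGID)

def find_privileged_files(root):
    """Walk root and list (path, owner_uid, setuid, setgid) entries."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable entries are skipped, not assumed clean
            bits = privileged_bits(st.st_mode)
            if bits and any(bits):
                found.append((path, st.st_uid) + bits)
    return sorted(found)

def diff_against_baseline(current, baseline_paths):
    """Split findings into (new, missing) relative to an approved path set."""
    new = [f for f in current if f[0] not in baseline_paths]
    missing = sorted(set(baseline_paths) - {f[0] for f in current})
    return new, missing

def demo():
    # Constructed scenario (hypothetical files): a setuid helper that is in the
    # approved baseline, plus a setuid copy that appeared outside it.
    with tempfile.TemporaryDirectory() as root:
        approved = os.path.join(root, "approved_helper")
        rogue = os.path.join(root, "rogue_copy")
        for p in (approved, rogue):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(p, 0o4755)  # setuid: would run as the file's owner, not the caller
        new, missing = diff_against_baseline(find_privileged_files(root), {approved})
        return [os.path.basename(f[0]) for f in new], missing

if __name__ == "__main__":
    print(demo())  # (['rogue_copy'], [])
```

A real deployment would persist the baseline from a known-good image and alert on any entry in `new`, since a setuid bit appearing on an unexpected file is the observable artifact of this sub-technique.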
T1548.002: Bypass User Account Control
Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement, to allowing the user to perform the action if they are in the local administrators group and click through the prompt, to allowing them to enter an administrator password to complete the action.
T1548.003: Sudo and Sudo Caching
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
T1548.004: Elevated Execution with Prompt
Adversaries may leverage the

What feature implemented in Windows 8.1 prevents the execution?
In Windows 8, the SmartScreen feature is integrated with the operating system. The integration of SmartScreen filtering with the base operating system prevents the execution of applications that the Windows OS considers unsafe.

What is the best method of preventing NetBIOS attacks?
In addition to turning off the NetBIOS service, you can prevent misuse of the NetBIOS service by closing TCP and UDP port 137 in your Windows firewall.

Which Windows 10 feature uses virtualization to protect?
Windows Defender Credential Guard uses virtualization-based security features that have to be enabled first on some operating systems.

What does the “NBT” part of “NBTscan” stand for?
NetBIOS over TCP/IP.

What enumeration tool is extremely useful when working with Windows NT, 2000, and Windows XP systems?