This is a list of attack techniques (Techniques) associated with the "Privilege Escalation" tactic.
| Technique ID | Name | Description |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnera… |
| T1166 | Setuid and Setgid | When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run wi… |
| T1169 | Sudo | The sudoers file, `/etc/sudoers`, describes which users can run which commands and from which terminals. This… |
| T1178 | SID-History Injection | The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Window… |
| T1183 | Image File Execution Options Injection | Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created… |
| T1206 | Sudo Caching | The `sudo` command "allows a system administrator to delegate authority to give certain users (or groups of u… |
| T1514 | Elevated Execution with Prompt | Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for cre… |
| T1546 | Event Triggered Execution | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on … |
| T1546.001 | Change Default File Association | Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file i… |
| T1546.002 | Screensaver | Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are prog… |
| T1546.003 | Windows Management Instrumentation Event Subscription | Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Manag… |
| T1546.004 | Unix Shell Configuration Modification | Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell… |
| T1546.005 | Trap | Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The `trap`… |
| T1546.006 | LC_LOAD_DYLIB Addition | Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mac… |
| T1546.007 | Netsh Helper DLL | Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also ref… |
| T1546.008 | Accessibility Features | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibilit… |
| T1546.009 | AppCert DLLs | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs… |
| T1546.010 | AppInit DLLs | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs… |
| T1546.011 | Application Shimming | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application … |
| T1546.012 | Image File Execution Options Injection | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File E… |
| T1546.013 | PowerShell Profile | Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.… |
| T1546.014 | Emond | Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Da… |
| T1546.015 | Component Object Model Hijacking | Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Objec… |
| T1546.016 | Installer Packages | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious… |
| T1548 | Abuse Elevation Control Mechanism | Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most mod… |
| T1548.001 | Setuid and Setgid | An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code runnin… |
| T1548.002 | Bypass User Account Control | Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows… |
| T1548.003 | Sudo and Sudo Caching | Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execu… |
| T1548.004 | Elevated Execution with Prompt | Adversaries may leverage the `AuthorizationExecuteWithPrivileges` API to escalate privileges by prompting the… |
| T1548.005 | Temporary Elevated Cloud Access | Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. … |
| T1548.006 | TCC Manipulation | Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious ex… |
| T1611 | Escape to Host | Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allo… |