Abuse Elevation Control Mechanism - T1548
(ATT&CK® Technique)
Definition
Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileges a user can exercise on a machine. Authorization has to be granted to specific users before they can perform tasks that are considered higher risk. An adversary can use several methods to take advantage of these built-in control mechanisms in order to escalate privileges on a system.
D3FEND Inferred Relationships
Artifacts related to T1548 (Abuse Elevation Control Mechanism):
creates: System Configuration Database
invokes: System Call
invokes: Create Process
may-modify: Event Log
executes: Executable File
may-modify: System Configuration Database Record
modifies: Access Control Configuration
modifies: Operating System Configuration File

Defensive techniques, with their inferred relationship to T1548 and the artifacts they act on:
Decoy File: may-deceive T1548; spoofs Operating System Configuration File, Executable File
Dynamic Analysis: may-detect T1548; analyzes Executable File
Emulated File Analysis: may-detect T1548; analyzes Executable File
System Call Analysis: may-detect T1548; analyzes Create Process, System Call
Process Spawn Analysis: may-detect T1548; analyzes Create Process
File Integrity Monitoring: may-detect T1548; analyzes Executable File, Operating System Configuration File
File Analysis: may-detect T1548; analyzes Operating System Configuration File, Executable File
System File Analysis: may-detect T1548; analyzes Operating System Configuration File
File Eviction: may-evict T1548; deletes Executable File, Operating System Configuration File
File Encryption: may-harden T1548; encrypts Operating System Configuration File, Executable File
System Configuration Permissions: may-harden T1548; restricts System Configuration Database
Executable Denylisting: may-isolate T1548; filters Create Process; blocks Executable File
Executable Allowlisting: may-isolate T1548; filters Create Process; blocks Executable File
Hardware-based Process Isolation: may-isolate T1548; restricts Create Process
Local File Permissions: may-isolate T1548; restricts Executable File, Operating System Configuration File
System Call Filtering: may-isolate T1548; filters System Call, Create Process
Remote File Access Mediation: may-isolate T1548; isolates Operating System Configuration File, Executable File
Restore File: may-restore T1548; restores Executable File, Operating System Configuration File
Restore Database: may-restore T1548; restores System Configuration Database
Restore Configuration: may-restore T1548; restores System Configuration Database Record, Access Control Configuration