Esc

Elevated Execution with Prompt - T1548.004

(ATT&CK® Technique)

Definition

Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials. The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1548004["Elevated Execution with Prompt"] --> |creates| SystemConfigurationDatabase["System Configuration Database"]; class T1548004 OffensiveTechniqueNode;
        class SystemConfigurationDatabase ArtifactNode; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase";
        click T1548004 href "/offensive-technique/attack/T1548.004/"; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase"; T1548004["Elevated Execution with Prompt"] --> |invokes| SystemCall["System Call"]; class T1548004 OffensiveTechniqueNode;
        class SystemCall ArtifactNode; click SystemCall href "/dao/artifact/d3f:SystemCall";
        click T1548004 href "/offensive-technique/attack/T1548.004/"; click SystemCall href "/dao/artifact/d3f:SystemCall";                           RestoreDatabase["Restore Database"] -->
          | restores | SystemConfigurationDatabase["System Configuration Database"];

          RestoreDatabase["Restore Database"] -.->
            | may-restore | T1548004["Elevated Execution with Prompt"] ;
          class RestoreDatabase DefensiveTechniqueNode;
          class SystemConfigurationDatabase ArtifactNode;
          click RestoreDatabase href "/technique/d3f:RestoreDatabase";                           SystemConfigurationPermissions["System Configuration Permissions"] -->
          | restricts | SystemConfigurationDatabase["System Configuration Database"];

          SystemConfigurationPermissions["System Configuration Permissions"] -.->
            | may-harden | T1548004["Elevated Execution with Prompt"] ;
          class SystemConfigurationPermissions DefensiveTechniqueNode;
          class SystemConfigurationDatabase ArtifactNode;
          click SystemConfigurationPermissions href "/technique/d3f:SystemConfigurationPermissions"; SystemCallFiltering["System Call Filtering"] -->
          | filters | SystemCall["System Call"];

          SystemCallFiltering["System Call Filtering"] -.->
            | may-isolate | T1548004["Elevated Execution with Prompt"] ;
          class SystemCallFiltering DefensiveTechniqueNode;
          class SystemCall ArtifactNode;
          click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";                           SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | SystemCall["System Call"];

          SystemCallAnalysis["System Call Analysis"] -.->
            | may-detect | T1548004["Elevated Execution with Prompt"] ;
          class SystemCallAnalysis DefensiveTechniqueNode;
          class SystemCall ArtifactNode;
          click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis";

json