T1548: T1548

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 14/04/2026 11:20

Essential information

MITRE technique ID: T1548
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 14/04/2026 11:20
Author / Source: The MITRE Corporation

Aliases

Abuse Elevation Control Mechanism

Platforms

windows macos linux IaaS Office Suite Identity Provider

Description

Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	privilege-escalation

Marking (TLP)

External references

mitre-attack (T1548)
TechNet How UAC Works
OSX Keydnap malware
sudo man page 2018
Fortinet Fareit

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (27)

UNC4466 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cuba uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8099 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Anatsa uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Interlock Ransomware Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CoralRaider uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
NullBulge uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ping3r and Rodrigo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Unfading Sea Haze uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Metamorfo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Baku uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
KONNI uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 27

Nestdoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
QuasarRAT uses

Family
SharpJSHandler uses

Family
BPFDoor uses

Family
DBatLoader uses

Family
GODZILLA uses

Family
DARKSIDE uses
Cobalt Strike uses

Family
RedSun.exe uses

Family
Goldoon uses

Family
Bumblebee uses
AresLoader uses

Family

← Previous

Page / 10

1–12 of 112

Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst … related

AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
Threat Actors Weaponizing RAR Archives to Target Thailand's … related

AlienVault Confidence 100 21 MITREs 1 Malware 7 IOCs
How to defend ARM64 cloud infrastructure related

1 CVE 10 MITREs 1 Observable
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Cato CTRL Threat Research: Suspected China-Linked Threat Actor … related

AlienVault Confidence 100 17 MITREs 1 Malware 53 IOCs 53 Observables
Zero-Day Local Privilege Escalation Exploit related

AlienVault Confidence 100 17 MITREs 1 Malware 1 IOC 1 Observable
Q1 2026 malware statistics report for Windows web … related

AlienVault Confidence 100 1 CVE 15 MITREs 6 Malwares 1 IOC 1 Observable 1 APT
March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, … related

AlienVault Confidence 100 23 CVEs 20 MITREs 5 Malwares 2 IOCs 2 Observables 1 APT
Vgod RANSOMWARE related

30 MITREs 1 Malware 1 Observable
Changing the narrative on pig butchering scams related

6 MITREs 5 Observables
Threat Actors Chained Vulnerabilities in Ivanti Cloud Service … related

7 CVEs 13 MITREs 28 Observables
Raspberry Robin Analysis related

2 CVEs 20 MITREs 2 Malwares 126 Observables

← Previous

Page / 4

1–12 of 43

Vulnerabilities (CVE) (60)

CVE-2024-23897 KEV targets

9.8 Critical

Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead …

Attack vector: Network
Published: 19/08/2024
Modified: 21/12/2025

CVE-2017-0213 KEV targets

7.3 High

Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.

Attack vector: LOCAL
Complexity: LOW
Published: 12/05/2017
Modified: 22/04/2026

CVE-2025-0283 targets

7.0 High

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: LOCAL
Published: 09/01/2025
Modified: 21/12/2025

Analyzed

CVE-2026-46316 targets

9.3 Critical

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased …

Attack vector: LOCAL
Complexity: LOW
EPSS: 0.0002 (P4.8%)
Published: 09/06/2026
Modified: 09/06/2026

Received

CVE-2020-0696

targets

CVE-2014-4113 KEV targets

7.8 High

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Attack vector: LOCAL
Complexity: LOW
Published: 15/10/2014
Modified: 22/04/2026

CVE-2021-27877 KEV targets

Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via …

Published: 07/04/2023
Modified: 21/12/2025

CVE-2026-27483 targets

8.8 High

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.9.1.1, there is a path traversal vulnerability in …

Attack vector: NETWORK
Published: 24/02/2026
Modified: 14/04/2026

Undergoing Analysis

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2026-3055 KEV targets

9.3 Critical

Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability …

Attack vector: Network
Complexity: Low
Published: 23/03/2026
Modified: 14/04/2026

CWE-125 Awaiting Analysis

CVE-2026-26127 targets

7.5 High

Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.

Attack vector: NETWORK
Complexity: Low
Published: 10/03/2026
Modified: 14/04/2026

CWE-125 Awaiting Analysis

CVE-2025-26399 KEV targets

9.8 Critical

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would …

Attack vector: Network
Published: 23/09/2025
Modified: 12/03/2026

Awaiting Analysis

← Previous

Page / 5

1–12 of 60

TCC Manipulation subtechnique-of

MITRE
Temporary Elevated Cloud Access subtechnique-of

MITRE
T1548.003 subtechnique-of

Sudo and Sudo Caching MITRE
T1548.001 subtechnique-of

Setuid and Setgid MITRE

Course Of Action (6)

Audit mitigates
Restrict File and Directory Permissions mitigates
Update Software mitigates
Operating System Configuration mitigates
User Account Management mitigates
Execution Prevention mitigates

Contact About Legal notice Privacy policy Terms of use

T1548: T1548

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (27)

Malware (112)

Reports (43)

Vulnerabilities (CVE) (60)

Attack patterns (MITRE) (4)

Course Of Action (6)