T1548: T1548
Essential information
- MITRE technique ID
- T1548
- Confidence
- 100/100
- Revoked
- No
- Published
- 30/01/2020 14:58
- Modified
- 14/04/2026 11:20
- Author / Source
- The MITRE Corporation
Aliases
Abuse Elevation Control Mechanism
Platforms
windows, macos, linux, IaaS, Office Suite, Identity Provider
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (26)
- The MITRE Corporation · Confidence 100
  [Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean…
  First seen 01/01/1970 · Last seen 16/11/5138
- Blackwood · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…
  First seen 01/01/1970 · Last seen 16/11/5138
- Goldoon · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- HeptaX · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Intelbroker · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Larva-26001 · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Lazarus · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Mirai · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…
  First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia,…
  First seen 01/01/1970 · Last seen 16/11/5138
- Silver Fox · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Malware (80)
- Win.Dropper.Scar · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Amadey · uses · Family · The MITRE Corporation · Confidence 100
  [Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)
  First seen 01/01/1970 · Last seen 16/11/5138
- SHA-256 · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- BumbleeBee · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- gh0st RAT - S0032 · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- BlackCat · uses · Family · The MITRE Corporation · Confidence 100
  [BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and…
  First seen 01/01/1970 · Last seen 16/11/5138
- ModuleInstaller · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- POISONPLUG.SHADOW · uses · The MITRE Corporation · Confidence 100
  [ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be…
  First seen 01/01/1970 · Last seen 16/11/5138
- Qilin · uses · The MITRE Corporation · Confidence 100
  [Qilin](https://attack.mitre.org/software/S1242) ransomware is a Ransomware-as-a-Service (RaaS) that has been active since at least 2022 with versions written in Golang and Rust that are capable of targeting Windows or…
  First seen 01/01/1970 · Last seen 16/11/5138
- PLASMAGRID · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Raspberry Robin · uses · Family · The MITRE Corporation · Confidence 100
  [Raspberry Robin](https://attack.mitre.org/software/S1130) is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a…
  First seen 01/01/1970 · Last seen 16/11/5138
- HrServ · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Reports (43)
- AlienVault · Confidence 100 · 3 CVEs · 19 MITREs · 9 IOCs · 8 Observables
- AlienVault · Confidence 100 · 21 MITREs · 1 Malware · 7 IOCs
- 1 CVE · 10 MITREs · 1 Observable
- Threat landscape — Belgium · related · Confidence 100 · 18 CVEs · 200 MITREs · 200 Malwares · 20 APTs · 26 Tools
- AlienVault · Confidence 100 · 17 MITREs · 1 Malware · 53 IOCs · 53 Observables
- AlienVault · Confidence 100 · 17 MITREs · 1 Malware · 1 IOC · 1 Observable
- AlienVault · Confidence 100 · 1 CVE · 15 MITREs · 6 Malwares · 1 IOC · 1 Observable · 1 APT
- AlienVault · Confidence 100 · 23 CVEs · 20 MITREs · 5 Malwares · 2 IOCs · 2 Observables · 1 APT
- Vgod RANSOMWARE · related · 30 MITREs · 1 Malware · 1 Observable
- 6 MITREs · 5 Observables
- 7 CVEs · 13 MITREs · 28 Observables
- Raspberry Robin Analysis · related · 2 CVEs · 20 MITREs · 2 Malwares · 126 Observables
Vulnerabilities (CVE) (63)
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …
- Attack vector
- Network
- Published
- 31/01/2024
- Modified
- 27/05/2026
Remote Desktop Protocol Remote Code Execution Vulnerability
- Attack vector
- NETWORK
- Published
- 11/01/2022
- Modified
- 20/12/2025
Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain …
- Attack vector
- NETWORK
- Complexity
- LOW
- EPSS
- 0.9410 (P99.9%)
- Published
- 06/05/2017
- Modified
- 22/04/2026
Attack patterns (MITRE) (3)
- TCC Manipulation · subtechnique-of
- Temporary Elevated Cloud Access · subtechnique-of
- T1548.003 · subtechnique-of · Sudo and Sudo Caching · MITRE
Course Of Action (5)
- Audit · mitigates
- Restrict File and Directory Permissions · mitigates
- Update Software · mitigates
- Operating System Configuration · mitigates
- User Account Management · mitigates