T1548: T1548
Essential information
- MITRE technique ID
T1548- Confidence
- 100/100
- Revoked
- No
- Published
- 30/01/2020 14:58
- Modified
- 14/04/2026 11:20
- Author / Source
- The MITRE Corporation
Aliases
Abuse Elevation Control Mechanism
Platforms
windows macos linux IaaS Office Suite Identity Provider
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (26)
-
UNC4466 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cuba usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UAT-8099 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Anatsa usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CoralRaider usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NullBulge usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Ping3r and Rodrigo usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Unfading Sea Haze usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Metamorfo usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Earth Baku usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
KONNI usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (80)
-
Backdoor:Win32/Dora usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Redsip uses
-
GHOSTBLADE usesFamily
-
RftRAT usesFamily
-
GHOSTKNIFE usesFamily
-
JuicyPotato usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TranslucentGh0st usesFamily
-
BlackLotus uses
-
Meterpreter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Warp AV Killer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rakshasa usesFamily
-
Hodur uses
Reports (43)
-
AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
-
AlienVault Confidence 100 21 MITREs 1 Malware 7 IOCs
-
1 CVE 10 MITREs 1 Observable
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
AlienVault Confidence 100 17 MITREs 1 Malware 53 IOCs 53 Observables
-
AlienVault Confidence 100 17 MITREs 1 Malware 1 IOC 1 Observable
-
AlienVault Confidence 100 1 CVE 15 MITREs 6 Malwares 1 IOC 1 Observable 1 APT
-
AlienVault Confidence 100 23 CVEs 20 MITREs 5 Malwares 2 IOCs 2 Observables 1 APT
-
Vgod RANSOMWARE related30 MITREs 1 Malware 1 Observable
-
6 MITREs 5 Observables
-
7 CVEs 13 MITREs 28 Observables
-
Raspberry Robin Analysis related2 CVEs 20 MITREs 2 Malwares 126 Observables
Vulnerabilities (CVE) (63)
Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 17/07/2025
- Modified
- 27/03/2026
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
- Attack vector
- NETWORK
- Published
- 10/03/2026
- Modified
- 14/04/2026
D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.
- Attack vector
- Adjacent
- Complexity
- LOW
- Published
- 23/02/2015
- Modified
- 22/04/2026
Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …
- Attack vector
- Network
- Published
- 22/08/2023
- Modified
- 27/05/2026
Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
- Attack vector
- NETWORK
- Published
- 08/10/2024
- Modified
- 21/12/2025
Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.
- Attack vector
- LOCAL
- Published
- 10/01/2024
- Modified
- 15/03/2026
A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including …
- Attack vector
- Network
- Published
- 17/03/2026
- Modified
- 14/04/2026
Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command …
- Published
- 07/04/2023
- Modified
- 21/12/2025
An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to …
- Attack vector
- Network
- Published
- 13/09/2024
- Modified
- 21/12/2025
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position …
- Attack vector
- NETWORK
- Published
- 28/11/2023
- Modified
- 21/12/2025
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 25/04/2025
- Modified
- 27/03/2026
Attack patterns (MITRE) (3)
-
TCC Manipulation subtechnique-of
-
Temporary Elevated Cloud Access subtechnique-of
-
T1548.003 subtechnique-ofSudo and Sudo Caching MITRE
Course Of Action (5)
-
Audit mitigates
-
Restrict File and Directory Permissions mitigates
-
Update Software mitigates
-
Operating System Configuration mitigates
-
User Account Management mitigates