T1548: T1548

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 30/01/2020 14:58 · Modified 14/04/2026 11:20

Essential information

MITRE technique ID: T1548
Confidence: 100/100
Revoked: No
Published: 30/01/2020 14:58
Modified: 14/04/2026 11:20
Author / Source: The MITRE Corporation

Aliases

Abuse Elevation Control Mechanism

Platforms

windows macos linux IaaS Office Suite Identity Provider

Description

Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	privilege-escalation

Marking (TLP)

External references

mitre-attack (T1548)
TechNet How UAC Works
OSX Keydnap malware
sudo man page 2018
Fortinet Fareit

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (26)

UNC4466 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cuba uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8099 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Anatsa uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Interlock Ransomware Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CoralRaider uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
NullBulge uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ping3r and Rodrigo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Unfading Sea Haze uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Metamorfo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Baku uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
KONNI uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 26

Backdoor:Win32/Dora uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Redsip uses
GHOSTBLADE uses

Family
RftRAT uses

Family
GHOSTKNIFE uses

Family
JuicyPotato uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TranslucentGh0st uses

Family
BlackLotus uses
Meterpreter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Warp AV Killer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rakshasa uses

Family
Hodur uses

← Previous

Page / 7

25–36 of 80

Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst … related

AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
Threat Actors Weaponizing RAR Archives to Target Thailand's … related

AlienVault Confidence 100 21 MITREs 1 Malware 7 IOCs
How to defend ARM64 cloud infrastructure related

1 CVE 10 MITREs 1 Observable
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Cato CTRL Threat Research: Suspected China-Linked Threat Actor … related

AlienVault Confidence 100 17 MITREs 1 Malware 53 IOCs 53 Observables
Zero-Day Local Privilege Escalation Exploit related

AlienVault Confidence 100 17 MITREs 1 Malware 1 IOC 1 Observable
Q1 2026 malware statistics report for Windows web … related

AlienVault Confidence 100 1 CVE 15 MITREs 6 Malwares 1 IOC 1 Observable 1 APT
March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, … related

AlienVault Confidence 100 23 CVEs 20 MITREs 5 Malwares 2 IOCs 2 Observables 1 APT
Vgod RANSOMWARE related

30 MITREs 1 Malware 1 Observable
Changing the narrative on pig butchering scams related

6 MITREs 5 Observables
Threat Actors Chained Vulnerabilities in Ivanti Cloud Service … related

7 CVEs 13 MITREs 28 Observables
Raspberry Robin Analysis related

2 CVEs 20 MITREs 2 Malwares 126 Observables

← Previous

Page / 4

1–12 of 43

Vulnerabilities (CVE) (63)

CVE-2024-9380 KEV targets

7.2 High

Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with …

Attack vector: Network
Published: 09/10/2024
Modified: 21/12/2025

Analyzed

CVE-2026-20127 KEV targets

10.0 Critical

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, …

Attack vector: NETWORK
Complexity: LOW
Published: 25/02/2026
Modified: 18/06/2026

CWE-287 Analyzed

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2026-27944 targets

9.8 Critical

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without …

Attack vector: Network
Published: 05/03/2026
Modified: 14/04/2026

Undergoing Analysis

CVE-2026-20131 KEV targets

10.0 Critical

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …

Attack vector: NETWORK
Complexity: Low
Published: 04/03/2026
Modified: 14/04/2026

CWE-502 Awaiting Analysis

CVE-2026-33017 KEV targets

9.3 Critical

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows …

Attack vector: Network
Complexity: Low
Published: 20/03/2026
Modified: 23/05/2026

CWE-94 Awaiting Analysis

CVE-2026-3909 KEV targets

8.8 High

Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a …

Attack vector: Network
EPSS: 0.0007 (P20.7%)
Published: 13/03/2026
Modified: 14/04/2026

Analyzed

CVE-2023-33246 targets

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2024-3094 targets

10.0 Critical

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma …

Attack vector: NETWORK
Published: 29/03/2024
Modified: 21/12/2025

CVE-2024-5806 targets

9.1 Critical

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass in limited scenarios.This issue affects MOVEit Transfer: from …

Attack vector: NETWORK
Published: 25/06/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-0282 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: Network
Published: 08/01/2025
Modified: 21/12/2025

Analyzed

← Previous

Page / 6

25–36 of 63

TCC Manipulation subtechnique-of

MITRE
Temporary Elevated Cloud Access subtechnique-of

MITRE
T1548.003 subtechnique-of

Sudo and Sudo Caching MITRE

Course Of Action (5)

Audit mitigates
Restrict File and Directory Permissions mitigates
Update Software mitigates
Operating System Configuration mitigates
User Account Management mitigates

Contact About Legal notice Privacy policy Terms of use

T1548: T1548

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (26)

Malware (80)

Reports (43)

Vulnerabilities (CVE) (63)

Attack patterns (MITRE) (3)

Course Of Action (5)