T1548: T1548

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 30/01/2020 14:58 · Modified 14/04/2026 11:20

Essential information

MITRE technique ID: T1548
Confidence: 100/100
Revoked: No
Published: 30/01/2020 14:58
Modified: 14/04/2026 11:20
Author / Source: The MITRE Corporation

Aliases

Abuse Elevation Control Mechanism

Platforms

windows macos linux IaaS Office Suite Identity Provider

Description

Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	privilege-escalation

Marking (TLP)

External references

mitre-attack (T1548)
TechNet How UAC Works
OSX Keydnap malware
sudo man page 2018
Fortinet Fareit

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (26)

UNC4466 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cuba uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8099 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Anatsa uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Interlock Ransomware Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CoralRaider uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
NullBulge uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ping3r and Rodrigo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Unfading Sea Haze uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Metamorfo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Baku uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
KONNI uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 26

Backdoor:Win32/Dora uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Redsip uses
GHOSTBLADE uses

Family
RftRAT uses

Family
GHOSTKNIFE uses

Family
JuicyPotato uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TranslucentGh0st uses

Family
BlackLotus uses
Meterpreter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Warp AV Killer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rakshasa uses

Family
Hodur uses

← Previous

Page / 7

25–36 of 80

Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst … related

AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
Threat Actors Weaponizing RAR Archives to Target Thailand's … related

AlienVault Confidence 100 21 MITREs 1 Malware 7 IOCs
How to defend ARM64 cloud infrastructure related

1 CVE 10 MITREs 1 Observable
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Cato CTRL Threat Research: Suspected China-Linked Threat Actor … related

AlienVault Confidence 100 17 MITREs 1 Malware 53 IOCs 53 Observables
Zero-Day Local Privilege Escalation Exploit related

AlienVault Confidence 100 17 MITREs 1 Malware 1 IOC 1 Observable
Q1 2026 malware statistics report for Windows web … related

AlienVault Confidence 100 1 CVE 15 MITREs 6 Malwares 1 IOC 1 Observable 1 APT
March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, … related

AlienVault Confidence 100 23 CVEs 20 MITREs 5 Malwares 2 IOCs 2 Observables 1 APT
Vgod RANSOMWARE related

30 MITREs 1 Malware 1 Observable
Changing the narrative on pig butchering scams related

6 MITREs 5 Observables
Threat Actors Chained Vulnerabilities in Ivanti Cloud Service … related

7 CVEs 13 MITREs 28 Observables
Raspberry Robin Analysis related

2 CVEs 20 MITREs 2 Malwares 126 Observables

← Previous

Page / 4

1–12 of 43

Vulnerabilities (CVE) (63)

CVE-2026-20963 KEV targets

9.8 Critical

Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.

Attack vector: NETWORK
Complexity: LOW
Published: 13/01/2026
Modified: 02/04/2026

CWE-502 Analyzed

CVE-2022-21894 targets

4.4 Medium

Secure Boot Security Feature Bypass Vulnerability

Attack vector: LOCAL
Published: 11/01/2022
Modified: 20/12/2025

CVE-2024-8963 KEV targets

9.4 Critical

Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If …

Attack vector: Network
Published: 19/09/2024
Modified: 21/12/2025

Analyzed

CVE-2026-20245 KEV targets

7.8 High

A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary …

Attack vector: LOCAL
Complexity: LOW
Published: 05/06/2026
Modified: 25/06/2026

CWE-116 Awaiting Analysis

CVE-2026-3910 KEV targets

8.8 High

Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote …

Attack vector: Network
EPSS: 0.0008 (P23.4%)
Published: 13/03/2026
Modified: 14/04/2026

Analyzed

CVE-2021-27876 KEV targets

Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a …

Published: 07/04/2023
Modified: 21/12/2025

CVE-2021-30952 KEV targets

7.8 High

Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web …

Attack vector: LOCAL
Published: 24/08/2021
Modified: 10/03/2026

CVE-2025-53521 KEV targets

8.7 High

When a BIG-IP APM Access Policy is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions …

Attack vector: Network
Complexity: Low
Published: 15/10/2025
Modified: 04/04/2026

CWE-770 CWE-121 Received

CVE-2024-4978 targets

8.4 High

Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, …

Published: 23/05/2024
Modified: 23/05/2024

Received

CVE-2024-26229 targets

CVE-2026-21385 KEV targets

7.8 High

Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation.

Attack vector: LOCAL
Published: 02/03/2026
Modified: 14/04/2026

Undergoing Analysis

CVE-2021-4043 targets

← Previous

Page / 6

37–48 of 63

TCC Manipulation subtechnique-of

MITRE
Temporary Elevated Cloud Access subtechnique-of

MITRE
T1548.003 subtechnique-of

Sudo and Sudo Caching MITRE

Course Of Action (5)

Audit mitigates
Restrict File and Directory Permissions mitigates
Update Software mitigates
Operating System Configuration mitigates
User Account Management mitigates

Contact About Legal notice Privacy policy Terms of use

T1548: T1548

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (26)

Malware (80)

Reports (43)

Vulnerabilities (CVE) (63)

Attack patterns (MITRE) (3)

Course Of Action (5)