T1548: T1548
View on MITRE ATT&CK
The MITRE Corporation
· Published 30/01/2020 14:58 · Modified 14/04/2026 11:20
Essential information
- MITRE technique ID
T1548- Confidence
- 100/100
- Revoked
- No
- Published
- 30/01/2020 14:58
- Modified
- 14/04/2026 11:20
- Author / Source
- The MITRE Corporation
Aliases
Abuse Elevation Control Mechanism
Platforms
windows macos linux IaaS Office Suite Identity Provider
Description
Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (26)
-
UNC4466 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cuba usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UAT-8099 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Anatsa usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CoralRaider usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NullBulge usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Ping3r and Rodrigo usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Unfading Sea Haze usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Metamorfo usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Earth Baku usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
KONNI usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (80)
-
Backdoor:Win32/Dora usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Redsip uses
-
GHOSTBLADE usesFamily
-
RftRAT usesFamily
-
GHOSTKNIFE usesFamily
-
JuicyPotato usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TranslucentGh0st usesFamily
-
BlackLotus uses
-
Meterpreter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Warp AV Killer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rakshasa usesFamily
-
Hodur uses
Reports (43)
-
AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
-
AlienVault Confidence 100 21 MITREs 1 Malware 7 IOCs
-
1 CVE 10 MITREs 1 Observable
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
AlienVault Confidence 100 17 MITREs 1 Malware 53 IOCs 53 Observables
-
AlienVault Confidence 100 17 MITREs 1 Malware 1 IOC 1 Observable
-
AlienVault Confidence 100 1 CVE 15 MITREs 6 Malwares 1 IOC 1 Observable 1 APT
-
AlienVault Confidence 100 23 CVEs 20 MITREs 5 Malwares 2 IOCs 2 Observables 1 APT
-
Vgod RANSOMWARE related30 MITREs 1 Malware 1 Observable
-
6 MITREs 5 Observables
-
7 CVEs 13 MITREs 28 Observables
-
Raspberry Robin Analysis related2 CVEs 20 MITREs 2 Malwares 126 Observables
Vulnerabilities (CVE) (63)
8.2
High
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …
- Attack vector
- Network
- Published
- 31/01/2024
- Modified
- 27/05/2026
CVE-2022-21893
targets
8.0
High
Remote Desktop Protocol Remote Code Execution Vulnerability
- Attack vector
- NETWORK
- Published
- 11/01/2022
- Modified
- 20/12/2025
9.8
Critical
Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain …
- Attack vector
- NETWORK
- Complexity
- LOW
- EPSS
- 0.9410 (P99.9%)
- Published
- 06/05/2017
- Modified
- 22/04/2026
Attack patterns (MITRE) (3)
-
TCC Manipulation subtechnique-of
-
Temporary Elevated Cloud Access subtechnique-of
-
T1548.003 subtechnique-ofSudo and Sudo Caching MITRE
Course Of Action (5)
-
Audit mitigates
-
Restrict File and Directory Permissions mitigates
-
Update Software mitigates
-
Operating System Configuration mitigates
-
User Account Management mitigates