Privilege Escalation - TA0004

Objective:

Gain higher-level permissions to expand control over the system. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.

  • ID: TA0004

    • https://attack.mitre.org/tactics/TA0004/


Linux Context:

  • Privilege escalation on Linux targets the boundary between unprivileged users and root (and, increasingly, the boundary between a container or namespace and its host). Misconfigured sudo rules (e.g., user ALL=(ALL) NOPASSWD:ALL) give instant root, and setuid-root binaries (e.g., /usr/bin/find with chmod u+s) are abused to run commands as root. Kernel exploits such as Dirty COW (CVE-2016-5195), and bugs in setuid helpers such as pkexec (CVE-2021-4034, PwnKit), grant root through a vulnerability rather than a misconfiguration. Attackers also abuse LD_PRELOAD (where sudo's env_keep passes it through) or hijack PATH so that a script run with elevated privileges executes an attacker-controlled binary instead of the intended one. In cloud setups, over-permissive IAM roles or Kubernetes RBAC provide the equivalent escalation.


Key Techniques:

  • Abuse Elevation Control Mechanism (T1548): Exploiting setuid binaries.

  • Exploitation for Privilege Escalation (T1068): Running a kernel exploit.

  • Sudo and Sudo Caching (T1548.003): abusing over-permissive sudoers rules or a still-valid cached sudo credential.


Flow Example:

  • Running sudo -l reveals a command that can be abused to spawn a shell (e.g., sudo vi, then :!/bin/sh from inside the editor), or the attacker uses a local exploit such as the sudo heap overflow CVE-2021-3156 (Baron Samedit) to gain root from a low-privilege account.


Defender Strategies:

  • Minimize sudo privileges (grant explicit commands rather than ALL, avoid NOPASSWD, and keep editors, pagers and interpreters out of sudoers, using sudoedit for file edits), audit setuid binaries (find / -xdev -perm -4000 -type f 2>/dev/null) and remove the bit wherever it is not required, and apply kernel patches promptly. Use a hardened kernel where possible. Use tools like checksec to confirm which mitigations (RELRO, stack canaries, NX, PIE) each setuid binary was built with.
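As an added example (not part of the EDRmetry catalog or its test definitions), the following shell script audits the three misconfiguration classes named in the Linux Context and Defender Strategies sections above: sudo rules that hand out a root shell, setuid-root binaries outside an expected set, and writable or relative entries on PATH. Each check is a function that reads stdin or arguments, so it runs against captured sudo -l or find output as well as a live host. The allowlist of expected setuid binaries and the list of shell-capable commands are assumptions to tune per image.

```shell
#!/bin/sh
# Added example (not EDRmetry's own code): local privilege-escalation surface
# audit for Linux. Each check is a function that reads its input from stdin or
# arguments, so the same logic runs against a captured file or the live host.

# Commands that give an interactive shell or arbitrary file write when run via
# sudo (assumption: extend for your environment, e.g. with GTFOBins entries).
SHELL_CAPABLE='vi|vim|nano|less|more|find|awk|python[0-9.]*|perl|bash|sh|env'

# Setuid-root binaries expected on a typical distro (assumption: tune per image).
SUID_ALLOWLIST='^/(usr/)?bin/(sudo|su|passwd|mount|umount|chsh|chfn|newgrp|gpasswd|pkexec|fusermount3?|ping)$'

# audit_sudo_rules: stdin is `sudo -l` output or sudoers text. Prints each rule
# that grants ALL, NOPASSWD: ALL, or a shell-capable command. Exit status 0 if
# any dangerous rule was found, 1 otherwise (grep semantics).
audit_sudo_rules() {
    grep -E "NOPASSWD:[[:space:]]*ALL([[:space:]]|$)|\)[[:space:]]*ALL([[:space:]]|$)|/($SHELL_CAPABLE)([[:space:]]|$)"
}

# unexpected_suid: stdin is a list of setuid files (one path per line), e.g.
#   find / -xdev -perm -4000 -type f 2>/dev/null | unexpected_suid
# Prints every path not on the allowlist; these are candidates for chmod u-s.
unexpected_suid() {
    grep -Ev "$SUID_ALLOWLIST" || true
}

# writable_path_entries: $1 is a PATH string. Prints entries an attacker could
# plant a binary in: relative or empty entries (resolved against the caller's
# current directory) and directories writable by the current user.
writable_path_entries() {
    path_entries=$1
    old_ifs=$IFS
    IFS=':'
    for entry in $path_entries; do
        if [ -z "$entry" ] || [ "${entry#/}" = "$entry" ]; then
            printf 'relative-or-empty: %s\n' "${entry:-<empty>}"
        elif [ -d "$entry" ] && [ -w "$entry" ]; then
            printf 'writable: %s\n' "$entry"
        fi
    done
    IFS=$old_ifs
}

# Stand-alone use against the live host:  sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    echo '== sudo rules granting a root shell =='
    sudo -n -l 2>/dev/null | audit_sudo_rules
    echo '== setuid binaries outside the allowlist =='
    find / -xdev -perm -4000 -type f 2>/dev/null | unexpected_suid
    echo '== PATH entries an attacker could write to =='
    writable_path_entries "$PATH"
fi
```

A rule such as alice ALL=(ALL) NOPASSWD:ALL or (ALL : ALL) NOPASSWD: /usr/bin/vi is flagged; the hardened equivalent grants only the exact command needed (for example alice ALL=(root) /usr/bin/systemctl restart nginx, which the script does not flag) and uses sudoedit rather than sudo vi for file edits. The setuid check is deliberately a denylist-by-exception: anything not explicitly expected is reported, which is the right default when reviewing an image.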


The current list of corresponding EDRmetry test definitions includes:

  • EDR-T6315 - Add SSH key via iptables-save

  • EDR-T6360 - Dirty Pagetable Attack via huge pages Kernel UAF LPE

  • EDR-T6359 - Dirty Pipe Kernel UAF LPE

  • EDR-T6231 - DirtyPipe CVE-2022-0847 LPE

  • EDR-T6216 - Docker BOTB Break out the Box

  • EDR-T6215 - Docker Host Escape with Proc injection

  • EDR-T6147 - Docker Host Escape with socket

  • EDR-T6073 - Execute Trap signals

  • EDR-T6049 - Exploit local suid binary

  • EDR-T6232 - Linux Kernel CVE-2022-2588 LPE

  • EDR-T6300 - K8S - Run a privileged pod

  • EDR-T6301 - K8S - Writable hostPath mount

  • EDR-T6183 - MySQL wsrep_provider CVE-2021-27928

  • EDR-T6346 - Modify nftables via unprivileged namespace

  • EDR-T6229 - Namespace manipulation with unshare

  • EDR-T6187 - NFS SUID Escalation

  • EDR-T6290 - Overwrite modprobe_path

  • EDR-T6184 - PATH Hijacking

  • EDR-T6230 - pkexec CVE-2021-4034 Exploitation

  • EDR-T6100 - Register LKM Char Device + LPE

  • EDR-T6109 - Socket Command Injection

  • EDR-T6233 - XZ / liblzma backdoor CVE-2024-3094
