Abuse of elevation control mechanisms refers to attacks in which an adversary exploits flaws or features of the operating system's native privilege-management mechanisms to bypass security policy and obtain a higher privilege level. Modern systems restrict unauthorized elevation through User Account Control (UAC), the sudo mechanism and privilege-token validation; defenders typically detect abuse with process behaviour monitoring, file integrity checking and environment-variable auditing, for example by monitoring changes to setuid/setgid files, analysing events in which a process's privileges change abruptly, and checking for modification of sensitive registry keys.
To avoid the exposure that traditional privilege escalation incurs by directly calling privileged APIs or modifying critical system files, attackers have turned to covert elevation techniques built on the abuse of legitimate mechanisms, in-memory attack chains and tampering with environment characteristics, achieving a "legitimised" privilege overreach by embedding themselves deeply in the system's trust fabric.
What current stealthy privilege-escalation techniques have in common is the reverse exploitation of the system's trust mechanisms and the elimination of attack traces on every level. The attacker spreads the elevation operation across the interactions of several legitimate system components: trusted-service configuration elevation parasitises the system's service-management framework and uses the automatic elevation that occurs at service start to evade monitoring of privilege changes; dynamic-library hijacking elevation implants malicious code into a legitimate process's load chain and exploits blind spots in digital-signature verification to execute covertly; environment-variable injection elevation tampers with runtime configuration to influence privileged processes indirectly, so that the attack path is scattered across the system's environment layer; memory-resident elevation abandons persistent storage entirely and exploits the dynamic nature of process memory to leave no trace. The shared characteristic of these techniques is that they break the strong correlation between traditional elevation behaviour and malicious traces: by embedding the attack elements in the system's normal working mechanisms, they make the privilege-escalation process look like a legitimate "self-upgrade" performed by the system itself.
The development of covert elevation techniques means that traditional defences based on behavioural-signature matching or file-change detection risk becoming ineffective. Defenders need cross-layer behavioural correlation analysis that combines memory forensics, comparison against environment-configuration baselines and runtime process-lineage tracking, so as to build a dynamic protection system oriented towards trust-chain anomaly detection. At the same time, the principle of least privilege should be applied at a finer granularity, limiting the dependency scope of high-privilege processes.
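The setuid/setgid monitoring and baseline comparison described above can be done with a small scanner that records every privileged binary with its mode, owner and content hash and diffs it against a baseline taken from a known-good host. This is an added example, not code from the page; the helper names `scan_setuid` and `diff_setuid` and the JSON baseline layout are assumptions.

```python
import hashlib
import json
import os
import stat
from typing import Dict, Tuple

# Hypothetical helper names (scan_setuid, diff_setuid); the baseline format is
# a plain JSON object {path: {bits, mode, owner, sha256}} chosen for this example.
Entry = Dict[str, str]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_setuid(root: str) -> Dict[str, Entry]:
    """Walk `root` without following symlinks and record every regular file
    that carries a setuid or setgid bit, together with mode, owner and hash."""
    found: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or metadata unreadable
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            bits = "+".join(b for b, flag in (("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID))
                            if st.st_mode & flag)
            try:
                digest = _sha256(path)
            except OSError:
                digest = "unreadable"
            found[path] = {"bits": bits, "mode": oct(stat.S_IMODE(st.st_mode)),
                           "owner": str(st.st_uid), "sha256": digest}
    return found


def diff_setuid(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Tuple[dict, dict, dict]:
    """added: new privileged files; removed: privileged files that disappeared;
    changed: same path but different bits, mode, owner or content (a replaced binary)."""
    added = {p: e for p, e in current.items() if p not in baseline}
    removed = {p: e for p, e in baseline.items() if p not in current}
    changed = {p: (baseline[p], current[p]) for p in baseline
               if p in current and baseline[p] != current[p]}
    return added, removed, changed


if __name__ == "__main__":
    import sys  # usage: scanner.py /usr baseline.json (first run writes the baseline)
    current = scan_setuid(sys.argv[1])
    if not os.path.exists(sys.argv[2]):
        with open(sys.argv[2], "w") as f:
            json.dump(current, f, indent=1)
    else:
        with open(sys.argv[2]) as f:
            for label, items in zip(("ADDED", "REMOVED", "CHANGED"), diff_setuid(json.load(f), current)):
                for path in sorted(items):
                    print(f"{label}: {path}")
```

Point the scanner at real binary trees such as /usr or /opt rather than /, so that it does not descend into /proc or network mounts.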
| Effect type | Present |
|---|---|
| Signature masquerading | ✅ |
| Behavioural transparency | ✅ |
| Data obscuring | ✅ |
| Spatio-temporal trace elimination | ❌ |
Attackers disguise elevation behaviour by imitating legitimate privilege-management operations. For example, dynamic-library hijacking elevation faithfully reproduces the exported-function characteristics of the original library, and memory-resident elevation preserves the host process's normal behavioural profile, so that in process monitoring the elevation operation appears as a legitimate function call. This deeply parasitic strategy makes the attack behaviour hard to distinguish from a normal privilege change.
Attackers use native system mechanisms to achieve "trace-free" elevation, for example by injecting environment variables that influence a privileged process's runtime decisions, or by modifying a service configuration to trigger automatic elevation. Because these methods follow the system's own design logic, the elevation produces no abnormal log entries or security events, and defenders struggle to notice the illegitimate change in privilege state.
Memory-resident elevation avoids disk traces through purely in-memory operations, and dynamic-library hijacking elevation uses reflective loading to evade file scanning. Attackers further hide the elevation payload with memory encryption and self-destructing code, so that traditional detection based on static analysis cannot obtain the key attack fingerprints.
| ID | Name | Description |
|---|---|---|
| S1130 | Raspberry Robin | Raspberry Robin implements a variation of the |
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.[2] |
| M1038 | Execution Prevention | System settings can prevent applications from running that haven't been downloaded from legitimate repositories, which may help mitigate some of these issues. Not allowing unsigned applications to be run may also mitigate some risk. |
| M1028 | Operating System Configuration | Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set, to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system. Ensuring that the sudo tty_tickets setting is enabled will prevent cached sudo credentials from leaking across tty sessions. |
| M1026 | Privileged Account Management | Remove users from the local administrator group on systems. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting timestamp_timeout to 0 will require the user to input their password every time sudo is executed. |
| M1022 | Restrict File and Directory Permissions | The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege. |
| M1051 | Update Software | Perform regular software updates to mitigate exploitation risk. |
| M1052 | User Account Control | Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and to mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking. |
| M1018 | User Account Management | Limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges. |
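The sudo-related mitigations above (tty_tickets enabled, timestamp_timeout set to 0, passwords always required) can be checked mechanically against a sudoers file. The following linter is an added example, not code from the page or from the sudo project; `audit_sudoers` is a hypothetical helper, the two sudoers texts are constructed samples, and only the common single-line Defaults and user-spec forms are handled.

```python
import re
from typing import List

# Constructed sudoers samples for illustration; not taken from any real host.
WEAK_SUDOERS = """\
Defaults env_reset
Defaults !tty_tickets
Defaults timestamp_timeout=15
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""

HARDENED_SUDOERS = """\
Defaults env_reset
Defaults tty_tickets, timestamp_timeout=0
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
deploy ALL=(root) /usr/bin/systemctl restart app
"""

# Matches "Defaults", "Defaults:user", "Defaults@host", "Defaults>runas", "Defaults!cmd".
# Scoped Defaults are treated like global ones here, which is the conservative choice.
_DEFAULTS_RE = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(.+)$")


def audit_sudoers(text: str) -> List[str]:
    """Hypothetical helper: return a list of findings for settings that weaken
    the password requirement or the credential cache described in M1028/M1026."""
    findings: List[str] = []
    tty_tickets = None   # None = not mentioned, True/False = explicitly set
    timeout = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; '#include' lines are skipped
        if not line:
            continue
        m = _DEFAULTS_RE.match(line)
        if m:
            for opt in (o.strip() for o in m.group(1).split(",")):
                if opt in ("tty_tickets", "!tty_tickets"):
                    tty_tickets = not opt.startswith("!")
                elif opt.startswith("timestamp_timeout="):
                    timeout = opt.split("=", 1)[1]
            continue
        if "NOPASSWD:" in line:  # a user spec that never asks for a password
            findings.append(f"NOPASSWD grants a password-less command: {line}")
    if tty_tickets is False:
        findings.append("tty_tickets is explicitly disabled; cached credentials leak across ttys")
    elif tty_tickets is None:
        findings.append("tty_tickets is not set explicitly; enable it so the default cannot vary")
    if timeout is None:
        findings.append("timestamp_timeout is not set; credentials stay cached after the first use")
    elif timeout != "0":
        findings.append(f"timestamp_timeout={timeout}; set it to 0 to require a password every time")
    return findings
```

Run it over `/etc/sudoers` and every file in `/etc/sudoers.d` as a configuration-baseline check; a non-empty result is a drift from the hardened state, not proof of compromise.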
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution | Monitor executed commands and arguments that may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. |
| DS0022 | File | File Metadata | Monitor the file system for files that have the setuid or setgid bits set. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). |
| | | File Modification | On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the |
| DS0009 | Process | OS API Execution | Also look for any process API calls for behavior that may be indicative of Process Injection. Monitoring OS API callbacks for the execution can also be a way to detect this behavior, but requires specialized security tooling. |
| | | Process Creation | Monitor for newly executed processes that may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try to attain SYSTEM: in the first technique, they create a named pipe and connect an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques. Analytic 1 - Get System Elevation |
| | | Process Metadata | Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, that may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. |
| DS0002 | User Account | User Account Modification | Log cloud API calls to assume, create, or impersonate additional roles, policies, and permissions. Review uses of just-in-time access to ensure that any justifications provided are valid and only expected actions were taken. |
| DS0024 | Windows Registry | Windows Registry Key Modification | There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and on collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes. |
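The DS0022 rows above say that auditd can alert whenever a user's real ID and effective ID differ. Once auditd writes those execve records, a collector still has to pair each SYSCALL record with its EXECVE record by audit serial and pick out the uid/euid mismatches; the code below does that over constructed sample lines. It is an added example, not the page's or auditd's own code; `find_uid_euid_mismatch` and `parse_record` are hypothetical helper names, and the sample log is constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed auditd lines in the kernel's key=value record format (not real host data).
# A rule of the form below (auditctl syntax) produces such records for every execve
# whose real uid differs from its effective uid; the key name "setuid" is arbitrary:
#   -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="setuid"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2102 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2103 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="helper" exe="/opt/app/bin/helper" key="setuid"
type=EXECVE msg=audit(1700000000.303:203): argc=1 a0="helper"
"""

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
_MSG_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")  # msg=audit(<time>:<serial>)


def parse_record(line: str) -> Dict[str, str]:
    """Hypothetical helper: split one audit record into a dict, adding the
    timestamp and serial that tie SYSCALL and EXECVE records of one event together."""
    rec = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    m = _MSG_RE.search(rec.get("msg", ""))
    if m:
        rec["time"], rec["serial"] = m.group(1), m.group(2)
    return rec


def find_uid_euid_mismatch(log: str) -> List[Dict[str, str]]:
    """Hypothetical helper: group records by serial and report every execve whose
    real uid differs from its effective uid, with the executable and argv attached."""
    events: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in log.splitlines():
        rec = parse_record(line) if line.strip() else {}
        if "serial" in rec:
            events[rec["serial"]].append(rec)
    hits: List[Dict[str, str]] = []
    for serial, recs in events.items():
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("uid") == syscall.get("euid"):
            continue  # not an execve record, or no privilege transition
        execve = next((r for r in recs if r.get("type") == "EXECVE"), {})
        argv = [execve[f"a{i}"] for i in range(int(execve.get("argc", 0))) if f"a{i}" in execve]
        hits.append({"serial": serial, "time": syscall["time"], "uid": syscall.get("uid", ""),
                     "euid": syscall.get("euid", ""), "exe": syscall.get("exe", ""),
                     "argv": " ".join(argv), "key": syscall.get("key", "")})
    return hits
```

Interactive sudo use will show up here by design, so the useful signal is the set of executables other than sudo (and the distro's expected setuid binaries) that produce a transition to euid 0, compared against the setuid baseline kept for the host.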