CAPEC-69: Target Programs with Elevated Privileges |
Description This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges. Likelihood Of Attack Typical Severity Relationships This table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.Nature | Type | ID | Name |
---|
ChildOf | Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises. | 233 | Privilege Escalation | CanPrecede | Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal. | 8 | Buffer Overflow in an API Call | CanPrecede | Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal. | 9 | Buffer Overflow in Local Command-Line Utilities | CanPrecede | Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal. | 10 | Buffer Overflow via Environment Variables | CanPrecede | Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal. | 67 | String Format Overflow in syslog() |
This table shows the views that this attack pattern belongs to and top level categories within that view. Execution Flow Explore Find programs with elevated priveleges: The adversary probes for programs running with elevated privileges. Techniques |
---|
Look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. |
Find vulnerability in running program: The adversary looks for a vulnerability in the running program that would allow for arbitrary code execution with the privilege of the running program. Techniques |
---|
Look for improper input validation | Look for improper failure safety. For instance when a program fails it may authorize restricted access to anyone. | Look for a buffer overflow which may be exploited if an adversary can inject unvalidated data. |
Exploit Execute arbitrary code: The adversary exploits the vulnerability that they have found. For instance, they can try to inject and execute arbitrary code or write to OS resources.
Prerequisites
The targeted program runs with elevated OS privileges. |
The targeted program accepts input data from the user or from another program. |
The targeted program is giving away information about itself. Before performing such attack, an eventual attacker may need to gather information about the services running on the host target. The more the host target is verbose about the services that are running (version number of application, etc.) the more information can be gather by an attacker. |
This attack often requires communicating with the host target services directly. For instance Telnet may be enough to communicate with the host target. |
Skills Required
[Level: Low] An attacker can use a tool to scan and automatically launch an attack against known issues. A tool can also repeat a sequence of instructions and try to brute force the service on the host target, an example of that would be the flooding technique. |
[Level: Medium] More advanced attack may require knowledge of the protocol spoken by the host service. |
Indicators
The log can have a trace of abnormal activity. Also if abnormal activity is detected on the host target. For instance flooding should be seen as abnormal activity and the target host may decide to take appropriate action in order to mitigate the attack (data filtering or blocking). Resource exhaustion is also a sign of abnormal activity. |
Consequences This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.Scope | Impact | Likelihood |
---|
Confidentiality Integrity Availability | Execute Unauthorized Commands | | Confidentiality Access Control Authorization | Gain Privileges | | Availability | Resource Consumption | |
Mitigations
Apply the principle of least privilege. |
Validate all untrusted data. |
Apply the latest patches. |
Scan your services and disable the ones which are not needed and are exposed unnecessarily. Exposing programs increases the attack surface. Only expose the services which are needed and have security mechanisms such as authentication built around them. |
Avoid revealing information about your system (e.g., version of the program) to anonymous users. |
Make sure that your program or service fail safely. What happen if the communication protocol is interrupted suddenly? What happen if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when a resource exhaustion occurs. |
If possible use a sandbox model which limits the actions that programs can take. A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause any damage. |
Check your program for buffer overflow and format String vulnerabilities which can lead to execution of malicious code. |
Monitor traffic and resource usage and pay attention if resource exhaustion occurs. |
Protect your log file from unauthorized modification and log forging. |
Taxonomy Mappings CAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.Relevant to the ATT&CK taxonomy mapping (see
parent
) References
[REF-1] G. Hoglund and
G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.
|
Content History Submissions |
---|
Submission Date | Submitter | Organization |
---|
2014-06-23 (Version 2.6) | CAPEC Content Team | The MITRE Corporation | | Modifications |
---|
Modification Date | Modifier | Organization |
---|
2015-11-09 (Version 2.7) | CAPEC Content Team | The MITRE Corporation | Updated References | 2017-01-09 (Version 2.9) | CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | 2018-07-31 (Version 2.12) | CAPEC Content Team | The MITRE Corporation | Updated Attacker_Skills_or_Knowledge_Required, References | 2020-07-30 (Version 3.3) | CAPEC Content Team | The MITRE Corporation | Updated Execution_Flow, Related_Attack_Patterns | 2021-06-24 (Version 3.5) | CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | 2021-10-21 (Version 3.6) | CAPEC Content Team | The MITRE Corporation | Updated Description, Execution_Flow, Prerequisites |
More information is available — Please select a different filter.
|