T1068

Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include...

Platforms: Containers, Linux, macOS, Windows

91 detections, 4 sources, 22 threat actors

BY SOURCE

elastic: 57, splunk_escu: 18, sigma: 15, crowdstrike_cql: 1

PROCEDURES (52)

Auto-extracted keyword groupings of the detections below (a keyword may appear more than once because each grouping was extracted separately):

- Privilege: 12 detections
- Driver: 5 detections
- Unusual: 5 detections
- General Monitoring: 4 detections
- Suspicious: 3 detections
- Service: 3 detections
- Inject: 2 detections
- Kernel: 2 detections
- Privilege: 2 detections
- Lateral: 2 detections
- Inject: 2 detections
- Remote: 2 detections
- Service: 2 detections
- Child Process: 2 detections
- Api: 2 detections
- Persist: 2 detections
- Privilege: 2 detections
- Privilege: 2 detections
- Azure: 2 detections
- Bypass: 1 detection
- Driver: 1 detection
- Dns: 1 detection
- Inject: 1 detection
- Suspicious: 1 detection
- Unusual: 1 detection
- Service: 1 detection
- Dns: 1 detection
- Remote: 1 detection
- Credential: 1 detection
- Http: 1 detection
- Bypass: 1 detection
- Exfiltrat: 1 detection
- Suspicious: 1 detection
- Bypass: 1 detection
- Lateral: 1 detection
- Exfiltrat: 1 detection
- Encrypt: 1 detection
- Child Process: 1 detection
- Kernel: 1 detection
- Kernel: 1 detection
- Exfiltrat: 1 detection
- Process Creation Monitoring: 1 detection
- Unusual: 1 detection
- Encrypt: 1 detection
- Persist: 1 detection
- Command Line Monitoring: 1 detection
- Suspicious: 1 detection
- Child Process: 1 detection
- Bypass: 1 detection
- Credential: 1 detection
- Service: 1 detection
- Suspicious: 1 detection

DETECTIONS (91)

Each entry gives the rule name followed by its source and, where the source publishes one, its severity.

- Anomalous Linux Compiler Activity (elastic, low)
- Audit CVE Event (sigma, critical)
- Buffer Overflow Attempts (sigma, high)
- BYOVD Driver Load with EDR/AV Process Termination (Medusa Ransomware) (crowdstrike_cql)
- Child Processes of Spoolsv exe (splunk_escu)
- Cisco Isovalent - Kprobe Spike (splunk_escu)
- Deprecated - Sudo Heap-Based Buffer Overflow Attempt (elastic, high)
- Deprecated - Suspicious PrintSpooler Service Executable File Creation (elastic, low)
- Detect Baron Samedit CVE-2021-3156 (splunk_escu)
- Detect Baron Samedit CVE-2021-3156 Segfault (splunk_escu)
- Detect Baron Samedit CVE-2021-3156 via OSQuery (splunk_escu)
- Expired or Revoked Driver Loaded (elastic, medium)
- Exploit - Detected - Elastic Endgame (elastic, high)
- Exploit - Prevented - Elastic Endgame (elastic, medium)
- First Time Seen Child Process of Zoom (splunk_escu)
- First Time Seen Driver Loaded (elastic, medium)
- HackTool - SysmonEOP Execution (sigma, critical)
- HKTL - SharpSuccessor Privilege Escalation Tool Execution (sigma, high)
- Linux pkexec Privilege Escalation (splunk_escu)
- Linux Sudo Chroot Execution (sigma, low)
- Malicious Driver Load (sigma, high)
- Malicious Driver Load By Name (sigma, medium)
- Microsoft SharePoint Server Elevation of Privilege (splunk_escu)
- Modification of the msPKIAccountCredentials (elastic, medium)
- OMIGOD SCX RunAsProvider ExecuteScript (sigma, high)
- OMIGOD SCX RunAsProvider ExecuteShellCommand (sigma, high)
- Persistence via Update Orchestrator Service Hijack (elastic, high)
- Possible Coin Miner CPU Priority Param (sigma, critical)
- Potential Buffer Overflow Attack Detected (elastic, low)
- Potential CVE-2025-32463 Nsswitch File Creation (elastic, high)
- Potential CVE-2025-32463 Sudo Chroot Execution Attempt (elastic, high)
- Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt (elastic, low)
- Potential Escalation via Vulnerable MSI Repair (elastic, high)
- Potential privilege escalation via CVE-2022-38028 (elastic, high)
- Potential Privilege Escalation via CVE-2023-4911 (elastic, high)
- Potential Privilege Escalation via Enlightenment (elastic, high)
- Potential Privilege Escalation via InstallerFileTakeOver (elastic, high)
- Potential Privilege Escalation via Linux DAC permissions (elastic, low)
- Potential Privilege Escalation via OverlayFS (elastic, high)
- Potential Privilege Escalation via PKEXEC (elastic, high)
- Potential Privilege Escalation via Python cap_setuid (elastic, high)
- Potential Privilege Escalation via Recently Compiled Executable (elastic, high)
- Potential Privilege Escalation via SUID/SGID Proxy Execution (elastic, medium)
- Potential Privileged Escalation via SamAccountName Spoofing (elastic, high)
- Potential Shadow File Read via Command Line Utilities (elastic, medium)
- Potential Shell via Wildcard Injection Detected (elastic, medium)
- Potential snap-confine Privilege Escalation via CVE-2026-3888 (elastic, high)
- Potential Sudo Privilege Escalation via CVE-2019-14287 (elastic, high)
- Potential Telnet Authentication Bypass (CVE-2026-24061) (elastic, critical)
- Potential Unauthorized Access via Wildcard Injection Detected (elastic, medium)
- Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities (elastic, medium)
- Privilege Escalation via CAP_SETUID/SETGID Capabilities (elastic, medium)
- Privilege Escalation via GDB CAP_SYS_PTRACE (elastic, medium)
- Privilege Escalation via SUID/SGID (elastic, medium)
- Process Explorer Driver Creation By Non-Sysinternals Binary (sigma, high)
- Process Monitor Driver Creation By Non-Sysinternals Binary (sigma, medium)
- Remote Computer Account DnsHostName Update (elastic, high)
- Root Network Connection via GDB CAP_SYS_PTRACE (elastic, medium)
- Spike in Group Application Assignment Change Events (elastic, low)
- Spike in Group Lifecycle Change Events (elastic, low)
- Spike in Group Membership Events (elastic, low)
- Spike in Group Privilege Change Events (elastic, low)
- Spike in host-based traffic (elastic, low)
- Spike in Special Logon Events (elastic, low)
- Spike in Special Privilege Use Events (elastic, low)
- Spike in User Account Management Events (elastic, low)
- Spoolsv Suspicious Process Access (splunk_escu)
- Suspicious Child Process of Adobe Acrobat Reader Update Service (elastic, high)
- Suspicious Passwd File Event Action (elastic, medium)
- Suspicious Print Spooler File Deletion (elastic, medium)
- Suspicious Print Spooler Point and Print DLL (elastic, high)
- Suspicious Print Spooler SPL File Created (elastic, low)
- Suspicious Spool Service Child Process (sigma, high)
- Telnet Authentication Bypass via User Environment Variable (elastic, critical)
- Unsigned DLL loaded by DNS Service (elastic, medium)
- Unusual Executable File Creation by a System Critical Process (elastic, high)
- Unusual Group Name Accessed by a User (elastic, low)
- Unusual Print Spooler Child Process (elastic, medium)
- Unusual Privilege Type assigned to a User (elastic, low)
- Unusual Spike in Concurrent Active Sessions by a User (elastic, low)
- VMWare Aria Operations Exploit Attempt (splunk_escu)
- Vulnerable Driver Load (sigma, high)
- Vulnerable Driver Load By Name (sigma, low)
- Windows Driver Inventory (splunk_escu)
- Windows Driver Load Non-Standard Path (splunk_escu)
- Windows Drivers Loaded by Signature (splunk_escu)
- Windows Privilege Escalation Suspicious Process Elevation (splunk_escu)
- Windows Privilege Escalation System Process Without System Parent (splunk_escu)
- Windows Privilege Escalation User Process Spawn System Process (splunk_escu)
- Windows Service Create Kernel Mode Driver (splunk_escu)
- Windows System File on Disk (splunk_escu)