The Attenuator acts as an intelligent filter that can analyze security events detected by Jibril and provide additional context.
New Feature!
Jibril
DiscordGarnet🐈‍⬛
  • Jibril
    • Jibril
      • New Era
      • Theory Behind
      • Architecture
      • Agent Dashboard
      • Compare
    • Install and Run
      • Requirements
      • Systemd Service
      • Command Line
      • Docker Container
      • Kubernetes
        • Kubernetes Script
      • Configuration File
      • Cache Configuration
      • Network Policy File
      • Systemd Config
    • Components
      • Features
      • Extensions
      • Plugins
      • Printers
      • Events
      • Alchemies
        • Overview
        • Enable Alchemies
        • Create Recipes
        • Recipes Reference
        • Builtin Recipes
      • Network Policy
      • Attenuator
    • Mechanisms
      • File Access
      • Execution
      • File Access And Execution
      • Network Peers
      • Network eBPF Logic
      • Probes and Traces
      • Bigger eBPF Logic
      • Loader Interception
    • Detections
      • File Access
        • Auth Logs Tamper
        • Binary Self Deletion
        • Capabilities Modification
        • Code Modification Through Procfs
        • Core Pattern Access
        • CPU Fingerprint
        • Credentials Files Access
        • Crypto Miner Files
        • Environment Read From ProcFS
        • File Example
        • Filesystem Fingerprint
        • Global Shlib Modification
        • Java Debug Lib Load
        • Java Instrument Lib Load
        • Machine Fingerprint
        • OS Fingerprint
        • OS Network Fingerprint
        • OS Status Fingerprint
        • Package Repo Config Modification
        • PAM Config Modification
        • Sched Debug Access
        • Shell Config Modification
        • SSL Certificate Access
        • Sudoers Modification
        • Sysrq Access
        • Unprivileged Bpf Config Access
      • Execution
        • Binary Executed By Loader
        • Code On The Fly
        • Crypto Miner Execution
        • Data Encoder Exec
        • Denial Of Service Tools
        • Exec Example
        • Exec From Unusual Dir
        • File Attribute Change
        • Hidden Elf Exec
        • Interpreter Shell Spawn
        • Net Filecopy Tool Exec
        • Net MitM Tool Exec
        • Net Scan Tool Exec
        • Net Sniff Tool Exec
        • Net Suspicious Tool Exec
        • Net Suspicious Tool Shell
        • Passwd Usage
        • Runc Suspicious Exec
        • Webserver Exec
        • Webserver Shell Exec
      • Network Peers
        • Adult Domain Access
        • Badware Domain Access
        • Dynamic DNS Domain Access
        • Fake Domain Access
        • Gambling Domain Access
        • Peer Example
        • Piracy Domain Access
        • Plaintext Communication
        • Threat Domain Access
        • Tracking Domain Access
        • VPN Domain Access
    • Bugs and Requests
    • Banner
    • License
  • Research
    • Runtime Security
      • Valkyrie Response
  • MITRE
    • Initial Access (TA0001)
      • Valid Accounts (T1078)
        • Default Accounts (T1078.001)
        • Domain Accounts (T1078.002)
        • Local Accounts (T1078.003)
        • Cloud Accounts (T1078.004)
      • Replication Through Removable Media (T1091)
      • External Remote Services (T1133)
      • Drive-by Compromise (T1189)
      • Exploit Public-Facing Application (T1190)
      • Supply Chain Compromise (T1195)
        • Compromise Software Dependencies and Development Tools (T1195.001)
        • Compromise Software Supply Chain (T1195.002)
        • Compromise Hardware Supply Chain (T1195.003)
      • Trusted Relationship (T1199)
      • Hardware Additions (T1200)
      • Phishing (T1566)
        • Spearphishing Attachment (T1566.001)
        • Spearphishing Link (T1566.002)
        • Spearphishing via Service (T1566.003)
        • Spearphishing Voice (T1566.004)
    • Execution (TA0002)
      • Windows Management Instrumentation (T1047)
      • Scheduled Task/Job (T1053)
        • At (T1053.002)
        • Cron (T1053.003)
        • Scheduled Task (T1053.005)
        • Systemd Timers (T1053.006)
        • Container Orchestration Job (T1053.007)
      • Command and Scripting Interpreter (T1059)
        • PowerShell (T1059.001)
        • AppleScript (T1059.002)
        • Windows Command Shell (T1059.003)
        • Unix Shell (T1059.004)
        • Visual Basic (T1059.005)
        • Python (T1059.006)
        • JavaScript (T1059.007)
        • Network Device CLI (T1059.008)
        • Cloud API (T1059.009)
        • AutoHotKey & AutoIT (T1059.010)
        • Lua (T1059.011)
      • Software Deployment Tools (T1072)
      • Native API (T1106)
      • Shared Modules (T1129)
      • Exploitation for Client Execution (T1203)
      • User Execution (T1204)
        • Malicious Link (T1204.001)
        • Malicious File (T1204.002)
        • Malicious Image (T1204.003)
      • Inter-Process Communication (T1559)
        • Component Object Model (T1559.001)
        • Dynamic Data Exchange (T1559.002)
        • XPC Services (T1559.003)
      • System Services (T1569)
        • Launchctl (T1569.001)
        • Service Execution (T1569.002)
      • Container Administration Command (T1609)
        • Deploy Container (T1609.001)
      • Serverless Execution (T1648)
      • Cloud Administration Command (T1651)
    • Persistence (TA0003)
      • Boot or Logon Initialization Scripts (T1037)
        • Logon Script (Windows) (T1037.001)
        • Login Hook (T1037.002)
        • Network Logon Script (T1037.003)
        • RC Scripts (T1037.004)
        • Startup Items (T1037.005)
      • Scheduled Task/Job (T1053)
        • At (T1053.002)
        • Cron (T1053.003)
        • Scheduled Task (T1053.005)
        • Systemd Timers (T1053.006)
        • Container Orchestration Job (T1053.007)
      • Valid Accounts (T1078)
        • Default Accounts (T1078.001)
        • Domain Accounts (T1078.002)
        • Local Accounts (T1078.003)
        • Cloud Accounts (T1078.004)
      • Account Manipulation (T1098)
        • Additional Cloud Credentials (T1098.001)
        • Additional Email Delegate Permissions (T1098.002)
        • Additional Cloud Roles (T1098.003)
        • SSH Authorized Keys (T1098.004)
        • Device Registration (T1098.005)
        • Additional Container Cluster Roles (T1098.006)
        • Additional Local or Domain Groups (T1098.007)
      • External Remote Services (T1133)
      • Create Account (T1136)
        • Local Account (T1136.001)
        • Domain Account (T1136.002)
        • Cloud Account (T1136.003)
      • Office Application Startup (T1137)
        • Office Template Macros (T1137.001)
        • Office Test (T1137.002)
        • Outlook Forms (T1137.003)
        • Outlook Home Page (T1137.004)
        • Outlook Rules (T1137.005)
        • Add-ins (T1137.006)
      • Browser Extensions (T1176)
      • BITS Jobs (T1197)
      • Traffic Signaling (T1205)
        • Port Knocking (T1205.001)
        • Socket Filters (T1205.002)
      • Server Software Component (T1505)
        • SQL Stored Procedures (T1505.001)
        • Transport Agent (T1505.002)
        • Web Shell (T1505.003)
        • IIS Components (T1505.004)
        • Terminal Services DLL (T1505.005)
      • Implant Internal Image (T1525)
      • Pre-OS Boot (T1542)
        • System Firmware (T1542.001)
        • Component Firmware (T1542.002)
        • Bootkit (T1542.003)
        • ROMMONkit (T1542.004)
        • TFTP Boot (T1542.005)
      • Create or Modify System Process (T1543)
        • Launch Agent (T1543.001)
        • Systemd Service (T1543.002)
        • Windows Service (T1543.003)
        • Launch Daemon (T1543.004)
        • Container Service (T1543.005)
      • Event Triggered Execution (T1546)
        • Change Default File Association (T1546.001)
        • Screensaver (T1546.002)
        • Windows Management Instrumentation Event Subscription (T1546.003)
        • Unix Shell Configuration Modification (T1546.004)
        • Trap (T1546.005)
        • LC_LOAD_DYLIB Addition (T1546.006)
        • Netsh Helper DLL (T1546.007)
        • Accessibility Features (T1546.008)
        • AppCert DLLs (T1546.009)
        • AppInit DLLs (T1546.010)
        • Application Shimming (T1546.011)
        • Image File Execution Options Injection (T1546.012)
        • PowerShell Profile (T1546.013)
        • Emond (T1546.014)
        • Component Object Model Hijacking (T1546.015)
        • Installer Packages (T1546.016)
        • Udev Rules (T1546.017)
      • Boot or Logon Autostart Execution (T1547)
        • Registry Run Keys / Startup Folder (T1547.001)
        • Authentication Package (T1547.002)
        • Time Providers (T1547.003)
        • Winlogon Helper DLL (T1547.004)
        • Security Support Provider (T1547.005)
        • Kernel Modules and Extensions (T1547.006)
        • Re-opened Applications (T1547.007)
        • LSASS Driver (T1547.008)
        • Shortcut Modification (T1547.009)
        • Port Monitors (T1547.010)
        • Plist Modification (T1547.011)
        • XDG Autostart Entries (T1547.013)
        • Active Setup (T1547.014)
        • Login Items (T1547.015)
      • Compromise Host Software Binary (T1554)
      • Modify Authentication Process (T1556)
        • Domain Controller Authentication (T1556.001)
        • Password Filter DLL (T1556.002)
        • Pluggable Authentication Modules (T1556.003)
        • Network Device Authentication (T1556.004)
        • Reversible Encryption (T1556.005)
        • Multi-Factor Authentication (T1556.006)
        • Hybrid Identity (T1556.007)
        • Network Provider DLL (T1556.008)
        • Conditional Access Policies (T1556.009)
      • Hijack Execution Flow (T1574)
        • DLL Search Order Hijacking (T1574.001)
        • DLL Side-Loading (T1574.002)
        • Dylib Hijacking (T1574.004)
        • Executable Installer File Permissions Weakness (T1574.005)
        • Dynamic Linker Hijacking (T1574.006)
        • Path Interception by PATH Environment Variable (T1574.007)
        • Path Interception by Search Order Hijacking (T1574.008)
        • Path Interception by Unquoted Path (T1574.009)
        • Services File Permissions Weakness (T1574.010)
        • Services Registry Permissions Weakness (T1574.011)
        • COR_PROFILER (T1574.012)
        • KernelCallbackTable (T1574.013)
        • AppDomainManager (T1574.014)
    • Privilege Escalation (TA0004)
      • Boot or Logon Initialization Scripts (T1037)
        • Logon Script (Windows) (T1037.001)
        • Login Hook (T1037.002)
        • Network Logon Script (T1037.003)
        • RC Scripts (T1037.004)
        • Startup Items (T1037.005)
      • Scheduled Task/Job (T1053)
        • At (T1053.002)
        • Cron (T1053.003)
        • Scheduled Task (T1053.005)
        • Systemd Timers (T1053.006)
        • Container Orchestration Job (T1053.007)
      • Process Injection (T1055)
        • Dynamic-link Library Injection (T1055.001)
        • Portable Executable Injection (T1055.002)
        • Thread Execution Hijacking (T1055.003)
        • Asynchronous Procedure Call (T1055.004)
        • Thread Local Storage (T1055.005)
        • Ptrace System Calls (T1055.008)
        • Proc Memory (T1055.009)
        • Extra Window Memory Injection (T1055.011)
        • Process Hollowing (T1055.012)
        • Process Doppelgänging (T1055.013)
        • VDSO Hijacking (T1055.014)
        • ListPlanting (T1055.015)
      • Exploitation for Privilege Escalation (T1068)
      • Valid Accounts (T1078)
        • Default Accounts (T1078.001)
        • Domain Accounts (T1078.002)
        • Local Accounts (T1078.003)
        • Cloud Accounts (T1078.004)
      • Account Manipulation (T1098)
        • Additional Cloud Credentials (T1098.001)
        • Additional Email Delegate Permissions (T1098.002)
        • Additional Cloud Roles (T1098.003)
        • SSH Authorized Keys (T1098.004)
        • Device Registration (T1098.005)
        • Additional Container Cluster Roles (T1098.006)
        • Additional Local or Domain Groups (T1098.007)
      • Access Token Manipulation (T1134)
        • Token Impersonation/Theft (T1134.001)
        • Create Process with Token (T1134.002)
        • Make and Impersonate Token (T1134.003)
        • Parent PID Spoofing (T1134.004)
        • SID-History Injection (T1134.005)
      • Domain or Tenant Policy Modification (T1484)
        • Group Policy Modification (T1484.001)
        • Trust Modification (T1484.002)
      • Create or Modify System Process (T1543)
        • Launch Agent (T1543.001)
        • Systemd Service (T1543.002)
        • Windows Service (T1543.003)
        • Launch Daemon (T1543.004)
        • Container Service (T1543.005)
      • Event Triggered Execution (T1546)
        • Change Default File Association (T1546.001)
        • Screensaver (T1546.002)
        • Windows Management Instrumentation Event Subscription (T1546.003)
        • Unix Shell Configuration Modification (T1546.004)
        • Trap (T1546.005)
        • LC_LOAD_DYLIB Addition (T1546.006)
        • Netsh Helper DLL (T1546.007)
        • Accessibility Features (T1546.008)
        • AppCert DLLs (T1546.009)
        • AppInit DLLs (T1546.010)
        • Application Shimming (T1546.011)
        • Image File Execution Options Injection (T1546.012)
        • PowerShell Profile (T1546.013)
        • Emond (T1546.014)
        • Component Object Model Hijacking (T1546.015)
        • Installer Packages (T1546.016)
        • Udev Rules (T1546.017)
      • Boot or Logon Autostart Execution (T1547)
        • Registry Run Keys / Startup Folder (T1547.001)
        • Authentication Package (T1547.002)
        • Time Providers (T1547.003)
        • Winlogon Helper DLL (T1547.004)
        • Security Support Provider (T1547.005)
        • Kernel Modules and Extensions (T1547.006)
        • Re-opened Applications (T1547.007)
        • LSASS Driver (T1547.008)
        • Shortcut Modification (T1547.009)
        • Port Monitors (T1547.010)
        • Plist Modification (T1547.011)
        • XDG Autostart Entries (T1547.013)
        • Active Setup (T1547.014)
        • Login Items (T1547.015)
      • Abuse Elevation Control Mechanism (T1548)
        • Setuid and Setgid (T1548.001)
        • Bypass User Account Control (T1548.002)
        • Sudo and Sudo Caching (T1548.003)
        • Elevated Execution with Prompt (T1548.004)
        • Temporary Elevated Cloud Access (T1548.005)
        • TCC Manipulation (T1548.006)
      • Hijack Execution Flow (T1574)
        • DLL Search Order Hijacking (T1574.001)
        • DLL Side-Loading (T1574.002)
        • Dylib Hijacking (T1574.004)
        • Executable Installer File Permissions Weakness (T1574.005)
        • Dynamic Linker Hijacking (T1574.006)
        • Path Interception by PATH Environment Variable (T1574.007)
        • Path Interception by Search Order Hijacking (T1574.008)
        • Path Interception by Unquoted Path (T1574.009)
        • Services File Permissions Weakness (T1574.010)
        • Services Registry Permissions Weakness (T1574.011)
        • COR_PROFILER (T1574.012)
        • KernelCallbackTable (T1574.013)
        • AppDomainManager (T1574.014)
      • Escape to Host (T1611)
    • Defense Evasion (TA0005)
      • Direct Volume Access (T1006)
      • Rootkit (T1014)
      • Obfuscated Files or Information (T1027)
        • Binary Padding (T1027.001)
        • Software Packing (T1027.002)
        • Steganography (T1027.003)
        • Compile After Delivery (T1027.004)
        • HTML Smuggling (T1027.006)
      • Masquerading (T1036)
        • Right-to-Left Override (T1036.002)
        • Rename System Utilities (T1036.003)
        • Masquerade Task or Service (T1036.004)
        • Match Legitimate Name or Location (T1036.005)
        • Space after Filename (T1036.006)
        • Double File Extension (T1036.007)
        • Masquerade File Type (T1036.008)
      • Process Injection (T1055)
        • Dynamic-link Library Injection (T1055.001)
        • Portable Executable Injection (T1055.002)
        • Thread Execution Hijacking (T1055.003)
        • Asynchronous Procedure Call (T1055.004)
        • Thread Local Storage (T1055.005)
        • Ptrace System Calls (T1055.008)
        • Proc Memory (T1055.009)
        • Extra Window Memory Injection (T1055.011)
        • Process Hollowing (T1055.012)
        • Process Doppelgänging (T1055.013)
        • VDSO Hijacking (T1055.014)
        • ListPlanting (T1055.015)
      • Indicator Removal (T1070)
        • Clear Windows Event Logs (T1070.001)
        • Clear Command History (T1070.003)
        • File Deletion (T1070.004)
        • Timestomp (T1070.006)
        • Clear Network Connection History and Configurations (T1070.007)
      • Valid Accounts (T1078)
        • Default Accounts (T1078.001)
        • Domain Accounts (T1078.002)
        • Local Accounts (T1078.003)
        • Cloud Accounts (T1078.004)
      • Modify Registry (T1112)
      • Access Token Manipulation (T1134)
        • Token Impersonation/Theft (T1134.001)
        • Create Process with Token (T1134.002)
        • Make and Impersonate Token (T1134.003)
        • Parent PID Spoofing (T1134.004)
        • SID-History Injection (T1134.005)
      • Deobfuscate/Decode Files or Information (T1140)
      • BITS Jobs (T1197)
      • Indirect Command Execution (T1202)
      • Traffic Signaling (T1205)
        • Port Knocking (T1205.001)
        • Socket Filters (T1205.002)
      • Rogue Domain Controller (T1207)
      • Exploitation for Defense Evasion (T1211)
      • System Script Proxy Execution (T1216)
        • PubPrn (T1216.001)
      • System Binary Proxy Execution (T1218)
        • Compiled HTML File (T1218.001)
        • Control Panel (T1218.002)
        • CMSTP (T1218.003)
        • InstallUtil (T1218.004)
        • Mshta (T1218.005)
        • Msiexec (T1218.007)
        • Odbcconf (T1218.008)
        • Regsvcs/Regasm (T1218.009)
        • Regsvr32 (T1218.010)
        • Rundll32 (T1218.011)
        • Verclsid (T1218.012)
        • Mavinject (T1218.013)
        • MMC (T1218.014)
      • XSL Script Processing (T1220)
      • Template Injection (T1221)
      • File and Directory Permissions Modification (T1222)
        • Windows File and Directory Permissions Modification (T1222.001)
        • Linux and Mac File and Directory Permissions Modification (T1222.002)
      • Execution Guardrails (T1480)
        • Environmental Keying (T1480.001)
        • Mutual Exclusion (T1480.002)
        • Time Based Evasion (T1480.003)
      • Domain or Tenant Policy Modification (T1484)
        • Group Policy Modification (T1484.001)
        • Trust Modification (T1484.002)
      • Virtualization/Sandbox Evasion (T1497)
        • System Checks (T1497.001)
        • User Activity Based Checks (T1497.002)
        • Time Based Evasion (T1497.003)
      • Pre-OS Boot (T1542)
        • System Firmware (T1542.001)
        • Component Firmware (T1542.002)
        • Bootkit (T1542.003)
        • ROMMONkit (T1542.004)
        • TFTP Boot (T1542.005)
      • Abuse Elevation Control Mechanism (T1548)
        • Setuid and Setgid (T1548.001)
        • Bypass User Account Control (T1548.002)
        • Sudo and Sudo Caching (T1548.003)
        • Elevated Execution with Prompt (T1548.004)
        • Temporary Elevated Cloud Access (T1548.005)
        • TCC Manipulation (T1548.006)
      • Use Alternate Authentication Material (T1550)
        • Application Access Token (T1550.001)
        • Pass the Hash (T1550.002)
        • Pass the Ticket (T1550.003)
        • Web Session Cookie (T1550.004)
      • Subvert Trust Controls (T1553)
        • Gatekeeper Bypass (T1553.001)
        • Code Signing (T1553.002)
        • SIP and Trust Provider Hijacking (T1553.003)
        • Install Root Certificate (T1553.004)
        • Mark-of-the-Web Bypass (T1553.005)
      • Modify Authentication Process (T1556)
        • Domain Controller Authentication (T1556.001)
        • Password Filter DLL (T1556.002)
        • Pluggable Authentication Modules (T1556.003)
        • Network Device Authentication (T1556.004)
        • Reversible Encryption (T1556.005)
        • Multi-Factor Authentication (T1556.006)
        • Hybrid Identity (T1556.007)
        • Network Provider DLL (T1556.008)
        • Conditional Access Policies (T1556.009)
      • Impair Defenses (T1562)
        • Disable or Modify Tools (T1562.001)
        • Disable Windows Event Logging (T1562.002)
        • Disable or Modify System Firewall (T1562.004)
        • Disable or Modify Cloud Logs (T1562.008)
      • Hide Artifacts (T1564)
        • Hidden Files and Directories (T1564.001)
        • Hidden Users (T1564.002)
        • Hidden Window (T1564.003)
        • NTFS File Attributes (T1564.004)
        • Hidden File System (T1564.005)
      • Hijack Execution Flow (T1574)
        • DLL Search Order Hijacking (T1574.001)
        • DLL Side-Loading (T1574.002)
        • Dylib Hijacking (T1574.004)
        • Executable Installer File Permissions Weakness (T1574.005)
        • Dynamic Linker Hijacking (T1574.006)
        • Path Interception by PATH Environment Variable (T1574.007)
        • Path Interception by Search Order Hijacking (T1574.008)
        • Path Interception by Unquoted Path (T1574.009)
        • Services File Permissions Weakness (T1574.010)
        • Services Registry Permissions Weakness (T1574.011)
        • COR_PROFILER (T1574.012)
        • KernelCallbackTable (T1574.013)
        • AppDomainManager (T1574.014)
      • Modify Cloud Compute Infrastructure (T1578)
        • Create Snapshot (T1578.001)
        • Create Cloud Instance (T1578.002)
      • Network Boundary Bridging (T1599)
        • Network Address Translation Traversal (T1599.001)
      • Weaken Encryption (T1600)
        • Reduce Key Space (T1600.001)
        • Disable Crypto Hardware (T1600.002)
      • Modify System Image (T1601)
        • Patch System Image (T1601.001)
        • Downgrade System Image (T1601.002)
      • Build Image on Host (T1612)
      • Reflective Code Loading (T1620)
    • Credential Access (TA0006)
      • OS Credential Dumping (T1003)
        • LSASS Memory (T1003.001)
        • Security Account Manager (T1003.002)
        • NTDS (T1003.003)
        • LSA Secrets (T1003.004)
        • Cached Domain Credentials (T1003.005)
        • DCSync (T1003.006)
        • Proc Filesystem (T1003.007)
      • Network Sniffing (T1040)
      • Input Capture (T1056)
        • Keylogging (T1056.001)
        • GUI Input Capture (T1056.002)
        • Web Portal Capture (T1056.003)
      • Brute Force (T1110)
        • Password Guessing (T1110.001)
        • Password Cracking (T1110.002)
        • Password Spraying (T1110.003)
        • Credential Stuffing (T1110.004)
      • Multi-Factor Authentication Interception (T1111)
      • Forced Authentication (T1187)
      • Exploitation for Credential Access (T1212)
      • Cloud Instance Metadata API (T1522)
      • Steal Application Access Token (T1528)
      • Steal Web Session Cookie (T1539)
      • Unsecured Credentials (T1552)
        • Credentials In Files (T1552.001)
        • Credentials in Registry (T1552.002)
        • Bash History (T1552.003)
        • Group Policy Preferences (T1552.006)
      • Credentials from Password Stores (T1555)
        • Credentials from Web Browsers (T1555.003)
        • Windows Credential Manager (T1555.004)
        • Password Managers (T1555.005)
      • Modify Authentication Process (T1556)
        • Domain Controller Authentication (T1556.001)
        • Password Filter DLL (T1556.002)
        • Pluggable Authentication Modules (T1556.003)
        • Network Device Authentication (T1556.004)
        • Reversible Encryption (T1556.005)
        • Multi-Factor Authentication (T1556.006)
        • Hybrid Identity (T1556.007)
        • Network Provider DLL (T1556.008)
        • Conditional Access Policies (T1556.009)
      • Adversary-in-the-Middle (T1557)
        • LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
        • ARP Cache Poisoning (T1557.002)
        • DHCP Spoofing (T1557.003)
        • Evil Twin (T1557.004)
      • Steal or Forge Kerberos Tickets (T1558)
        • Golden Ticket (T1558.001)
        • Silver Ticket (T1558.002)
        • Kerberoasting (T1558.003)
      • Forge Web Credentials (T1606)
        • Web Cookies (T1606.001)
        • SAML Tokens (T1606.002)
      • Multi-Factor Authentication Request Generation (T1621)
      • Steal or Forge Authentication Certificates (T1649)
    • Discovery (TA0007)
      • System Service Discovery (T1007)
      • Application Window Discovery (T1010)
      • Query Registry (T1012)
      • System Network Configuration Discovery (T1016)
        • Internet Connection Discovery (T1016.001)
      • Remote System Discovery (T1018)
      • System Owner/User Discovery (T1033)
      • Network Sniffing (T1040)
      • Network Service Discovery (T1046)
      • System Network Connections Discovery (T1049)
      • Process Discovery (T1057)
      • Permission Groups Discovery (T1069)
        • Local Groups (T1069.001)
        • Domain Groups (T1069.002)
        • Cloud Groups (T1069.003)
      • System Information Discovery (T1082)
      • File and Directory Discovery (T1083)
      • Account Discovery (T1087)
        • Local Account (T1087.001)
        • Domain Account (T1087.002)
        • Cloud Account (T1087.004)
      • Peripheral Device Discovery (T1120)
      • System Time Discovery (T1124)
      • Network Share Discovery (T1135)
      • Password Policy Discovery (T1201)
      • Browser Information Discovery (T1217)
      • Domain Trust Discovery (T1482)
      • Virtualization/Sandbox Evasion (T1497)
        • System Checks (T1497.001)
        • User Activity Based Checks (T1497.002)
        • Time Based Evasion (T1497.003)
      • Software Discovery (T1518)
        • Security Software Discovery (T1518.001)
        • Installed Services Discovery (T1518.002)
      • Cloud Service Discovery (T1526)
      • Cloud Service Dashboard (T1538)
      • Cloud Infrastructure Discovery (T1580)
      • Container and Resource Discovery (T1613)
      • System Location Discovery (T1614)
        • System Language Discovery (T1614.001)
      • Group Policy Discovery (T1615)
      • Cloud Storage Object Discovery (T1619)
    • Lateral Movement (TA0008)
      • Remote Services (T1021)
        • Remote Desktop Protocol (T1021.001)
        • SMB/Windows Admin Shares (T1021.002)
        • Distributed Component Object Model (T1021.003)
        • SSH (T1021.004)
        • VNC (T1021.005)
        • Windows Remote Management (T1021.006)
        • Cloud Services (T1021.007)
      • Software Deployment Tools (T1072)
      • Taint Shared Content (T1080)
      • Replication Through Removable Media (T1091)
      • Exploitation of Remote Services (T1210)
      • Internal Spearphishing (T1534)
      • Use Alternate Authentication Material (T1550)
        • Application Access Token (T1550.001)
        • Pass the Hash (T1550.002)
        • Pass the Ticket (T1550.003)
        • Web Session Cookie (T1550.004)
      • Remote Service Session Hijacking (T1563)
        • RDP Hijacking (T1563.002)
      • Lateral Tool Transfer (T1570)
    • Collection (TA0009)
      • Data from Local System (T1005)
      • Data from Removable Media (T1025)
      • Data from Network Shared Drive (T1039)
      • Input Capture (T1056)
        • Keylogging (T1056.001)
        • GUI Input Capture (T1056.002)
        • Web Portal Capture (T1056.003)
      • Data Staged (T1074)
        • Local Data Staging (T1074.001)
        • Remote Data Staging (T1074.002)
      • Screen Capture (T1113)
      • Email Collection (T1114)
        • Local Email Collection (T1114.001)
        • Remote Email Collection (T1114.002)
        • Email Forwarding Rule (T1114.003)
      • Clipboard Data (T1115)
      • Automated Collection (T1119)
      • Audio Capture (T1123)
      • Video Capture (T1125)
      • Browser Session Hijacking (T1185)
      • Data from Information Repositories (T1213)
        • Confluence (T1213.001)
        • Sharepoint (T1213.002)
        • Code Repositories (T1213.003)
        • Customer Relationship Management Software (T1213.004)
      • Data from Cloud Storage (T1530)
        • Cloud Storage Object (T1530.001)
      • Adversary-in-the-Middle (T1557)
        • LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
        • ARP Cache Poisoning (T1557.002)
        • DHCP Spoofing (T1557.003)
        • Evil Twin (T1557.004)
      • Archive Collected Data (T1560)
        • Archive via Utility (T1560.001)
        • Archive via Library (T1560.002)
        • Archive via Custom Method (T1560.003)
      • Data from Configuration Repository (T1602)
        • SNMP (MIB Dump) (T1602.001)
        • Network Device Configuration Dump (T1602.002)
    • Exfiltration (TA0010)
      • Exfiltration Over Other Network Medium (T1011)
        • Exfiltration Over Bluetooth (T1011.001)
      • Automated Exfiltration (T1020)
        • Traffic Duplication (T1020.001)
      • Scheduled Transfer (T1029)
      • Data Transfer Size Limits (T1030)
      • Exfiltration Over C2 Channel (T1041)
      • Exfiltration Over Alternative Protocol (T1048)
        • Exfiltration Over Symmetric Encrypted Non-C2 Protocol (T1048.001)
        • Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002)
        • Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)
      • Exfiltration Over Physical Medium (T1052)
        • Exfiltration over USB (T1052.001)
      • Exfiltration Over Web Service (T1567)
        • Exfiltration to Code Repository (T1567.001)
        • Exfiltration to Cloud Storage (T1567.002)
        • Exfiltration to Text Storage Sites (T1567.003)
        • Exfiltration Over Webhook (T1567.004)
    • Command and Control (TA0011)
      • Data Obfuscation (T1001)
        • Junk Data (T1001.001)
        • Steganography (T1001.002)
        • Protocol or Service Impersonation (T1001.003)
      • Fallback Channels (T1008)
      • Application Layer Protocol (T1071)
        • Web Protocols (T1071.001)
        • File Transfer Protocols (T1071.002)
        • Mail Protocols (T1071.003)
        • DNS (T1071.004)
      • Proxy (T1090)
        • Internal Proxy (T1090.001)
        • External Proxy (T1090.002)
        • Multi-hop Proxy (T1090.003)
        • Domain Fronting (T1090.004)
      • Communication Through Removable Media (T1092)
      • Non-Application Layer Protocol (T1095)
      • Web Service (T1102)
        • Dead Drop Resolver (T1102.001)
        • Bidirectional Communication (T1102.002)
        • One-Way Communication (T1102.003)
      • Multi-Stage Channels (T1104)
      • Ingress Tool Transfer (T1105)
      • Data Encoding (T1132)
        • Standard Encoding (T1132.001)
        • Non-Standard Encoding (T1132.002)
      • Traffic Signaling (T1205)
        • Port Knocking (T1205.001)
        • Socket Filters (T1205.002)
      • Remote Access Software (T1219)
      • Dynamic Resolution (T1568)
        • Fast Flux DNS (T1568.001)
        • Domain Generation Algorithms (T1568.002)
        • DNS Calculation (T1568.003)
      • Non-Standard Port (T1571)
      • Protocol Tunneling (T1572)
      • Encrypted Channel (T1573)
        • Symmetric Cryptography (T1573.001)
        • Asymmetric Cryptography (T1573.002)
    • Impact (TA0040)
      • Data Destruction (T1485)
        • Lifecycle-Triggered Deletion (T1485.001)
      • Data Encrypted for Impact (T1486)
      • Service Stop (T1489)
      • Inhibit System Recovery (T1490)
      • Defacement (T1491)
        • Internal Defacement (T1491.001)
        • External Defacement (T1491.002)
      • Firmware Corruption (T1495)
      • Resource Hijacking (T1496)
        • Compute Hijacking (T1496.001)
      • Network Denial of Service (T1498)
        • Direct Network Flood (T1498.001)
        • Reflection Amplification (T1498.002)
      • Endpoint Denial of Service (T1499)
        • OS Exhaustion Flood (T1499.001)
        • Service Exhaustion Flood (T1499.002)
        • Application Exhaustion Flood (T1499.003)
        • Application or System Exploitation (T1499.004)
      • System Shutdown/Reboot (T1529)
      • Account Access Removal (T1531)
      • Disk Wipe (T1561)
        • Disk Content Wipe (T1561.001)
        • Disk Structure Wipe (T1561.002)
      • Data Manipulation (T1565)
        • Stored Data Manipulation (T1565.001)
        • Transmitted Data Manipulation (T1565.002)
        • Runtime Data Manipulation (T1565.003)
    • Resource Development (TA0042)
      • Acquire Infrastructure (T1583)
        • Domains (T1583.001)
        • DNS Server (T1583.002)
        • Virtual Private Server (T1583.003)
        • Server (T1583.004)
        • Botnet (T1583.005)
        • Web Services (T1583.006)
        • Serverless (T1583.007)
        • Malvertising (T1583.008)
      • Compromise Infrastructure (T1584)
        • Domains (T1584.001)
        • DNS Server (T1584.002)
        • Virtual Private Server (T1584.003)
        • Server (T1584.004)
        • Botnet (T1584.005)
        • Web Services (T1584.006)
        • Serverless (T1584.007)
        • Network Devices (T1584.008)
      • Establish Accounts (T1585)
        • Social Media Accounts (T1585.001)
        • Email Accounts (T1585.002)
        • Cloud Accounts (T1585.003)
      • Compromise Accounts (T1586)
        • Social Media Accounts (T1586.001)
        • Email Accounts (T1586.002)
        • Cloud Accounts (T1586.003)
      • Develop Capabilities (T1587)
        • Malware (T1587.001)
        • Code Signing Certificates (T1587.002)
        • Digital Certificates (T1587.003)
        • Exploits (T1587.004)
      • Obtain Capabilities (T1588)
        • Malware (T1588.001)
        • Tool (T1588.002)
        • Code Signing Certificates (T1588.003)
        • Digital Certificates (T1588.004)
        • Exploits (T1588.005)
        • Vulnerabilities (T1588.006)
        • Artificial Intelligence (T1588.007)
      • Stage Capabilities (T1608)
        • Upload Malware (T1608.001)
        • Upload Tool (T1608.002)
        • Install Digital Certificate (T1608.003)
        • Drive-by Target (T1608.004)
        • Link Target (T1608.005)
        • SEO Poisoning (T1608.006)
      • Acquire Access (T1650)
    • Reconnaissance (TA0043)
      • Gather Victim Identity Information (T1589)
        • Credentials (T1589.001)
        • Email Addresses (T1589.002)
        • Employee Names (T1589.003)
      • Gather Victim Network Information (T1590)
        • Domain Properties (T1590.001)
        • DNS (T1590.002)
        • Network Trust Dependencies (T1590.003)
        • Network Topology (T1590.004)
        • IP Addresses (T1590.005)
        • Network Security Appliances (T1590.006)
      • Gather Victim Org Information (T1591)
        • Determine Physical Locations (T1591.001)
        • Business Relationships (T1591.002)
        • Identify Business Tempo (T1591.003)
        • Identify Roles (T1591.004)
      • Gather Victim Host Information (T1592)
        • Hardware (T1592.001)
        • Software (T1592.002)
        • Firmware (T1592.003)
        • Client Configurations (T1592.004)
      • Search Open Websites/Domains (T1593)
        • Social Media (T1593.001)
        • Search Engines (T1593.002)
        • Code Repositories (T1593.003)
      • Search Victim-Owned Websites (T1594)
      • Active Scanning (T1595)
        • Scanning IP Blocks (T1595.001)
        • Vulnerability Scanning (T1595.002)
        • Wordlist Scanning (T1595.003)
      • Search Open Technical Databases (T1596)
        • DNS/Passive DNS (T1596.001)
        • WHOIS (T1596.002)
        • Digital Certificates (T1596.003)
        • CDNs (T1596.004)
        • Scan Databases (T1596.005)
      • Search Closed Sources (T1597)
        • Threat Intel Vendors (T1597.001)
        • Purchase Technical Data (T1597.002)
      • Phishing for Information (T1598)
        • Spearphishing Service (T1598.001)
        • Spearphishing Attachment (T1598.002)
        • Spearphishing Link (T1598.003)
        • Spearphishing Voice (T1598.004)
    • All Techniques
Powered by GitBook

© 2025 • Jibril • by Garnet Labs

On this page
  • Information
  • Introduction
  • Deep Dive Into Technique
  • When this Technique is Usually Used
  • How this Technique is Usually Detected
  • Why it is Important to Detect This Technique
  • Examples
  1. MITRE

Privilege Escalation (TA0004)

Privilege Escalation [TA0004]

Information

  • ID: TA0004

Introduction

Privilege Escalation, as defined by the MITRE ATT&CK framework, refers to techniques an attacker employs to gain higher-level permissions on a compromised system or network. Attackers initially gaining limited access privileges often seek to escalate their permissions to administrator or root-level accounts, enabling them to bypass access controls, execute unauthorized commands, access sensitive data, or establish persistence within the environment. Privilege escalation is a critical step in many cyber-attacks, significantly increasing the attacker’s control over targeted systems.

Deep Dive Into Technique

Privilege escalation techniques can be broadly categorized into two types:

  • Vertical Privilege Escalation: Elevating privileges from a lower-level account (e.g., standard user) to a higher-level account (e.g., administrator/root).

  • Horizontal Privilege Escalation: Gaining access to accounts or resources at the same privilege level, typically belonging to other users.

Attackers commonly leverage vulnerabilities and misconfigurations to escalate privileges, including:

  • Exploitation of Vulnerabilities:

    • Kernel exploits (e.g., Dirty COW, Kernel Exploits targeting Windows).

    • Vulnerable software applications (e.g., outdated versions of third-party software with known vulnerabilities).

    • Misconfigured services or daemons (e.g., services running with overly permissive privileges).

  • Credential Theft and Reuse:

    • Capturing credentials from memory using tools like Mimikatz.

    • Extracting credentials from configuration files, scripts, or repositories.

    • Credential reuse across multiple systems or services.

  • Misuse of Legitimate Features:

    • Abuse of sudo privileges in Unix/Linux systems.

    • Exploitation of scheduled tasks or cron jobs configured with higher privileges.

    • Manipulation of Windows services or DLL hijacking.

  • Abuse of Access Control Misconfigurations:

    • Incorrect file permissions allowing unauthorized access or modification.

    • Misconfigured Active Directory permissions, enabling attackers to escalate privileges within domain environments.

Real-world procedures typically involve reconnaissance to identify potential privilege escalation paths, exploitation of identified vulnerabilities or misconfigurations, and finally, persistence establishment once escalated privileges are obtained.

When this Technique is Usually Used

Privilege escalation commonly appears across multiple stages and scenarios of cyber-attacks, including:

  • Initial Compromise Stage: After gaining initial foothold through phishing, malware execution, or exploitation of publicly exposed services, attackers escalate privileges to gain deeper system control.

  • Internal Reconnaissance Stage: Attackers escalate privileges to access sensitive internal resources, perform lateral movement, or gather intelligence.

  • Persistence and Defense Evasion Stage: Elevated privileges allow attackers to establish persistence mechanisms (e.g., creating hidden administrative accounts, modifying system configurations to evade detection).

  • Exfiltration Stage: Higher privileges facilitate easy access to sensitive data, simplifying data exfiltration.

Typical attack scenarios include:

  • Targeted phishing attacks leading to user-level access, followed by privilege escalation to administrator.

  • Web application compromises exploiting vulnerabilities, followed by escalation to database administrative privileges.

  • Insider threats escalating privileges to access sensitive corporate information or systems.

How this Technique is Usually Detected

Detection of privilege escalation techniques involves a combination of monitoring strategies, tools, and indicators of compromise (IoCs):

  • Endpoint Detection and Response (EDR) Solutions:

    • Monitoring suspicious process executions, privilege escalations, and abnormal access patterns.

    • Detection of known privilege escalation exploits and tools (e.g., Mimikatz, Metasploit modules).

  • Security Information and Event Management (SIEM) Solutions:

    • Correlation of logs from operating systems, applications, and network devices to detect anomalous privilege changes.

    • Alerting on suspicious account creations, modifications, or privilege assignments.

  • File Integrity Monitoring (FIM):

    • Detecting unauthorized modifications to critical system files, configurations, and permissions.

  • Behavioral Analytics:

    • Identifying abnormal behaviors such as unusual login patterns, privilege escalation attempts, and atypical process executions.

  • Specific Indicators of Compromise (IoCs):

    • Unexpected creation of privileged accounts or groups.

    • Unusual scheduled tasks or cron jobs with elevated privileges.

    • Unexpected modifications to sudoers file or Windows registry keys related to privilege escalation.

    • Detection of privilege escalation tools (e.g., PowerSploit, Empire, LinPEAS, WinPEAS scripts).

    • Evidence of exploitation attempts in system logs, such as kernel panic logs, crash dumps, or error messages related to known exploits.

Why it is Important to Detect This Technique

Early detection of privilege escalation is crucial due to its significant impacts on systems and networks:

  • Increased Attack Surface: Elevated privileges enable attackers to access sensitive data, critical infrastructure, and additional systems within the network.

  • Persistence and Stealth: Attackers with escalated privileges can establish persistent footholds, making detection and remediation more challenging.

  • Data Exfiltration and Intellectual Property Theft: Privileged access allows attackers to easily extract sensitive information, intellectual property, or personally identifiable information (PII).

  • Operational Disruption: Attackers may leverage elevated privileges to disrupt critical services, modify configurations, or deploy ransomware.

  • Compliance and Regulatory Implications: Failure to detect and respond promptly to privilege escalation can lead to regulatory penalties, reputational damage, and loss of customer trust.

Detecting privilege escalation early enables rapid containment and remediation, minimizes damage, reduces operational disruption, and maintains organizational security posture.

Examples

Real-world examples showcasing privilege escalation include:

  • Dirty COW (CVE-2016-5195):

    • Attack Scenario: Linux kernel vulnerability allowed attackers to overwrite read-only memory mappings, escalating privileges from standard user to root.

    • Tools Used: Publicly available exploit code, Metasploit modules.

    • Impact: Full administrative control over vulnerable Linux systems, leading to potential data theft, persistence establishment, and lateral movement.

  • Windows Print Spooler Vulnerability (PrintNightmare, CVE-2021-34527):

    • Attack Scenario: Vulnerability in Windows Print Spooler service enabled authenticated users to execute arbitrary code with SYSTEM-level privileges.

    • Tools Used: Exploit scripts released publicly, Metasploit modules.

    • Impact: Complete system compromise, lateral movement within Active Directory environments, widespread ransomware deployments.

  • Mimikatz Credential Theft:

    • Attack Scenario: Attackers use Mimikatz to extract plaintext passwords, hashes, and Kerberos tickets from memory.

    • Tools Used: Mimikatz, PowerSploit, Empire Framework.

    • Impact: Attacker gains administrative credentials, enabling lateral movement, persistence, and data exfiltration.

  • Sudo Privilege Escalation (CVE-2021-3156, Baron Samedit):

    • Attack Scenario: Heap-based buffer overflow in sudo allowed attackers with standard privileges to escalate to root.

    • Tools Used: Publicly available exploit code, Metasploit modules.

    • Impact: Complete administrative control over Unix/Linux systems, potential for persistence, lateral movement, and sensitive data access.

  • DLL Hijacking in Windows:

    • Attack Scenario: Attackers exploit DLL search order vulnerabilities to load malicious DLLs with higher privileges.

    • Tools Used: Custom malicious DLLs, Metasploit, custom scripts.

    • Impact: Privilege escalation, persistence establishment, stealthy lateral movement, and data exfiltration.

These examples illustrate the diverse methods attackers use to escalate privileges, highlighting the critical need for effective detection, prevention, and response strategies.

Last updated 5 hours ago