Elevated Execution with Prompt (T1548.004)
Elevated Execution with Prompt [T1548.004]
Last updated
Elevated Execution with Prompt [T1548.004]
Last updated
Name: Elevated Execution with Prompt
ID: T1548.004
Tactics: ,
Technique:
Elevated Execution with Prompt [T1548.004] is a sub-technique listed under MITRE ATT&CK's Privilege Escalation tactic. This sub-technique involves abusing mechanisms designed to prompt users for elevated privileges, such as User Account Control (UAC) prompts on Windows systems, to execute malicious payloads or commands. Attackers exploit these prompts to gain higher-level permissions, enabling them to perform actions that otherwise require administrator privileges, thereby escalating their privileges and increasing their control over the compromised system.
Elevated Execution with Prompt typically involves manipulating or exploiting the standard authorization mechanisms provided by operating systems, notably Windows User Account Control (UAC). UAC prompts users for confirmation or administrator credentials before allowing certain actions to proceed. Attackers abuse these mechanisms by:
Crafting malicious executables or scripts that trigger UAC prompts.
Exploiting trusted Windows binaries (also called "living off the land" binaries) that inherently request elevation.
Leveraging social engineering techniques to convince users to authorize the prompt.
Technical methods and mechanisms involved include:
UAC bypass methods: Attackers may exploit certain trusted system binaries or registry keys to bypass standard UAC prompts, tricking the operating system into executing commands with elevated privileges.
Spoofed or misleading prompts: Attackers may present misleading prompts to convince users that elevation requests are legitimate and necessary.
DLL hijacking or binary planting: Attackers may place malicious DLLs or executables in trusted directories, causing legitimate elevation prompts to execute attacker-controlled payloads.
Scheduled tasks and registry modifications: Attackers may manipulate scheduled tasks or registry keys that inherently require elevated privileges, triggering elevation prompts.
Real-world procedures include attackers using built-in Windows utilities like "fodhelper.exe," "eventvwr.exe," or "sdclt.exe" to trigger elevation prompts and execute malicious payloads with administrative privileges.
Attackers typically leverage Elevated Execution with Prompt during various stages of an attack, including:
Privilege Escalation: Immediately after initial access, attackers may use this technique to escalate privileges from a standard user account to administrator.
Persistence: Attackers may establish persistent elevated access by abusing elevation prompts to create scheduled tasks or registry modifications that ensure continued privileged access.
Defense Evasion: Attackers may leverage legitimate elevation prompts to mask their malicious activities, making it harder for defenders to attribute suspicious behavior to malicious intent.
Common scenarios and stages include:
Initial compromise via phishing or drive-by downloads, followed by UAC prompt exploitation to escalate privileges.
Internal lateral movement within enterprise networks, where attackers exploit trusted binaries to elevate privileges on compromised endpoints.
Social engineering attacks that deceive users into approving elevation prompts, facilitating malware installation or privileged command execution.
Detection of Elevated Execution with Prompt typically involves monitoring, auditing, and analyzing system behaviors, logs, and user interactions. Common detection methods include:
Windows Event Logs Analysis:
Monitoring Windows Security logs for unusual UAC prompt events, such as Event ID 4688 (Process Creation) or Event ID 4673 (Sensitive Privilege Use).
Identifying uncommon binaries or executables requesting elevation.
Behavioral Analytics:
Detecting unusual or unexpected elevation requests from standard user accounts or processes.
Identifying processes that trigger elevation prompts without user initiation.
Endpoint Detection and Response (EDR) Tools:
Monitoring process execution chains and parent-child relationships to identify abnormal elevation scenarios.
Alerting on known "living off the land" binaries commonly used for UAC bypass, such as "fodhelper.exe" or "eventvwr.exe."
Registry and Scheduled Task Monitoring:
Monitoring registry keys and scheduled tasks modifications that require elevated privileges.
Detecting unauthorized changes to registry keys commonly associated with UAC bypasses, such as "HKCU\Software\Classes\ms-settings\shell\open\command."
Indicators of Compromise (IoCs):
Unusual binaries or scripts placed in trusted system directories.
Presence of suspicious registry entries or scheduled tasks associated with known UAC bypass techniques.
Execution of known binaries commonly exploited for elevation (e.g., "fodhelper.exe," "sdclt.exe," "eventvwr.exe," "computerdefaults.exe").
Detecting Elevated Execution with Prompt is critical due to the severe impacts it can have on systems and networks:
Privilege Escalation: Successful exploitation grants attackers administrative privileges, allowing them to perform sensitive operations, such as credential dumping, lateral movement, and deployment of additional malware.
Persistence and Stealth: Attackers who establish elevated persistence can remain hidden within the environment for extended periods, complicating remediation efforts.
Data Exfiltration and Damage: Elevated privileges enable attackers to access, modify, exfiltrate, or destroy sensitive data, causing significant operational, financial, and reputational damage.
Reduced Attack Surface Visibility: Abuse of legitimate elevation prompts can mask malicious activities, making detection and attribution difficult without dedicated monitoring and analysis.
Early detection helps defenders:
Limit attackers' ability to escalate privileges and move laterally within the network.
Reduce the time attackers have to achieve their objectives, minimizing potential damage.
Enhance overall security posture by identifying and mitigating vulnerabilities or misconfigurations exploited by attackers.
Real-world examples of Elevated Execution with Prompt include:
Use of "fodhelper.exe" for UAC Bypass:
Attackers exploit "fodhelper.exe," a legitimate Windows binary that auto-elevates without displaying a UAC prompt under certain conditions.
Attackers modify registry keys (e.g., "HKCU\Software\Classes\ms-settings\shell\open\command") to execute malicious payloads with elevated privileges.
Impact: Attackers gain administrative privileges without user interaction, enabling further malicious actions.
Exploiting "eventvwr.exe":
Attackers abuse "eventvwr.exe," a legitimate Windows Event Viewer application, to trigger elevation prompts and execute malicious payloads.
Attackers place malicious DLLs or executables in directories searched by "eventvwr.exe," causing it to load attacker-controlled code.
Impact: Administrative privileges granted, enabling credential theft, lateral movement, or malware installation.
Social Engineering Attacks:
Attackers craft convincing phishing emails or pop-ups prompting users to authorize UAC elevation for seemingly legitimate software updates or installations.
Users unknowingly grant elevated privileges to malicious executables or scripts.
Impact: Attackers gain privileged access, potentially leading to data theft, ransomware deployment, or system compromise.
APT29 (Cozy Bear) Campaigns:
APT29 has been observed using UAC bypass techniques involving trusted Windows binaries to escalate privileges and maintain stealthy persistence within targeted networks.
Impact: Long-term espionage campaigns, data exfiltration, and persistent access to sensitive government and enterprise networks.
These examples highlight the importance of detecting and mitigating Elevated Execution with Prompt to prevent attackers from gaining unauthorized administrative access and causing significant damage.