CAPEC-69: Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.
Overview
CAPEC-69 (Target Programs with Elevated Privileges) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1: Explore
  [Find programs with elevated privileges] The adversary probes for programs running with elevated privileges.
  - Look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break.
- Step 2: Explore
  [Find vulnerability in running program] The adversary looks for a vulnerability in the running program that would allow for arbitrary code execution with the privilege of the running program.
  - Look for improper input validation.
  - Look for improper failure safety. For instance, when a program fails, it may authorize restricted access to anyone.
  - Look for a buffer overflow which may be exploited if an adversary can inject unvalidated data.
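
The "improper failure safety" item above, seen from the defender's side, as an added example that is not part of the CAPEC entry: a privileged helper whose authorization check fails open, beside the fail-closed form, with over-long input rejected before it is copied. The policy table, the function names and the 32-byte name limit are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_MAX 32 /* assumed name limit for this example */

typedef enum { POLICY_ALLOW, POLICY_DENY, POLICY_ERROR } policy_result;
typedef struct { const char *user; bool admin; } policy_entry;

/* Constructed sample policy; a NULL table models an unreadable policy store. */
static const policy_entry SAMPLE_POLICY[] = { {"alice", true}, {"bob", false} };

/* Validate, then copy: empty or over-long names are rejected, never truncated. */
static bool copy_user(char dst[USER_MAX], const char *src) {
    size_t len = 0;
    if (src == NULL) return false;
    while (len < USER_MAX && src[len] != '\0') len++;
    if (len == 0 || len == USER_MAX) return false;
    memcpy(dst, src, len + 1); /* len + 1 <= USER_MAX, so the copy stays in bounds */
    return true;
}

static policy_result lookup_policy(const policy_entry *t, size_t n, const char *raw) {
    char user[USER_MAX];
    if (t == NULL || !copy_user(user, raw)) return POLICY_ERROR;
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].user, user) == 0)
            return t[i].admin ? POLICY_ALLOW : POLICY_DENY;
    return POLICY_DENY; /* unknown users get no privilege */
}

/* Weak form: only an explicit DENY blocks, so any lookup error grants access. */
bool allowed_fail_open(const policy_entry *t, size_t n, const char *raw) {
    return lookup_policy(t, n, raw) != POLICY_DENY;
}

/* Hardened form: only an explicit ALLOW grants; errors and unknowns are denied. */
bool allowed_fail_closed(const policy_entry *t, size_t n, const char *raw) {
    return lookup_policy(t, n, raw) == POLICY_ALLOW;
}

int main(void) {
    printf("policy store unreadable, user bob: fail-open=%d fail-closed=%d\n",
           allowed_fail_open(NULL, 0, "bob"), allowed_fail_closed(NULL, 0, "bob"));
    return 0;
}
```

In review, the pattern to flag is any privilege decision written as "not denied" instead of "explicitly allowed", since every error path then inherits the privileged outcome.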