Exploitation for Privilege Escalation, Technique T1068 - Enterprise
APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263, and CVE-2022-38028 to escalate privileges.[3][4][5][6]
APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host.[7]
APT32 has used CVE-2016-7255 to escalate privileges.[8]
APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system.[9]
BITTER has exploited CVE-2021-1732 for privilege escalation.[10][11]
BlackByte has exploited CVE-2024-37085 in VMware ESXi software for authentication bypass and subsequent privilege escalation.[12]
BlackByte 2.0 Ransomware exploits a vulnerability in the RTCore64.sys driver (CVE-2019-16098) to enable privilege escalation and defense evasion when run as a service.[13]
Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.[14][15]
Cobalt Group has used exploits to increase their levels of rights and privileges.[16]
Cobalt Strike can exploit vulnerabilities such as MS14-058.[17][18]
CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398.[19]
Embargo has leveraged MS4Killer to deliver a vulnerable driver to the victim device, a technique sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).[20] Embargo has utilized the vulnerable driver probmon.sys version 3.0.0.4, which had a revoked certificate from "ITM System Co.,LTD."[20]
Empire can exploit vulnerabilities such as MS16-032 and MS16-135.[21]
FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.[22]
FIN8 has exploited the CVE-2016-0167 local vulnerability.[23][24]
HAFNIUM has targeted unpatched applications to elevate access in targeted organizations.[25]
Hildegard has used the BOtB tool which exploits CVE-2019-5736.[26]
InvisiMole has exploited the CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges.[1]
JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges.[27][28]
LAPSUS$ has exploited unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence for privilege escalation.[29]
Leviathan exploited software vulnerabilities in victim environments to escalate privileges during Leviathan Australian Intrusions.[30]
MoustachedBouncer has exploited CVE-2021-1732 to execute malware components with elevated rights.[31]
OilRig has exploited the Windows Kernel Elevation of Privilege vulnerability, CVE-2024-30088.[32]
Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver.[33]
PLATINUM has leveraged a zero-day vulnerability to escalate privileges.[34]
PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.[35]
ProLock can use CVE-2019-0859 to escalate privileges on a compromised host.[36]
Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges.[37]
Scattered Spider has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).[38]
During ShadowRay, threat actors downloaded a privilege escalation payload to gain root access.[39]
Siloscape has leveraged a vulnerability in Windows containers to perform an Escape to Host.[40]
Stuxnet used MS10-073 and an undisclosed Task Scheduler vulnerability to escalate privileges on local Windows machines.[41]
Threat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges.[42][43]
Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges.[44]
Turla has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges.[2]
UNC3886 has exploited the zero-day vulnerability CVE-2023-20867 to enable execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs.[45]
Volt Typhoon has gained initial access by exploiting privilege escalation vulnerabilities in the operating system or network services.[46]
Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.[47]
Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges.[48]
XCSSET has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP.[49]
ZeroCleare has used a vulnerable signed VBoxDrv driver to bypass Microsoft Driver Signature Enforcement (DSE) protections and subsequently load the unsigned RawDisk driver.[50]
ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation.[51]
Zox has the ability to leverage local and remote exploits to escalate privileges.[52]