TID-219: OS/Kernel Privilege Escalation
Threat Description
Operating systems and kernels typically run at the highest privilege level. If a process with lower privileges can exploit a vulnerability in the OS or kernel (for example, one enabled by TID-206), it may be able to raise its own privileges. A threat actor exploiting such a vulnerability could elevate a malicious process, granting themselves greater access to the device.
Threat Maturity and Evidence
Observed Adversary Behavior
ATT&CK Technique: Exploitation for Privilege Escalation (T0890)
Procedure Example: Triton (S1009)
“Triton leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.0-10.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges.”
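As an added illustration of the mitigation side of this threat, covering both the general description above and the Triton procedure (this is example code written for this entry, not code from the page, from Tricon firmware, or from any vendor), the following C snippet models a kernel system call that writes caller-supplied bytes to a caller-supplied address. Only the hardened form is shown: the destination and length are validated against the user address range with an overflow-safe bound check before the kernel touches memory, so a request aimed at supervisor state is refused with EFAULT and the privilege flag is never modified. The flat memory layout, the address constants, the supervisor-flag location and the sample bytes are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed flat address space: a user window followed by
 * supervisor-only state. Real kernels use page tables and per-CPU
 * state; the principle (validate before dereferencing) is the same. */
#define MEM_SIZE              0x1000u
#define USER_BASE             0x0100u   /* first user address */
#define USER_LIMIT            0x0800u   /* first address that is NOT user memory */
#define SUPERVISOR_FLAG_ADDR  0x0F00u   /* hypothetical privilege flag */

static uint8_t memory[MEM_SIZE];

enum { OK = 0, EFAULT = -14 };

/* Constructed two-byte payload a caller might pass to the syscall. */
static const uint8_t SAMPLE[2] = { 0x01, 0x01 };

/* Returns 1 if [addr, addr+len) lies entirely inside user memory.
 * The range check is written so that a huge len cannot wrap around
 * and pass as "small"; this is the check an insecurely-written
 * system call omits. */
int access_ok(uint32_t addr, uint32_t len)
{
    if (len == 0) return 1;
    if (addr < USER_BASE || addr >= USER_LIMIT) return 0;
    if (len > USER_LIMIT - addr) return 0;   /* overflow-safe upper bound */
    return 1;
}

/* Hardened system call: write `len` bytes of `src` to user address
 * `dst`. Any destination outside user memory is rejected before the
 * kernel performs the write. */
int sys_write_user(uint32_t dst, const uint8_t *src, uint32_t len)
{
    if (!access_ok(dst, len)) return EFAULT;
    memcpy(&memory[dst], src, len);
    return OK;
}

/* Read one byte of the simulated memory (used to verify results). */
uint8_t peek(uint32_t addr)
{
    return memory[addr];
}

/* The supervisor flag: 0 means the caller stays unprivileged. */
uint8_t supervisor_flag(void)
{
    return memory[SUPERVISOR_FLAG_ADDR];
}

int main(void)
{
    int r1 = sys_write_user(0x0200u, SAMPLE, 2);              /* valid user write */
    int r2 = sys_write_user(SUPERVISOR_FLAG_ADDR, SAMPLE, 2); /* aimed at kernel state */
    int r3 = sys_write_user(0x0700u, SAMPLE, 0xFFFFFFFFu);    /* wrap-around attempt */
    printf("user write: %d, supervisor write: %d, huge len: %d, flag=%u\n",
           r1, r2, r3, supervisor_flag());
    return 0;
}
```

The `access_ok` shape mirrors what production kernels do before copying to or from user memory; the important properties are that the bound check cannot overflow and that it runs before any write, so the syscall cannot be turned into the arbitrary write primitive described in the Triton procedure.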
CWE
CWE-250: Execution with Unnecessary Privileges
“The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.”