Applied Cybernetics Group
T1068 — Exploitation for Privilege Escalation
- Technique: T1068
- Tactics: Privilege Escalation
- MISP citations: 0
- KEV CVEs mapped: 69
- Community rules: 28
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1068
MITRE description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
- 2025: CVE-2025-54309, CVE-2025-47812, CVE-2025-4632, CVE-2025-32709, CVE-2025-32706, CVE-2025-32701, CVE-2025-30400, CVE-2025-25257, CVE-2025-25181, CVE-2025-24993, CVE-2025-24085, CVE-2025-22225, CVE-2025-21590, CVE-2025-21418, CVE-2025-21391, CVE-2025-21335, CVE-2025-21334, CVE-2025-21333, CVE-2025-1976, CVE-2025-0994, CVE-2025-0111
- 2024: CVE-2024-55591, CVE-2024-54085, CVE-2024-53197, CVE-2024-53104, CVE-2024-49035, CVE-2024-4885, CVE-2024-4577, CVE-2024-41713, CVE-2024-41710, CVE-2024-38080, CVE-2024-37085, CVE-2024-30051, CVE-2024-29059, CVE-2024-12987, CVE-2024-12686
- 2023: CVE-2023-44221, CVE-2023-33538, CVE-2023-28252, CVE-2023-28229, CVE-2023-21674, CVE-2023-20273, CVE-2023-20118
- 2022: CVE-2022-47966, CVE-2022-41125, CVE-2022-41073, CVE-2022-41033, CVE-2022-37969, CVE-2022-26904, CVE-2022-24521, CVE-2022-22948, CVE-2022-22718, CVE-2022-22047, CVE-2022-21999, CVE-2022-21919, CVE-2022-20708
- 2021: CVE-2021-41379, CVE-2021-40449, CVE-2021-4034, CVE-2021-36934, CVE-2021-33739, CVE-2021-32030, CVE-2021-29256, CVE-2021-22900
- 2020: CVE-2020-1472, CVE-2020-0787, CVE-2020-0069
- 2019: CVE-2019-0211
- 2014: CVE-2014-0546
Detection coverage
SigmaHQ community rules
- Exploiting SetupComplete.cmd CVE-2019-1378 (emerging-threats)
- Exploiting CVE-2019-1388 (emerging-threats)
- Sudo Privilege Escalation CVE-2019-14287 - Builtin (emerging-threats)
- Sudo Privilege Escalation CVE-2019-14287 (emerging-threats)
- OMIGOD HTTP No Authentication RCE - CVE-2021-38647 (emerging-threats)
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event (emerging-threats)
- Potential CVE-2021-41379 Exploitation Attempt (emerging-threats)
- Potential SystemNightmare Exploitation Attempt (emerging-threats)
- Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800 (emerging-threats)
- Suspicious Sysmon as Execution Parent (emerging-threats)
- Potential CVE-2024-35250 Exploitation Activity (emerging-threats)
- Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation (emerging-threats)
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) (emerging-threats)
- Possible Coin Miner CPU Priority Param (core)
- Buffer Overflow Attempts (core)
- Linux Sudo Chroot Execution (core)
- OMIGOD SCX RunAsProvider ExecuteScript (core)
- OMIGOD SCX RunAsProvider ExecuteShellCommand (core)
- Audit CVE Event (core)
- Malicious Driver Load By Name (core)
- Malicious Driver Load (core)
- Vulnerable Driver Load By Name (core)
- Vulnerable Driver Load (core)
- Process Explorer Driver Creation By Non-Sysinternals Binary (core)
- Process Monitor Driver Creation By Non-Sysinternals Binary (core)
Showing 25 of 28 community rules — the full set is tagged attack.t1068 in SigmaHQ.
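The BYOVD paragraph in the MITRE description and the "Vulnerable Driver Load" / "Vulnerable Driver Load By Name" rules above both reduce to the same check: match kernel driver-load telemetry against a watchlist of known-vulnerable driver names and hashes. The script below is an added example written for this page, not the SigmaHQ rule logic and not code from the ATT&CK project. It assumes Sysmon Event ID 6 (DriverLoad) records with the `ImageLoaded`, `Hashes`, `Signed` and `Signature` fields; the watchlist entries, the user-writable-path heuristic and the sample records are constructed placeholders, and a real deployment would populate the watchlist from a maintained source such as loldrivers.io.

```python
"""Triage Sysmon driver-load events (Event ID 6) for Bring Your Own Vulnerable
Driver activity. Added example for this page; not SigmaHQ's rule logic and not
part of the original text. Watchlist entries and log records are constructed."""

from dataclasses import dataclass, field

# Placeholder watchlist (assumed for this example). Populate from a maintained
# list such as loldrivers.io in practice; these names and hashes are fake.
VULNERABLE_DRIVER_NAMES = {"example_vuln.sys", "oldmon.sys"}
VULNERABLE_DRIVER_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}

# Path fragments that legitimate kernel drivers are not normally loaded from.
# Heuristic assumed for this example, not a vendor-published indicator.
USER_WRITABLE_FRAGMENTS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")


@dataclass
class Finding:
    image: str
    signed: bool
    reasons: list[str] = field(default_factory=list)


def parse_hashes(hashes: str) -> dict[str, str]:
    """Sysmon writes Hashes as 'SHA256=...,MD5=...,IMPHASH=...'; split it out."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event: dict) -> Finding:
    """Return the reasons (possibly none) a driver-load event deserves review."""
    image = event.get("ImageLoaded", "")
    lowered = image.lower()
    name = lowered.rsplit("\\", 1)[-1]
    finding = Finding(image=image, signed=event.get("Signed", "").lower() == "true")

    if name in VULNERABLE_DRIVER_NAMES:
        finding.reasons.append("filename on vulnerable-driver watchlist")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        finding.reasons.append("SHA256 on vulnerable-driver watchlist")
    if any(fragment in lowered for fragment in USER_WRITABLE_FRAGMENTS):
        finding.reasons.append("loaded from a user-writable location")
    # A valid signature is not exculpatory: BYOVD depends on the driver being
    # legitimately signed, so the Signed flag is reported but never clears a hit.
    return finding


def scan(events: list[dict]) -> list[Finding]:
    """Keep only DriverLoad (Event ID 6) records that tripped at least one check."""
    return [f for f in (assess_driver_load(e) for e in events if e.get("EventID") == 6)
            if f.reasons]


# Constructed sample records modelled on Sysmon Event ID 6 fields.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\example_vuln.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true", "Signature": "Example Vendor"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\Temp\mon.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signed": "true", "Signature": "Example Vendor"},
    # Event ID 7 is a user-mode image load, not a driver load; it is ignored.
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\drivers\example_vuln.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true", "Signature": "Example Vendor"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.image} (signed={finding.signed}): {'; '.join(finding.reasons)}")
```

Name matching alone is weak because an attacker can rename the file; the hash check is what the "Vulnerable Driver Load" (hash-based) rule relies on, and the name check mirrors the "By Name" variant for environments where Sysmon is not configured to hash driver images. Treat the path heuristic as a triage aid, not a standalone alert.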