T1548 — Abuse Elevation Control Mechanism

Technique

T1548

Tactics

Privilege Escalation

MISP citations

0

KEV CVEs mapped

4

Community rules

23

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1548

MITRE description

Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-2783
• CVE-2023-44221
• CVE-2022-23131
• CVE-2022-1388

Detection coverage

SigmaHQ community rules

• Potential Exploitation of CVE-2025-5054 or CVE-2025-4598 (emerging-threats)
• AWS STS AssumeRole Misuse (core)
• AWS STS GetSessionToken Misuse (core)
• AWS Suspicious SAML Activity (core)
• CA Policy Removed by Non Approved Actor (core)
• CA Policy Updated by Non Approved Actor (core)
• New CA Policy by Non-approved Actor (core)
• User Added To Group With CA Policy Modification Access (core)
• User Removed From Group With CA Policy Modification Access (core)
• GCP Break-glass Container Workload Deployed (core)
• Linux Capabilities Discovery (core)
• Linux Doas Conf File Creation (core)
• Linux Setgid Capability Set on a Binary via Setcap Utility (core)
• Linux Setuid Capability Set on a Binary via Setcap Utility (core)
• Linux Doas Tool Execution (core)
• Potential Privilege Escalation via Local Kerberos Relay over LDAP (core)
• SCM Database Privileged Operation (core)
• Vulnerable Netlogon Secure Channel Connection Allowed (core)
• Credential Dumping Attempt Via Svchost (core)
• Regedit as Trusted Installer (core)
• Abused Debug Privilege by Arbitrary Parent Processes (core)
• UAC Bypass via Windows Firewall Snap-In Hijack (core)
• COM Hijack via Sdclt (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.