attack.t1548

Linux Capabilities Discovery

Dec 8, 2025 · attack.discovery attack.defense-evasion attack.privilege-escalation attack.t1083 attack.t1548 ·

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Abused Debug Privilege by Arbitrary Parent Processes

Nov 24, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1548 ·

Share on:

Detection of unusual child processes by different system processes

Vulnerable Netlogon Secure Channel Connection Allowed

Nov 24, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1548 ·

Share on:

Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.

AWS STS AssumeRole Misuse

Oct 23, 2025 · attack.lateral-movement attack.privilege-escalation attack.defense-evasion attack.t1548 attack.t1550 attack.t1550.001 ·

Share on:

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

AWS STS GetSessionToken Misuse

Oct 23, 2025 · attack.lateral-movement attack.privilege-escalation attack.defense-evasion attack.t1548 attack.t1550 attack.t1550.001 ·

Share on:

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

AWS Suspicious SAML Activity

Oct 23, 2025 · attack.defense-evasion attack.initial-access attack.lateral-movement attack.persistence attack.privilege-escalation attack.t1078 attack.t1548 attack.t1550 attack.t1550.001 ·

Share on:

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

CA Policy Removed by Non Approved Actor

Oct 23, 2025 · attack.privilege-escalation attack.credential-access attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

CA Policy Updated by Non Approved Actor

Oct 23, 2025 · attack.privilege-escalation attack.credential-access attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

COM Hijack via Sdclt

Oct 23, 2025 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1546 attack.t1548 ·

Share on:

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

Credential Dumping Attempt Via Svchost

Oct 23, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1548 ·

Share on:

Detects when a process tries to access the memory of svchost to potentially dump credentials.

GCP Break-glass Container Workload Deployed

Oct 23, 2025 · attack.privilege-escalation attack.defense-evasion attack.t1548 ·

Share on:

Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.

Linux Doas Conf File Creation

Oct 23, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1548 ·

Share on:

Detects the creation of doas.conf file in linux host platform.

Linux Doas Tool Execution

Oct 23, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1548 ·

Share on:

Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.

New CA Policy by Non-approved Actor

Oct 23, 2025 · attack.privilege-escalation attack.defense-evasion attack.t1548 ·

Share on:

Monitor and alert on conditional access changes.

Potential Privilege Escalation via Local Kerberos Relay over LDAP

Oct 23, 2025 · attack.defense-evasion attack.privilege-escalation attack.credential-access attack.t1548 ·

Share on:

Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.