ATTACK-T1548.004Active

Elevated Execution with Prompt

Statement

Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.

Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.

Adversaries may abuse <code>AuthorizationExecuteWithPrivileges</code> to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with Masquerading to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)

Location

Tactic: Privilege Escalation

Technique Details

Identifier: ATTACK-T1548.004
Parent Technique: ATTACK-T1548
ATT&CK Page: View on MITRE

Tactics

Privilege EscalationDefense Evasion

Platforms

macOS

Detection

macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection

Mitigations

Execution Prevention: Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:

Application Control:

Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml")

Script Blocking:

Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., Set-ExecutionPolicy AllSigned)

Executable Blocking:

Use Case: Prevent execution of binaries from suspicious locations, such as %TEMP% or %APPDATA% directories.
Implementation: Block execution of .exe, .bat, or .ps1 files from user-writable directories.

Dynamic Analysis Prevention:

Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

EquivalentPartialRelated

SP 800-53

SP800-53-CM-2relatedvia ctid-attack-to-sp800-53

SP800-53-CM-6relatedvia ctid-attack-to-sp800-53

SP800-53-CM-7relatedvia ctid-attack-to-sp800-53

SP800-53-CM-8relatedvia ctid-attack-to-sp800-53

SP800-53-SC-18relatedvia ctid-attack-to-sp800-53

View in graph Report an issue

← Back to Privilege Escalation

Statement

Application Control:

Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml")

Script Blocking:

Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., Set-ExecutionPolicy AllSigned)

Executable Blocking:

Use Case: Prevent execution of binaries from suspicious locations, such as %TEMP% or %APPDATA% directories.
Implementation: Block execution of .exe, .bat, or .ps1 files from user-writable directories.

Dynamic Analysis Prevention:

Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

Elevated Execution with Prompt

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings11

Elevated Execution with Prompt

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings11