Home  >  APT29  >  Results  >  Elastic  >  Privilege Escalation

Tactic Results: Privilege Escalation (TA0004) Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Technique
Procedures Criteria Step
Detection Type Detection Notes
Bypass User Account Control
(T1088)
Executed elevated PowerShell payload
High integrity powershell.exe spawning from control.exe​​ (spawned from sdclt.exe)
3.B.2
Telemetry (Correlated)
Telemetry showed control.exe creating a high integrity powershell.exe. The event was correlated to a parent General detection for malicious file execution. [1] [2]
Executed elevated PowerShell payload
High integrity powrshell.exe spawning from control.exe​​ (spawned from sdclt.exe)
14.A.2
Telemetry (Correlated)
Telemetry showed a new High Integrity PowerShell callback spawned from control.exe (spawned from sdclt.exe). The event was correlated to a parent General detection for a suspicious Windows script. [1]