# Privilege Escalation

```mermaid
graph TB
    A["⬆️ Privilege Escalation (TA0004)<br/>Obtain elevated permissions"] --> B["💣 Vulnerability Exploitation<br/>T1068 - Kernel/Services"]
    A --> C["🎛️ Elevation Mechanism<br/>T1548 - UAC Bypass/sudo"]
    A --> D["🔔 Event Triggered Execution<br/>T1546 - Event Triggered"]
    A --> E["🐳 Container Escape<br/>T1611 - Escape to Host"]
    B --> F["🏆 SYSTEM / root<br/>Full control of the system"]
    C --> F
    D --> F
    E --> F
```

> [!info] Overview
> The Privilege Escalation tactic covers the techniques an attacker uses to obtain higher permissions than those gained at initial access, typically administrator, SYSTEM or root. Without elevated privileges, the attacker is limited in the actions that can be carried out on the compromised system.
> **Techniques:** 27 technique notes in this category; kernel vulnerability exploitation and UAC bypass are the most common.
> **LATAM highlight:** Exploitation of local vulnerabilities (**T1068**) is critical in the Brazilian context, where many corporate and government systems run outdated Windows versions without security patches applied on a regular schedule.

> [!warning] Brazil/LATAM Context
> Brazil faces a critical patch-management challenge: many organizations still run Windows 7 and outdated Windows 10 builds, which turns privilege escalation through public kernel exploits (**T1068**) into a low-effort step. Ransomware operators such as **LockBit** and **Conti** have been documented using **T1548.002** (Bypass User Account Control) as a standard step after initial compromise in Windows environments. In the cloud environments adopted by Brazilian companies, abuse of temporary elevated access in AWS and Azure (**T1548.005**) is a growing threat exploited by advanced persistent threat groups.

> **27 techniques** · Obtain higher permissions on the system: vulnerability exploitation, tokens, process manipulation.
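As an added example (not code from the original page or from the techniques it indexes), the following PowerShell reads the UAC policy values and the update history that decide how easy the two paths flagged in the callout above are on a given Windows host: the auto-elevate family of **T1548.002** bypasses and kernel/service exploitation of an unpatched system (**T1068**). The function names, the 30-day staleness threshold and the verdict strings are assumptions of this example; it only reads configuration and never attempts an elevation.

```powershell
# Added example, not from the original page: read-only posture check for the
# two escalation paths highlighted in the callout (T1548.002 and T1068).
# Assumptions: function names, verdict strings and the 30-day threshold.

function Get-UacPosture {
    # Policy values documented by Microsoft under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    $enableLua = [int]$p.EnableLUA                   # 0 = UAC disabled entirely
    $adminMode = [int]$p.ConsentPromptBehaviorAdmin  # see comment below
    $secureDsk = [int]$p.PromptOnSecureDesktop       # 1 = prompt on secure desktop

    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 1/3 = prompt for
    # credentials, 2/4 = prompt for consent, 5 = prompt only for non-Windows
    # binaries (the default). The well-known T1548.002 bypasses abuse
    # Microsoft-signed binaries that auto-elevate at level 5; level 0 needs
    # no bypass at all; level 2 ("Always notify") prompts for everything and
    # defeats that whole family.
    if ($enableLua -eq 0)     { $verdict = 'UAC disabled: admin processes already run high integrity' }
    elseif ($adminMode -eq 0) { $verdict = 'Silent elevation: no bypass required' }
    elseif ($adminMode -eq 5) { $verdict = 'Default level: auto-elevate bypasses apply' }
    elseif ($adminMode -eq 2) { $verdict = 'Always notify: auto-elevate bypasses blocked' }
    else                      { $verdict = "Non-default level $adminMode: review against policy" }

    # Split-token check: a UAC bypass only matters for a user who is in the
    # local Administrators group but is currently running with the filtered,
    # medium-integrity token. IsInRole() is false for the filtered token, while
    # whoami still lists S-1-5-32-544 (marked "used for deny only").
    $identity     = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal    = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $inAdminGroup = [bool]((whoami /groups) -match 'S-1-5-32-544')

    [pscustomobject]@{
        User                       = $identity.Name
        InAdminGroup               = $inAdminGroup
        IsElevated                 = $isElevated
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminMode
        PromptOnSecureDesktop      = $secureDsk
        Verdict                    = $verdict
    }
}

function Get-PatchAge {
    param([int]$StaleAfterDays = 30)   # assumption: threshold used by this example

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Get-HotFix only sees updates recorded in Win32_QuickFixEngineering, so
    # treat the result as an indicator of patch cadence, not proof of level.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object { [datetime]$_.InstalledOn } -Descending |
        Select-Object -First 1

    $days = if ($latest) { ((Get-Date) - [datetime]$latest.InstalledOn).Days } else { $null }

    [pscustomobject]@{
        OS             = $os.Caption
        Version        = $os.Version
        Windows7Family = ($os.Version -like '6.1.*')   # Windows 7 / Server 2008 R2
        LatestHotFix   = if ($latest) { $latest.HotFixID } else { $null }
        DaysSincePatch = $days
        Stale          = ($null -eq $days -or $days -gt $StaleAfterDays)
    }
}

# Usage: run from the user's normal (non-elevated) session.
Get-UacPosture | Format-List
Get-PatchAge   | Format-List
```

If the output shows `InAdminGroup` true, `IsElevated` false and a verdict of "auto-elevate bypasses apply", the host meets the conditions under which the T1548.002 step the callout describes works without any exploit; a `Stale` patch age or `Windows7Family` true on the same host is the T1068 exposure the page warns about. Raising `ConsentPromptBehaviorAdmin` to 2 with `PromptOnSecureDesktop` set to 1, and removing day-to-day users from the local Administrators group, closes the first path; only patching closes the second.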
%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Name"
FROM "ttp/techniques/privilege-escalation"
WHERE type = "technique"
SORT title ASC
```
%%

<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Note", title AS "Name" FROM "ttp/techniques/privilege-escalation" WHERE type = "technique" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Note", title AS "Name" FROM "ttp/techniques/privilege-escalation" WHERE type = "technique" SORT title ASC -->

| Note | Name |
| ---- | ---- |
| [[t1068-exploitation-for-privilege-escalation\|T1068 - Exploitation for Privilege Escalation]] | T1068 - Exploitation for Privilege Escalation |
| [[t1068-exploitation-privilege-escalation\|T1068 - Exploitation for Privilege Escalation]] | T1068 - Exploitation for Privilege Escalation |
| [[t1546-event-triggered-execution\|T1546 - Event Triggered Execution]] | T1546 - Event Triggered Execution |
| [[t1546-001-change-default-file-association\|T1546.001 - Change Default File Association]] | T1546.001 - Change Default File Association |
| [[t1546-002-screensaver\|T1546.002 - Screensaver]] | T1546.002 - Screensaver |
| [[ttp/techniques/privilege-escalation/t1546-003-windows-management-instrumentation-event-subscription.md\|T1546.003 - Windows Management Instrumentation Event Subscription]] | T1546.003 - Windows Management Instrumentation Event Subscription |
| [[t1546-004-unix-shell-configuration-modification\|T1546.004 - Unix Shell Configuration Modification]] | T1546.004 - Unix Shell Configuration Modification |
| [[t1546-005-trap\|T1546.005 - Trap]] | T1546.005 - Trap |
| [[t1546-006-lcloaddylib-addition\|T1546.006 - LC_LOAD_DYLIB Addition]] | T1546.006 - LC_LOAD_DYLIB Addition |
| [[t1546-007-netsh-helper-dll\|T1546.007 - Netsh Helper DLL]] | T1546.007 - Netsh Helper DLL |
| [[t1546-008-accessibility-features\|T1546.008 - Accessibility Features]] | T1546.008 - Accessibility Features |
| [[t1546-009-appcert-dlls\|T1546.009 - AppCert DLLs]] | T1546.009 - AppCert DLLs |
| [[t1546-010-appinit-dlls\|T1546.010 - AppInit DLLs]] | T1546.010 - AppInit DLLs |
| [[t1546-011-application-shimming\|T1546.011 - Application Shimming]] | T1546.011 - Application Shimming |
| [[t1546-012-image-file-execution-options-injection\|T1546.012 - Image File Execution Options Injection]] | T1546.012 - Image File Execution Options Injection |
| [[t1546-013-powershell-profile\|T1546.013 - PowerShell Profile]] | T1546.013 - PowerShell Profile |
| [[ttp/techniques/privilege-escalation/t1546-014-emond.md\|T1546.014 - Emond]] | T1546.014 - Emond |
| [[ttp/techniques/privilege-escalation/t1546-015-component-object-model-hijacking.md\|T1546.015 - Component Object Model Hijacking]] | T1546.015 - Component Object Model Hijacking |
| [[t1546-016-installer-packages\|T1546.016 - Installer Packages]] | T1546.016 - Installer Packages |
| [[t1548-abuse-elevation-control-mechanism\|T1548 - Abuse Elevation Control Mechanism]] | T1548 - Abuse Elevation Control Mechanism |
| [[t1548-001-setuid-and-setgid\|T1548.001 - Setuid and Setgid]] | T1548.001 - Setuid and Setgid |
| [[t1548-002-bypass-uac\|T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control]] | T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control |
| [[t1548-002-bypass-user-account-control\|T1548.002 - Bypass User Account Control]] | T1548.002 - Bypass User Account Control |
| [[t1548-003-sudo-and-sudo-caching\|T1548.003 - Sudo and Sudo Caching]] | T1548.003 - Sudo and Sudo Caching |
| [[t1548-004-elevated-execution-with-prompt\|T1548.004 - Elevated Execution with Prompt]] | T1548.004 - Elevated Execution with Prompt |
| [[t1548-005-temporary-elevated-cloud-access\|T1548.005 - Temporary Elevated Cloud Access]] | T1548.005 - Temporary Elevated Cloud Access |
| [[t1611-escape-to-host\|T1611 - Escape to Host]] | T1611 - Escape to Host |
<!-- SerializedQuery END -->

---

**Navigation:** [[_techniques|Techniques]] · [[_tactics|Tactics]] · [[_procedures|Procedures]]