T1548Privilege Escalation

Abuse Elevation Control Mechanism

Bypass UAC, sudo, setuid, etc.

§ Where this technique fits

T1548 is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

Authoritative reference: attack.mitre.org/techniques/T1548/.

§ Dossiers chaining this technique

SCCM Network Access Account disclosure → privileged creds
Any authenticated user on a SCCM-managed endpoint can recover the Network Access Account credentials from WMI / client cache — and the NAA is usually over-privileged.
step 2 / 5

§ What commonly comes next

01
SCCM Network Access Account Disclosure
AD-SCCM-NAA · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SCCM Network Access Account disclosure → privileged creds

§ What commonly comes next