MITRE ATT&CK Technique
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).
Supported Platforms
Containers, Linux, macOS, Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:55.066Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may exploit software vulnerabilities in an '
'attempt to elevate privileges. Exploitation of a software '
'vulnerability occurs when an adversary takes advantage of a '
'programming error in a program, service, or within the '
'operating system software or kernel itself to execute '
'adversary-controlled code. Security constructs such as '
'permission levels will often hinder access to information and '
'use of certain techniques, so adversaries will likely need to '
'perform privilege escalation to include use of software '
'exploitation to circumvent those restrictions.\n'
'\n'
'When initially gaining access to a system, an adversary may '
'be operating within a lower privileged process which will '
'prevent them from accessing certain resources on the system. '
'Vulnerabilities may exist, usually in operating system '
'components and software commonly running at higher '
'permissions, that can be exploited to gain higher levels of '
'access on the system. This could enable someone to move from '
'unprivileged or user level permissions to SYSTEM or root '
'permissions depending on the component that is vulnerable. '
'This could also enable an adversary to move from a '
'virtualized environment, such as within a virtual machine or '
'container, onto the underlying host. This may be a necessary '
'step for an adversary compromising an endpoint system that '
'has been properly configured and limits other privilege '
'escalation methods.\n'
'\n'
'Adversaries may bring a signed vulnerable driver onto a '
'compromised machine so that they can exploit the '
'vulnerability to execute code in kernel mode. This process is '
'sometimes referred to as Bring Your Own Vulnerable Driver '
'(BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: '
'Unit42 AcidBox June 2020) Adversaries may include the '
'vulnerable driver with files delivered during Initial Access '
'or download it to a compromised system via [Ingress Tool '
'Transfer](https://attack.mitre.org/techniques/T1105) or '
'[Lateral Tool '
'Transfer](https://attack.mitre.org/techniques/T1570).',
'external_references': [{'external_id': 'T1068',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1068'},
{'description': 'Hromcova, Z. and Cherpanov, A. '
'(2020, June). INVISIMOLE: THE HIDDEN '
'PART OF THE STORY. Retrieved July '
'16, 2020.',
'source_name': 'ESET InvisiMole June 2020',
'url': 'https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf'},
{'description': 'Microsoft. (2020, October 15). '
'Microsoft recommended driver block '
'rules. Retrieved March 16, 2021.',
'source_name': 'Microsoft Driver Block Rules',
'url': 'https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules'},
{'description': 'Reichel, D. and Idrizovic, E. (2020, '
'June 17). AcidBox: Rare Malware '
'Repurposing Turla Group Exploit '
'Targeted Russian Organizations. '
'Retrieved March 16, 2021.',
'source_name': 'Unit42 AcidBox June 2020',
'url': 'https://unit42.paloaltonetworks.com/acidbox-rare-malware/'}],
'id': 'attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:14.643Z',
'name': 'Exploitation for Privilege Escalation',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics',
'Yaniv Agman, @AgmanYaniv, Team Nautilus Aqua '
'Security',
'Idan Revivo, @idanr86, Team Nautilus Aqua Security',
'David Tayouri'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Containers', 'Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.6'}