TH16119

Detected presence of software components that can elevate the running application privileges.

priority      CI/CD status   severity   effort   RL level   RL assessment
              pass           high       high     None       None

About the issue

Operating systems execute application code at multiple privilege levels. Separation of privileges is designed to protect the stability and integrity of the operating system by shielding it from issues that affect the user-mode applications it runs. However, some user-mode applications need to interact with higher-privilege parts of the operating system to accomplish a specific task. For this purpose, operating systems provide facilities that user-mode applications can use to temporarily elevate their running privileges. Malicious code often requires elevated privileges to bypass security solutions or to achieve persistence. While the presence of code that elevates its running privilege does not by itself imply malicious intent, every such use in a software package should be documented and approved. Only select applications should consider using functions that can elevate application privilege. One example of acceptable use is allowing the application to collect its own debugging and error-handling information.

How to resolve the issue

  • Investigate reported detections as indicators of software tampering.
  • Consult the MITRE ATT&CK documentation: T1134 - Access Token Manipulation.
  • Consider rewriting the flagged code without using the marked behaviors.
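As an added illustration of the "documented and approved" rule above (this is not the ReversingLabs detector or its ruleset), the following Python sketch flags privilege-related Win32 API names in a package's modules and fails the CI gate for any use that is not covered by an approval manifest. The API list is an assumption drawn from the token-manipulation functions T1134 describes; the module contents and the manifest are constructed sample data.

```python
import re

# Win32 APIs associated with token and privilege manipulation (MITRE ATT&CK T1134).
# Assumption: an illustrative subset, not the vendor's actual detection ruleset.
PRIVILEGE_APIS = {
    "AdjustTokenPrivileges",
    "LookupPrivilegeValueW",
    "LookupPrivilegeValueA",
    "OpenProcessToken",
    "DuplicateTokenEx",
    "ImpersonateLoggedOnUser",
    "SetThreadToken",
    "CreateProcessWithTokenW",
    "CreateProcessAsUserW",
}

# Constructed sample: NUL-separated import-name strings as they would appear in
# a module's import table, for two modules of one package.
SAMPLE_PACKAGE = {
    "crashdump.exe": (b"\x00KERNEL32.dll\x00OpenProcessToken\x00LookupPrivilegeValueW"
                      b"\x00AdjustTokenPrivileges\x00MiniDumpWriteDump\x00"),
    "updater.exe": (b"\x00ADVAPI32.dll\x00DuplicateTokenEx\x00CreateProcessWithTokenW"
                    b"\x00CreateFileW\x00"),
}

# Constructed approval manifest: the documented, approved uses per module.
APPROVED_USES = {
    "crashdump.exe": {
        "apis": ["OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"],
        "reason": "enables SeDebugPrivilege only while writing a crash dump",
    }
}


def find_privilege_apis(blob: bytes) -> set:
    """Return the privilege-related API names present as ASCII strings in blob."""
    names = {m.group().decode() for m in re.finditer(rb"[A-Za-z0-9_]{6,}", blob)}
    return names & PRIVILEGE_APIS


def audit_package(package: dict, approved: dict) -> dict:
    """Map each module to the privilege-elevating APIs it uses without approval."""
    findings = {}
    for module, blob in package.items():
        documented = set(approved.get(module, {}).get("apis", []))
        undocumented = find_privilege_apis(blob) - documented
        if undocumented:
            findings[module] = sorted(undocumented)
    return findings


def ci_status(findings: dict) -> str:
    """CI/CD verdict: any undocumented use of a privilege API fails the build."""
    return "pass" if not findings else "fail"
```

Running the audit on the sample data reports updater.exe, whose token APIs have no manifest entry, while crashdump.exe passes because its three calls are documented.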