T1068: Exploitation for Privilege Escalation
T1068 — Exploitation for Privilege Escalation is a MITRE ATT&CK technique in the Privilege Escalation tactic. Clankerusecase tracks 73 detection use cases covering it and 27 threat-intel articles citing it.
Tactic: Privilege Escalation
Use cases: 73
Articles: 27
Sub-techniques: 0
Tactics: 1
Use cases covering this technique (73)
- [WEEKLY] Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min)
- [WEEKLY] Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain
- [WEEKLY] Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition
- [WEEKLY] Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m)
- [WEEKLY] Public-Facing App Runtime Spawns Shell, LOLBin, or Container-Control Tool
- [WEEKLY] Sub-admin grants Owner/Administrator role then grantee signs in from a different source within 60 minutes
- [WEEKLY] Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host
- Child Processes of Spoolsv exe
- Cisco Isovalent - Kprobe Spike
- Detect Baron Samedit CVE-2021-3156
- Detect Baron Samedit CVE-2021-3156 Segfault
- Detect Baron Samedit CVE-2021-3156 via OSQuery
- First Time Seen Child Process of Zoom
- Linux Auditd Copy Fail Privilege Escalation
- Linux Binary Launched Process with Null Argv
- Linux Malformed Auth Entry
- Linux PF_ALG Registration Outside of Boot Window
- Linux pkexec Privilege Escalation
- Linux Suspicious Namespace Creation
- Spoolsv Suspicious Process Access
- Windows Driver Inventory
- Windows Driver Load Non-Standard Path
- Windows Drivers Loaded by Signature
- Windows MSI Rollback Script Deleted By Non-Msiexec Process
- Windows Potato Privilege Escalation Tool Execution
- Windows Privilege Escalation Attempt Via MSI Rollback
- Windows Privilege Escalation Suspicious Process Elevation
- Windows Privilege Escalation System Process Without System Parent
- Windows Privilege Escalation User Process Spawn System Process
- Windows Remote Image Load
- Windows Service Create Kernel Mode Driver
- Windows System File on Disk
- Microsoft SharePoint Server Elevation of Privilege
- VMWare Aria Operations Exploit Attempt
- [LLM] eBPF program load or pinned object created from non-system parent on Arch host
- [LLM] Budibase CVE-2026-48150: POST /api/public/v1/roles/assign with global builder/admin grant in body
- [LLM] Budibase audit log: builder.global / admin.global granted to user by non-global caller
- [LLM] Budibase: rapid bulk POSTs to /api/public/v1/roles/assign from single source
- [LLM] Budibase: API key minted via /api/global/self/api_key then /api/public/v1/roles/assign within 5m
- [LLM] Atomic Arch rootkit — eBPF program load by AUR-build-chain descendant
- [LLM] CTFMON spawning elevated child or CTFMON-hosted privilege escalation (CVE-2026-45586 / GreenPlasma)
- [LLM] PoC artefact drop — Chaotic Eclipse named exploits (YellowKey, GreenPlasma, MiniPlasma, RoguePlanet, bitskrieg)
- [LLM] Defender Component (MsMpEng/NisSrv) Spawns Interactive Shell with SYSTEM Integrity
- [LLM] Unpatched Assets Vulnerable to Chaotic Eclipse Defender CVE Cluster
- [LLM] Hosts missing June 2026 Patch Tuesday critical RCE/EoP fixes
- [LLM] csrss.exe or dwm.exe spawning child process (Win32K-GRFX kernel exploit marker)
- [LLM] Hyper-V worker process (vmwp.exe / vmms.exe) spawning unexpected child (guest-to-host escape)
- [LLM] nebula-mesh CVE-2026-47724 — cross-operator admin API key mint via POST /api/v1/operators/{id}/api-keys
- [LLM] Unprivileged user namespace + nf_tables manipulation chain (CVE-2026-23111 exploitation)
- [LLM] nft (nftables) ruleset manipulation by non-root account on Linux endpoints
- [LLM] HTTP access to Shopper admin team-settings / Livewire endpoints (CVE-2026-47744)
- [LLM] Privileged or root pod created by Jupyter Enterprise Gateway ServiceAccount
- [LLM] Enterprise Gateway service account creates Jupyter kernel pod as root (CVE-2026-44180 outcome)
- [LLM] praisonai-platform: POST /workspaces/*/members with role=owner (CVE-2026-47413)
- [LLM] Container escape via cgroups release_agent write (CVE-2022-0492)
- [LLM] praisonai-platform CVE-2026-47416: PATCH /workspaces/{id}/members/{user_id} role-change request
- [LLM] PraisonAI Python subprocess spawns OS shell with discovery / credential-reading commands
- [LLM] Literal PraisonAI sandbox-escape signature: `print.__self__` + builtins dict access
- [LLM] Node.js process spawns shell or LOLBin — vm2 sandbox escape post-exploitation (CVE-2026-47210)
- [LLM] node.exe spawning child_process targets — vm2 Promise species sandbox escape post-exploitation
- [LLM] vm2 Promise species sandbox escape PoC fingerprint in scripts/command lines
- [LLM] Node.exe spawning OS shell after vm2 sandbox exploitation
- [LLM] Container privilege escalation via Looney Tunables, PwnKit, sudo chroot
- [LLM] Nezha CVE-2026-46716 exploit: POST /api/v1/cron with empty servers + CronCoverAll
- [LLM] MLflow server process spawning Claude Code CLI or shell — CVE-2026-2611 RCE chain
- [LLM] utcp-cli command injection via UTCP_ARG substitution in python→bash -c CMD_N_OUTPUT script
- [LLM] Portainer Swarm service spec with elevated Linux capabilities or unconfined Seccomp
- [LLM] Portainer plugin management API access (CVE-2026-44848)
- [LLM] Docker plugin runtime spawned from /var/lib/docker/plugins/ on host (CVE-2026-44848)
- [LLM] Docker daemon plugin install/enable event from non-admin context (CVE-2026-44848)
- [LLM] FlowiseAI POST /api/v1/node-custom-function with NodeVM Sandbox-Escape Payload (CVE-2026-46442)
- [LLM] CVE-2022-26923 exploitation via update6.exe binary execution
- [LLM] BYOVD: Genshin Impact mhyprot.sys driver dropped/loaded outside legitimate game install (Embargo evil-mhyprot-cli)

Articles citing this technique (27)
- [crit] 400+ AUR Packages Hijacked: What the “Atomic Arch” Campaign Means for Supply-Chain Security (art-14)