Privilege Escalation
Techniques
| ID | Name | Description |
|---|---|---|
| EST000062 | Privilege Escalation via Direct Connect System | A Cyber Embedded Technique in which an adversary uses a Direct Connect System (DCS), or a spoofed DCS, to gain privileged access to a Line Replaceable Unit (LRU) by mimicking normal maintenance operations. Some LRUs add a further guard: protected portions of memory can only be reflashed from a DCS in 'OEM' mode, so the adversary must also reproduce the DCS configuration that puts it in that mode. |
| EST000063 | Hidden Menu | A Cyber Embedded Technique in which an adversary uses hidden menus that are built into the LRU but require prior knowledge of their existence, to gain privileged access to LRU submenus and settings. Submenus can include diagnostic and maintenance pages that provide complete control over the targeted LRU by allowing read and write access to system memory while the device is running. This may be exploited further by dumping system memory to reverse engineer the device's functionality and look for additional vulnerabilities that can be exploited remotely at a later time. |
| EST000064 | Reserve Software Options | A Cyber Embedded Technique in which an adversary enables software options that did not ship active on the LRU but are built into the software package for maintainers and OEM maintenance, in order to gain privileged access to the LRU. Software options are generally configured from hidden menus or general maintenance pages. They are unlocked by specific bit sequences that are usually proprietary, but once recovered they can provide a large amount of additional functionality and/or access to the targeted LRU, potentially including persistent remote access over RF channels. |
| EST000065 | Configuration Settings | A Cyber Embedded Technique in which an adversary changes the startup configuration that governs how the LRU boots in order to gain privileged access to the LRU. |
| EST000066 | Differential Software Loading | A Cyber Embedded Technique in which an adversary exploits the differential software loading capability of a Line Replaceable Unit (LRU) or other embedded system to inject malicious code. Differential software loading updates only the differences between the old and new software versions rather than replacing the entire image. The adversary crafts a malicious delta update that overwrites specific, vulnerable sections of code, often targeting inactive or rarely used functions so that core system functionality is not disrupted. Because a delta is applied on top of whatever is already resident, a loader that does not verify the complete resulting image against a signed reference cannot tell that the combined result was never approved. This can enable the adversary to gain privileged access (Ring 0) and execute arbitrary code. For example, the adversary might overwrite system memory such as the serial bus memory buffer, potentially allowing them to intercept or manipulate communication on the bus. |
| EST000067 | Side Channel Attack | A Cyber Embedded Technique in which an adversary exploits unintended information leakage from a system during its normal operation. The leakage is observed through side channels such as timing variations, power consumption, electromagnetic emissions, or memory access patterns, which give indirect insight into the system's internal state or the data it is processing. The adversary uses these channels passively, observing and analyzing the side channel data to extract sensitive information such as cryptographic keys or algorithm secrets without interfering with the system's execution. Examples include timing attacks, power analysis attacks, and electromagnetic analysis attacks. Complementing this, a Living-off-the-Land approach at the hardware level leverages legitimate low-level processor or memory behaviour, such as cache state, memory mapping, or speculative execution pipelines, to amplify or enable side channel leakage without relying on a traditional software payload. Because it uses only the system's intended architecture and behaviour, this activity blends in with normal operation, evades detection, and can be used to establish persistence or escalate privileges. Note: This technique covers passive observation and analysis of side channels. Active manipulation of the system to induce faults is covered in the separate technique, EST000068 Fault Injection. |
| EST000068 | Fault Injection | A Cyber Embedded Technique in which an adversary actively uses power or electromagnetic (EM) fault injection to introduce errors into the execution of code within a Line Replaceable Unit (LRU). The adversary precisely manipulates the supply voltage or applies EM pulses to the LRU's hardware to cause specific glitches: bit flips in memory or registers, skipped instructions, or corrupted register values. By timing these faults carefully, the adversary can alter the program's intended control flow, bypass security checks, or force the system into a privileged state, and thereby gain unauthorized access, execute arbitrary code, or extract sensitive information. Power and EM fault injection exploit the physical characteristics of the hardware to compromise the system's security. Note: This technique covers only the active introduction of faults. Passive observation and analysis of side channels is covered in the separate technique, EST000067 Side Channel Attack. |
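Added example for EST000066 Differential Software Loading. This is illustrative code written for this page, not part of the catalog and not any vendor's loader. It assumes a constructed 64-byte image, a toy delta format (offset, length, bytes), and FNV-1a as a stand-in for the cryptographic digest a signed manifest would carry. The naive loader applies a delta that overwrites the rarely used diagnostic region and nothing stops it; the hardened loader stages the update, digests the whole resulting image, and rejects anything that does not match the vendor's published post-update digest.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE  64   /* constructed toy image size */
#define DIAG_OFFSET 48   /* constructed: rarely used diagnostic routine lives here */

/* One record of a delta update: overwrite len bytes at offset. */
typedef struct { size_t offset; size_t len; const uint8_t *data; } delta_rec;

/* Constructed stand-in for the resident LRU image: deterministic filler. */
static void make_base_image(uint8_t *img) {
    for (size_t i = 0; i < IMAGE_SIZE; i++) img[i] = (uint8_t)(0x10 + i);
}

/* FNV-1a 64-bit, used here only as a stand-in for the digest a signed
 * manifest would carry. A real loader uses a cryptographic hash whose
 * value is covered by the vendor's signature. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Vendor's legitimate delta: a 2-byte fix in the active code region. */
static const uint8_t fix_bytes[2] = { 0xAA, 0xBB };
static const delta_rec legit_delta[1] = { { 8, 2, fix_bytes } };

/* Constructed malicious delta: replaces the diagnostic routine. The bytes
 * are a recognisable filler, not real code. */
static const uint8_t evil_bytes[8] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF };
static const delta_rec malicious_delta[1] = { { DIAG_OFFSET, 8, evil_bytes } };

/* Naive loader: applies records in place with only a bounds check.
 * Nothing ties the delta to an approved resulting image. */
static int apply_delta_unchecked(uint8_t *img, size_t n,
                                 const delta_rec *recs, size_t count) {
    for (size_t i = 0; i < count; i++) {
        if (recs[i].offset > n || recs[i].len > n - recs[i].offset) return 0;
        memcpy(img + recs[i].offset, recs[i].data, recs[i].len);
    }
    return 1;
}

/* Hardened loader: stage the update, digest the WHOLE resulting image,
 * compare with the manifest value, and commit only on a match. Verifying
 * the result rather than the delta also catches a delta applied on top of
 * an image it was never meant for. */
static int apply_delta_verified(uint8_t *img, size_t n, const delta_rec *recs,
                                size_t count, uint64_t manifest_digest) {
    uint8_t staged[IMAGE_SIZE];
    if (n > IMAGE_SIZE) return 0;
    memcpy(staged, img, n);
    if (!apply_delta_unchecked(staged, n, recs, count)) return 0;
    if (fnv1a64(staged, n) != manifest_digest) return 0;  /* reject; img untouched */
    memcpy(img, staged, n);
    return 1;
}

/* Digest the vendor would publish (signed) for the post-update image. */
static uint64_t legit_manifest_digest(void) {
    uint8_t img[IMAGE_SIZE];
    make_base_image(img);
    apply_delta_unchecked(img, IMAGE_SIZE, legit_delta, 1);
    return fnv1a64(img, IMAGE_SIZE);
}

/* Run one scenario. Result bits: 1 = loader accepted the update,
 * 2 = diagnostic routine now holds the attacker's bytes. */
static int load_update(int verified_loader, int malicious_update) {
    uint8_t img[IMAGE_SIZE];
    const delta_rec *recs = malicious_update ? malicious_delta : legit_delta;
    int accepted;
    make_base_image(img);
    if (verified_loader)
        accepted = apply_delta_verified(img, IMAGE_SIZE, recs, 1, legit_manifest_digest());
    else
        accepted = apply_delta_unchecked(img, IMAGE_SIZE, recs, 1);
    int overwritten = memcmp(img + DIAG_OFFSET, evil_bytes, sizeof evil_bytes) == 0;
    return (accepted ? 1 : 0) | (overwritten ? 2 : 0);
}

int main(void) {
    printf("naive loader,    malicious delta: result=%d\n", load_update(0, 1));
    printf("verified loader, malicious delta: result=%d\n", load_update(1, 1));
    printf("verified loader, legit delta:     result=%d\n", load_update(1, 0));
    return 0;
}
```

The check that matters is on the result, not the delta: signing the delta alone still lets an attacker pair a valid delta with a substituted base image, or replay an old delta against a newer image. A production loader would also require the manifest itself to be signed and version-pinned, and would verify the digest over the image in its final storage location rather than a RAM copy.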
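Added example for EST000067 Side Channel Attack, a timing channel of the kind the row lists first. It is written for this page and is not code from the catalog or any LRU. It assumes a constructed 4-byte maintenance unlock code and models the attacker's measurement as a count of byte comparisons the device performs (a stand-in for cycle counts or power-trace length). An early-exit compare leaks how many leading bytes of the guess were right, so the code is recovered one byte at a time; a constant-time compare gives the same measurement for every guess.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_LEN 4

/* Constructed: the maintenance unlock code held inside the LRU. */
static const uint8_t SECRET[CODE_LEN] = { 0x4A, 0x13, 0xC7, 0x02 };

/* Signature shared by both checks: compare n bytes and report work done.
 * 'steps' counts byte comparisons, a stand-in for what an attacker would
 * really measure (cycles, power trace length, EM emissions). */
typedef int (*cmp_fn)(const uint8_t *, const uint8_t *, size_t, unsigned *);

/* Early-exit compare, the shape of memcmp/strcmp: stops at the first
 * mismatch, so its duration reveals how many leading bytes were right. */
static int compare_leaky(const uint8_t *a, const uint8_t *b, size_t n, unsigned *steps) {
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time compare: touches every byte regardless of where the first
 * mismatch is, with no data-dependent branch inside the loop. */
static int compare_ct(const uint8_t *a, const uint8_t *b, size_t n, unsigned *steps) {
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Attacker loop: for each position, submit all 256 candidates and keep the
 * one that makes the check run longest (or succeed outright). Cost is at
 * most 256*CODE_LEN guesses instead of 256^CODE_LEN. Returns how many bytes
 * of SECRET were recovered correctly. */
static int recover_code(cmp_fn device_check, uint8_t *out) {
    uint8_t guess[CODE_LEN] = { 0 };
    for (size_t pos = 0; pos < CODE_LEN; pos++) {
        unsigned best_steps = 0;
        uint8_t best = 0;
        for (int c = 0; c < 256; c++) {
            unsigned steps;
            guess[pos] = (uint8_t)c;
            if (device_check(guess, SECRET, CODE_LEN, &steps)) { best = (uint8_t)c; break; }
            if (steps > best_steps) { best_steps = steps; best = (uint8_t)c; }
        }
        guess[pos] = best;
    }
    memcpy(out, guess, CODE_LEN);
    int correct = 0;
    for (size_t i = 0; i < CODE_LEN; i++) correct += (out[i] == SECRET[i]);
    return correct;
}

/* Bytes recovered against each implementation. */
static int bytes_recovered_leaky(void) { uint8_t b[CODE_LEN]; return recover_code(compare_leaky, b); }
static int bytes_recovered_ct(void)    { uint8_t b[CODE_LEN]; return recover_code(compare_ct, b); }

int main(void) {
    printf("early-exit compare:    %d of %d bytes recovered\n", bytes_recovered_leaky(), CODE_LEN);
    printf("constant-time compare: %d of %d bytes recovered\n", bytes_recovered_ct(), CODE_LEN);
    return 0;
}
```

Real measurements are noisy, so an attacker averages many samples per candidate; the step counter here removes the noise to make the leak visible in one pass. On real firmware the constant-time loop must also survive the compiler (a volatile accumulator or an inline-asm barrier, or a vetted library routine), and the LRU should pair it with an attempt counter or lockout so that even a perfect channel cannot be sampled 256 times per byte.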
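Added example for EST000068 Fault Injection. This is illustrative code written for this page, not part of the catalog and not any vendor's boot code. It assumes an abstract fault model rather than a measured glitch: the adversary gets exactly one fault, either a single bit flip in the stored verdict word or a skipped conditional branch (the comparison is forced to take its "pass" path). A naive gate that tests an ordinary 0/1 boolean once is bypassed by almost every single fault; a gate that requires a specific non-trivial constant and re-tests it in complemented form is bypassed by none of them.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdict encodings for the hardened gate: two constants at maximal Hamming
 * distance, so no small number of bit flips turns one into the other. */
#define AUTH_OK   0x5A5A5A5Au
#define AUTH_DENY 0xA5A5A5A5u

/* A single injected fault, modelled abstractly: flip one bit of the stored
 * verdict, or skip the conditional branch of check number 'arg' (force it to
 * take the "pass" path). Constructed model, not a measured glitch. */
typedef enum { FAULT_NONE, FAULT_BITFLIP, FAULT_SKIP } fault_kind;
typedef struct { fault_kind kind; unsigned arg; } fault_t;
typedef int (*gate_fn)(uint32_t verdict, const fault_t *f);

/* Naive gate: verdict is an ordinary boolean (1 = signature verified),
 * tested once with "is it non-zero". */
static int gate_naive(uint32_t verdict, const fault_t *f) {
    uint32_t ok = verdict;
    if (f->kind == FAULT_BITFLIP) ok ^= (1u << f->arg);
    int pass = (ok != 0);                               /* check 0 */
    if (f->kind == FAULT_SKIP && f->arg == 0) pass = 1; /* glitched branch */
    return pass;
}

/* Hardened gate: verdict must equal a specific constant, and the test is
 * repeated in complemented form so that skipping either branch alone is
 * not enough and a flipped bit fails both. */
static int gate_hardened(uint32_t verdict, const fault_t *f) {
    uint32_t v = verdict;
    if (f->kind == FAULT_BITFLIP) v ^= (1u << f->arg);
    int pass0 = (v == AUTH_OK);                          /* check 0 */
    if (f->kind == FAULT_SKIP && f->arg == 0) pass0 = 1;
    if (!pass0) return 0;
    int pass1 = (~v == ~AUTH_OK);                        /* check 1 */
    if (f->kind == FAULT_SKIP && f->arg == 1) pass1 = 1;
    if (!pass1) return 0;
    return 1;
}

/* Enumerate every single fault (32 bit flips plus skipping check 0 or 1)
 * against a "deny" verdict and count how many grant access. */
static int count_single_fault_bypasses(gate_fn gate, uint32_t deny_value) {
    int bypasses = 0;
    fault_t f;
    for (unsigned bit = 0; bit < 32; bit++) {
        f.kind = FAULT_BITFLIP; f.arg = bit;
        bypasses += gate(deny_value, &f);
    }
    for (unsigned chk = 0; chk < 2; chk++) {
        f.kind = FAULT_SKIP; f.arg = chk;
        bypasses += gate(deny_value, &f);
    }
    return bypasses;
}

/* Sanity: without a fault, both gates admit the real verdict and refuse
 * the deny verdict. */
static int gate_ok_without_fault(gate_fn gate, uint32_t ok_value, uint32_t deny_value) {
    fault_t none = { FAULT_NONE, 0 };
    return gate(ok_value, &none) == 1 && gate(deny_value, &none) == 0;
}

int main(void) {
    printf("naive gate:    %d of 34 single faults bypass the check\n",
           count_single_fault_bypasses(gate_naive, 0));
    printf("hardened gate: %d of 34 single faults bypass the check\n",
           count_single_fault_bypasses(gate_hardened, AUTH_DENY));
    return 0;
}
```

The model deliberately stops at one fault. Attackers with good triggering can land two glitches in one run, which is why glitch-resistant firmware combines these encodings with random delays before sensitive branches, redundant computation of the verdict, and hardware voltage/clock monitors, and why the compiler's output must be inspected: an optimiser that folds the two checks into one comparison quietly removes the protection.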