New to CAPEC? Start Here
Home > CAPEC List > CAPEC-30: Hijacking a Privileged Thread of Execution (Version 3.9)  

CAPEC-30: Hijacking a Privileged Thread of Execution

Attack Pattern ID: 30
Abstraction: Standard
View customized information:
+ Description
An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privleged thread to do their bidding, adversaries can evade process-based detection that would stop an attack that creates a new process. This can lead to an adversary gaining access to the process's memory and can also enable elevated privileges. The most common way to perform this attack is by suspending an existing thread and manipulating its memory.
+ Likelihood Of Attack

Low

+ Typical Severity

Very High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.233Privilege Escalation
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Determine target thread: The adversary determines the underlying system thread that is subject to user-control

Experiment
  1. Gain handle to thread: The adversary then gains a handle to a process thread.

    Techniques
    Use the "OpenThread" API call in Windows on a known thread.
    Cause an exception in a java privileged block public function and catch it, or catch a normal signal. The thread is then hanging and the adversary can attempt to gain a handle to it.
  2. Alter process memory: Once the adversary has a handle to the target thread, they will suspend the thread and alter the memory using native OS calls.

    Techniques
    On Windows, use "SuspendThread" followed by "VirtualAllocEx", "WriteProcessMemory", and "SetThreadContext".
Exploit
  1. Resume thread execution: Once the process memory has been altered to execute malicious code, the thread is then resumed.

    Techniques
    On Windows, use "ResumeThread".
+ Prerequisites
The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users
In order to feasibly execute this class of attacks, the adversary must have the ability to hijack a privileged thread. This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or calling native OS calls that can suspend and alter process memory. This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute.
+ Skills Required
[Level: High]
Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread.
+ Resources Required

None: No specialized resources are required to execute this type of attack. The adversary needs to be able to latch onto a privileged thread.

The adversary does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the adversary's malicious code. This is the case even if the adversary conducts the attack remotely.

+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Confidentiality
Access Control
Authorization
Gain Privileges
Confidentiality
Integrity
Availability
Execute Unauthorized Commands
+ Mitigations
Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.
Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.
+ Example Instances
Adversary targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread (e.g., a system call). The adversary could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (also see parent)
Entry IDEntry Name
1055.003Process Injection: Thread Execution Hijacking
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-01-09
(Version 2.9)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2017-08-04
(Version 2.11)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Probing_Techniques, Resources_Required
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, Examples-Instances, Probing_Techniques
2020-07-30
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow, Related_Attack_Patterns, Taxonomy_Mappings
2021-10-21
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Execution_Flow, Prerequisites
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018