Capabilities Abuse

Capabilities Abuse is a privilege escalation sub-technique in which attackers exploit improperly configured capability settings on Unix-like systems to elevate privileges beyond their intended boundaries. During the Deepening Control phase, after initial access has been established, attackers seek to leverage the fine-grained permissions provided by Linux capabilities (read and set programmatically through the cap_get_proc and cap_set_proc functions, and managed on files with the setcap/getcap tools) to perform operations that would otherwise require root access. Capabilities fragment the omnipotent root privilege into discrete permissions, such as CAP_NET_ADMIN for network configuration changes, CAP_SYS_ADMIN for system administration tasks, or CAP_DAC_OVERRIDE for bypassing file permission checks. They can be abused when inappropriately assigned to executables, processes, or containers. A common attack vector involves exploiting binaries carrying the CAP_SETUID capability to spawn privileged shells, or leveraging CAP_DAC_READ_SEARCH to read sensitive system files despite lacking the standard file permissions. Unlike traditional privilege escalation, which aims for full root access, capabilities abuse lets attackers gain only the specific elevated powers that suffice for their objectives, while potentially evading detection methods that focus solely on complete privilege elevation.
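The two places a defender looks for the misconfigurations described above are the effective capability set of running processes (the CapEff bitmask in /proc/&lt;pid&gt;/status) and file capabilities on executables (the output of getcap -r). The audit script below is an added example written for this page, not code from the page or from any project it names. It decodes a CapEff hex mask into capability names and parses getcap output in both libcap output formats, flagging assignments that fall on a watchlist. The watchlist, the CAP_NAMES bit table (taken from linux/capability.h), the sample getcap lines and the file paths in them are all assumptions constructed for the example.

```python
"""Audit Linux capability assignments (added example, not from the original page).

Two defender-side checks:
  1. decode a CapEff/CapPrm hex bitmask from /proc/<pid>/status into names;
  2. parse `getcap -r` output and flag file capabilities on a watchlist.
All sample inputs below are constructed for illustration.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Capability numbers from <linux/capability.h>: list index == bit position.
CAP_NAMES: List[str] = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Watchlist assumed for this example: the capabilities the text names as abusable.
WATCHLIST = {"CAP_SETUID", "CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE",
             "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN"}

# Constructed sample of `getcap -r /` output, mixing the old libcap format
# ("path = caps+flags") and the new one ("path caps=flags"). Paths are made up.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.11 = cap_setuid+ep
/opt/tools/reader cap_dac_read_search=ep
/usr/sbin/arping cap_net_raw=ep
"""


def decode_capmask(hex_mask: str) -> List[str]:
    """Turn a CapEff/CapPrm hex string into capability names, lowest bit first."""
    mask = int(hex_mask, 16)
    names: List[str] = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits beyond the known table get a numeric placeholder name.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_getcap_line(line: str) -> Optional[Dict]:
    """Parse one getcap line; flags are e=effective, p=permitted, i=inheritable."""
    path, _, rest = line.strip().partition(" ")
    rest = rest.lstrip("= ").strip()          # drop the " = " of the old format
    m = re.match(r"([a-z0-9_,]+)[+=]([eip]*)", rest)
    if not path or not m:
        return None
    caps = [c.upper() for c in m.group(1).split(",")]
    return {"path": path, "caps": caps, "flags": m.group(2),
            "risky": sorted(set(caps) & WATCHLIST)}


def audit_getcap_output(text: str) -> List[Dict]:
    """Return only the entries whose file capabilities hit the watchlist."""
    findings = []
    for line in text.splitlines():
        entry = parse_getcap_line(line)
        if entry and entry["risky"]:
            findings.append(entry)
    return findings


def process_caps(pid: str = "self") -> List[str]:
    """Effective capabilities of a live process (Linux only; [] elsewhere)."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("CapEff:"):
                    return decode_capmask(line.split()[1])
    except FileNotFoundError:
        pass
    return []


if __name__ == "__main__":
    print("this process:", process_caps())
    # Live scan of the filesystem if getcap is installed; otherwise use the sample.
    try:
        out = subprocess.run(["getcap", "-r", "/"], capture_output=True,
                             text=True, check=False).stdout or SAMPLE_GETCAP
    except FileNotFoundError:
        out = SAMPLE_GETCAP
    for f in audit_getcap_output(out):
        print(f"{f['path']}: {','.join(f['risky'])} ({f['flags']})")
```

On the constructed sample the audit reports /usr/bin/python3.11 (CAP_SETUID) and /opt/tools/reader (CAP_DAC_READ_SEARCH) and stays silent on the two cap_net_raw entries, which is the intended baseline for ping-style tools. The same decoder can be pointed at a container's init process to check which capabilities a runtime actually left in its effective set.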