Symlink Attack

When adversaries have already gained initial access to a system through techniques like phishing or exploiting external vulnerabilities, they may leverage symlink attacks to achieve privilege escalation and deepen their control. A symlink (symbolic link) attack occurs when attackers manipulate symbolic links to trick privileged processes into operating on attacker-controlled files by exploiting the time gap between access check and actual operation (time-of-check-to-time-of-use or TOCTOU vulnerability). By creating or modifying symlinks that point to sensitive system files or directories, attackers can redirect operations intended for innocuous files toward critical system resources when those operations are executed with elevated privileges. This technique is particularly effective against setuid programs, cron jobs, or service processes that operate with higher privileges than the attacker currently possesses. Successful exploitation allows attackers to modify protected files, access restricted data, or execute commands with elevated permissions, thereby establishing more persistent and comprehensive control over the compromised system.
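The check-then-use gap described above, shown in C beside a hardened opener. This is an added example, not code from the original page; the function names `open_output_unsafe`, `open_output_safe` and `demo` and the temporary directory layout are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a separate check, then an open() that follows symlinks.
   Between the two calls the path can be re-pointed at a sensitive file (TOCTOU). */
int open_output_unsafe(const char *path) {
    if (access(path, F_OK) == 0 && access(path, W_OK) != 0)
        return -1;                                   /* "check" step */
    return open(path, O_WRONLY | O_CREAT, 0600);     /* "use" step follows any link */
}

/* Hardened pattern: O_EXCL|O_NOFOLLOW makes open() refuse an existing symlink,
   and fstat() on the descriptor verifies the object actually opened, so the
   check and the use refer to the same inode. */
int open_output_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed lab setup: a target file and a pre-planted symlink in a temp dir.
   Returns 0 when the unsafe opener opened the link's target and the safe one refused. */
int demo(void) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", target[256], link[256];
    if (!mkdtemp(dir)) return 1;
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(link, sizeof link, "%s/output.tmp", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0 || symlink(target, link) != 0) return 2;
    close(t);
    struct stat tst, ust;
    stat(target, &tst);
    int ufd = open_output_unsafe(link);
    int followed = ufd >= 0 && fstat(ufd, &ust) == 0 && ust.st_ino == tst.st_ino;
    if (ufd >= 0) close(ufd);
    int refused = open_output_safe(link) < 0 && (errno == EEXIST || errno == ELOOP);
    unlink(link); unlink(target); rmdir(dir);
    return (followed && refused) ? 0 : 3;
}
```

The same fstat-after-open check is the control to look for when reviewing setuid programs, cron jobs and services that write to paths an unprivileged user can influence.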