T1548

Abuse Elevation Control Mechanism

Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms intended to limit privileges a user can perform. Adversaries exploit these mechanisms across Windows (UAC bypass via auto-elevate binaries, COM object hijacking, DLL side-loading into elevated processes), Linux (setuid/setgid bit abuse, sudo misconfiguration, pkexec exploitation), macOS (TCC database manipulation, Elevated Execution with Prompt), and cloud environments (temporary role assumption, IAM privilege escalation). Real-world actors including UNC3886 and malware like Raspberry Robin have weaponized these techniques to gain SYSTEM or root access without triggering standard UAC consent dialogs.

Microsoft Sentinel / Defender

kusto

let UACBypassAutoElevateBinaries = dynamic([
  "fodhelper.exe", "eventvwr.exe", "sdclt.exe", "cmstp.exe",
  "computerdefaults.exe", "slui.exe", "wsreset.exe", "dccw.exe",
  "pkgmgr.exe", "wusa.exe", "infdefaultinstall.exe", "msconfig.exe",
  "colorcpl.exe", "cliconfg.exe", "dism.exe", "eudcedit.exe",
  "iexpress.exe", "ntprint.exe", "recdisc.exe", "tabletpc.cpl"
]);
let SuspiciousChildProcesses = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
  "cscript.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
  "certutil.exe", "bitsadmin.exe", "wmic.exe", "regasm.exe", "regsvcs.exe"
]);
let LegitimateElevatedParents = dynamic([
  "services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe",
  "winlogon.exe", "smss.exe", "taskhostw.exe", "userinit.exe", "msiexec.exe",
  "TiWorker.exe", "TrustedInstaller.exe", "WmiPrvSE.exe"
]);
// Detection 1: UAC Bypass - auto-elevate binary spawning suspicious child process
let UACBypassChildSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (UACBypassAutoElevateBinaries)
| where FileName has_any (SuspiciousChildProcesses)
| extend DetectionType = "UAC_Bypass_AutoElevate_Child"
| extend RiskScore = 80
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ProcessIntegrityLevel, InitiatingProcessIntegrityLevel,
          DetectionType, RiskScore;
// Detection 2: Unexpected integrity level escalation (Medium/Low parent spawning High/System child)
let IntegrityEscalation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessIntegrityLevel in ("High", "System")
| where InitiatingProcessIntegrityLevel in ("Medium", "Low")
| where InitiatingProcessFileName !in~ (LegitimateElevatedParents)
| where FileName !in~ ("consent.exe", "dllhost.exe", "RuntimeBroker.exe")
| where AccountName !endswith "$"
| extend DetectionType = "Integrity_Level_Escalation"
| extend RiskScore = 70
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ProcessIntegrityLevel, InitiatingProcessIntegrityLevel,
          DetectionType, RiskScore;
// Detection 3: Linux setuid abuse and sudo privilege escalation
let LinuxPrivEsc = DeviceProcessEvents
| where Timestamp > ago(24h)
| where OSPlatform == "Linux"
| where ProcessCommandLine has_any (
    "chmod +s", "chmod u+s", "chmod 4755", "chmod 4777", "chmod 6755",
    "sudo -s", "sudo su", "sudo bash", "sudo sh", "sudo /bin/bash",
    "sudo /bin/sh", "sudo python", "sudo perl", "sudo ruby",
    "pkexec", "doas "
  )
| where AccountName !in ("root", "_apt", "daemon", "nobody")
| extend DetectionType = "Linux_Setuid_Sudo_Abuse"
| extend RiskScore = 65
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ProcessIntegrityLevel, InitiatingProcessIntegrityLevel,
          DetectionType, RiskScore;
// Detection 4: Fodhelper registry hijack preparation (writing to HKCU shell\open\command)
let FodhelperRegistryPrep = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_all ("Software\\Classes", "ms-settings", "shell\\open\\command")
    or RegistryKey has_all ("Software\\Classes", "mscfile", "shell\\open\\command")
| extend DetectionType = "UAC_Bypass_Registry_Hijack_Prep"
| extend RiskScore = 90
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          RegistryKey, RegistryValueName, RegistryValueData,
          DetectionType, RiskScore;
// Union all detection types
UACBypassChildSpawn
| union IntegrityEscalation
| union LinuxPrivEsc
| union (FodhelperRegistryPrep | extend ProcessIntegrityLevel = "", InitiatingProcessIntegrityLevel = "")
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Process: OS API Execution Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint Linux: Audit Logs

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Software installers that legitimately invoke auto-elevate binaries as part of their installation workflow (e.g., Windows installer packages that chain through fodhelper)
Group Policy and SCCM/Intune deployments that spawn cmd.exe or PowerShell as children of management binaries during system configuration
IT administration tools (MMC snap-ins, Remote Server Administration Tools) that legitimately elevate to High integrity when launched by administrators via RunAs
Linux package managers (apt, yum, dnf) invoking sudo for legitimate system package installation and upgrade operations
Developer build systems using chmod to mark compiled executables or test binaries, and CI/CD pipelines running as non-root that sudo to install dependencies

Splunk

spl

(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | eval Image=lower(Image), ParentImage=lower(ParentImage)
  | eval CommandLine=coalesce(CommandLine, "")
  | eval ParentCommandLine=coalesce(ParentCommandLine, "")
)
OR
(
  index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688
  | eval Image=lower(NewProcessName), ParentImage=lower(ParentProcessName)
  | eval CommandLine=coalesce(CommandLine, ""), ParentCommandLine=""
)
| eval UACBypassParent=if(
    match(ParentImage, "(fodhelper|eventvwr|sdclt|cmstp|computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\\.exe"),
    1, 0
  )
| eval SuspiciousChild=if(
    match(Image, "(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\\.exe"),
    1, 0
  )
| eval FodhelperBypass=if(
    match(ParentImage, "fodhelper\\.exe") AND match(Image, "(cmd|powershell|pwsh|mshta)\\.exe"),
    1, 0
  )
| eval EventvwrBypass=if(
    match(ParentImage, "eventvwr\\.exe") AND match(Image, "(cmd|powershell|pwsh|mshta|wscript)\\.exe"),
    1, 0
  )
| eval SdcltBypass=if(
    match(ParentImage, "sdclt\\.exe") AND match(Image, "(cmd|powershell|pwsh)\\.exe"),
    1, 0
  )
| eval CmstpBypass=if(
    match(ParentImage, "cmstp\\.exe") AND match(Image, "(cmd|powershell|mshta|rundll32)\\.exe"),
    1, 0
  )
| eval GenericAutoElevate=if(UACBypassParent=1 AND SuspiciousChild=1, 1, 0)
| eval SuspicionScore=FodhelperBypass + EventvwrBypass + SdcltBypass + CmstpBypass + GenericAutoElevate
| where SuspicionScore > 0
| eval DetectionType=case(
    FodhelperBypass=1, "Fodhelper_UAC_Bypass",
    EventvwrBypass=1, "Eventvwr_UAC_Bypass",
    SdcltBypass=1, "Sdclt_UAC_Bypass",
    CmstpBypass=1, "Cmstp_UAC_Bypass",
    GenericAutoElevate=1, "Generic_AutoElevate_UAC_Bypass",
    true(), "Unknown"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, SuspicionScore
| sort - SuspicionScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software installers that legitimately invoke auto-elevate binaries as part of their installation workflow, particularly third-party installers that chain through Windows trusted binaries
SCCM/Intune application deployments that spawn cmd.exe or PowerShell as child processes of management binaries during provisioning tasks
IT administration scripts that use RunAs or scheduled tasks to elevate through known binaries, especially in environments without enforced UAC policies
Legitimate Windows administrative tools (Event Viewer launched by administrators, Disk Cleanup invoked by maintenance scripts) that may trigger eventvwr or cleanmgr parent associations
Software packaging tools and virtualization platforms (App-V, ThinApp) that wrap installers inside auto-elevated process containers

Elastic Security (EQL)

eql

any where
(
  /* UAC Bypass: auto-elevate binary spawning suspicious child process */
  event.category == "process" and event.type == "start" and
  process.parent.name : (
    "fodhelper.exe", "eventvwr.exe", "sdclt.exe", "cmstp.exe",
    "computerdefaults.exe", "slui.exe", "wsreset.exe", "dccw.exe",
    "pkgmgr.exe", "wusa.exe", "infdefaultinstall.exe", "msconfig.exe",
    "colorcpl.exe", "cliconfg.exe", "dism.exe", "eudcedit.exe",
    "iexpress.exe", "ntprint.exe", "recdisc.exe"
  ) and
  process.name : (
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
    "certutil.exe", "bitsadmin.exe", "wmic.exe", "regasm.exe", "regsvcs.exe"
  )
)
or
(
  /* Fodhelper/EventVwr registry hijack: writing to ms-settings or mscfile shell open command */
  event.category == "registry" and
  event.type in ("creation", "change") and
  (
    registry.path : "*\\Software\\Classes\\ms-settings\\shell\\open\\command*" or
    registry.path : "*\\Software\\Classes\\mscfile\\shell\\open\\command*"
  )
)
or
(
  /* Linux setuid abuse and sudo privilege escalation */
  event.category == "process" and event.type == "start" and
  host.os.type == "linux" and
  (
    process.command_line : ("*chmod +s*", "*chmod u+s*", "*chmod 4755*", "*chmod 4777*", "*chmod 6755*") or
    (
      process.name == "sudo" and
      process.args : ("-s", "su", "bash", "sh", "/bin/bash", "/bin/sh", "python*", "perl*", "ruby*")
    ) or
    process.name in ("pkexec", "doas")
  ) and
  not user.name in ("root", "_apt", "daemon", "nobody")
)

high severity high confidence

Data Sources

Elastic Endpoint (process and registry events) Winlogbeat with Sysmon Auditbeat (Linux process events)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-* auditbeat-*

False Positives

IT administrators running PowerShell or CMD from management UIs (e.g., DISM-based imaging workflows) that legitimately inherit auto-elevate binary parent process chains
Software deployment tools such as SCCM, PDQ Deploy, or Microsoft Intune that invoke fodhelper.exe or wusa.exe as part of sanctioned patch workflows and subsequently spawn shell processes
Linux system administrators running 'sudo bash' or 'sudo -s' interactively for authorized maintenance tasks on managed servers; tune by excluding known admin accounts or source hosts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "Process Name" AS child_process,
  "Parent Process Name" AS parent_process,
  "Command Line" AS command_line,
  "Parent Command Line" AS parent_command_line,
  CASE
    WHEN LOWER("Parent Process Name") = 'fodhelper.exe'
      AND LOWER("Process Name") MATCHES '(cmd|powershell|pwsh|mshta)\.exe'
      THEN 'Fodhelper_UAC_Bypass'
    WHEN LOWER("Parent Process Name") = 'eventvwr.exe'
      AND LOWER("Process Name") MATCHES '(cmd|powershell|pwsh|mshta|wscript)\.exe'
      THEN 'Eventvwr_UAC_Bypass'
    WHEN LOWER("Parent Process Name") = 'sdclt.exe'
      AND LOWER("Process Name") MATCHES '(cmd|powershell|pwsh)\.exe'
      THEN 'Sdclt_UAC_Bypass'
    WHEN LOWER("Parent Process Name") = 'cmstp.exe'
      AND LOWER("Process Name") MATCHES '(cmd|powershell|mshta|rundll32)\.exe'
      THEN 'Cmstp_UAC_Bypass'
    WHEN LOWER("Parent Process Name") MATCHES '(computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\.exe'
      AND LOWER("Process Name") MATCHES '(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\.exe'
      THEN 'Generic_AutoElevate_UAC_Bypass'
    WHEN "Registry Key" IMATCHES '%Software\\Classes\\ms-settings\\shell\\open\\command%'
      OR "Registry Key" IMATCHES '%Software\\Classes\\mscfile\\shell\\open\\command%'
      THEN 'UAC_Bypass_Registry_Hijack_Prep'
    WHEN LOWER("Command Line") MATCHES '.*(chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755|sudo -s|sudo su|sudo bash|sudo sh|sudo /bin/bash|sudo /bin/sh|pkexec|doas ).*'
      AND username NOT IN ('root', '_apt', 'daemon', 'nobody')
      THEN 'Linux_Setuid_Sudo_Abuse'
    ELSE 'Unknown'
  END AS detection_type,
  CASE
    WHEN LOWER("Registry Key") IMATCHES '%ms-settings\\shell\\open\\command%' THEN 90
    WHEN LOWER("Parent Process Name") = 'fodhelper.exe' THEN 85
    WHEN LOWER("Parent Process Name") IN ('eventvwr.exe','sdclt.exe','cmstp.exe') THEN 80
    ELSE 65
  END AS risk_score
FROM events
WHERE
  starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (
      LOWER("Parent Process Name") MATCHES
        '(fodhelper|eventvwr|sdclt|cmstp|computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\.exe'
      AND LOWER("Process Name") MATCHES
        '(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\.exe'
    )
    OR (
      "Registry Key" IMATCHES '%Software\\Classes\\ms-settings\\shell\\open\\command%'
      OR "Registry Key" IMATCHES '%Software\\Classes\\mscfile\\shell\\open\\command%'
    )
    OR (
      LOWER("Command Line") MATCHES
        '.*(chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755|sudo -s|sudo su|sudo bash|sudo sh|sudo /bin/bash|pkexec|doas ).*'
      AND username NOT IN ('root', '_apt', 'daemon', 'nobody')
    )
  )
ORDER BY starttime DESC

high severity high confidence

Data Sources

Windows Security Event Log (EventID 4688) Sysmon via Windows Event Log (EventID 1, 12, 13) Linux auditd / syslog process events

Required Tables

events

False Positives

Enterprise patch management solutions that invoke wusa.exe or pkgmgr.exe as part of update pipelines and subsequently spawn child cmd.exe or msiexec.exe processes for installation tasks
Security assessment or vulnerability scanning tools that enumerate sudo configurations on Linux endpoints, triggering sudo command pattern matches without actual privilege escalation
Developer workstations where fodhelper or eventvwr may be legitimately launched alongside developer shells in non-adversarial contexts; scope the rule to server OU or production asset groups to reduce noise

Sumo Logic CSE

sql

(_sourceCategory=*windows/sysmon* OR _sourceCategory=*windows/security* OR _sourceCategory=*linux/secure* OR _sourceCategory=*linux/audit*)
| parse regex field=_raw "(?:Image|NewProcessName)[=:\s]+(?:'|")?(?P<child_image>[^'"\s\r\n]+)" nodrop
| parse regex field=_raw "(?:ParentImage|ParentProcessName)[=:\s]+(?:'|")?(?P<parent_image>[^'"\s\r\n]+)" nodrop
| parse regex field=_raw "(?:CommandLine|ProcessCommandLine)[=:\s]+(?:'|")?(?P<command_line>[^\r\n]+)" nodrop
| parse regex field=_raw "(?:User|SubjectUserName|AccountName)[=:\s]+(?:'|")?(?P<username>[^'"\s\r\n]+)" nodrop
| parse regex field=_raw "(?:Computer|Workstation|hostname)[=:\s]+(?:'|")?(?P<hostname>[^'"\s\r\n]+)" nodrop
| parse regex field=_raw "(?:RegistryKey|TargetObject)[=:\s]+(?:'|")?(?P<registry_key>[^'"\s\r\n]+)" nodrop
| parse regex field=_raw "EventID[=:\s]+(?P<event_id>\d+)" nodrop
| where (
    /* UAC Bypass: auto-elevate binary spawning suspicious child */
    (
      parent_image matches /(?i)(fodhelper|eventvwr|sdclt|cmstp|computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\.exe/
      and child_image matches /(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\.exe/
    )
    /* Registry hijack preparation */
    or (
      registry_key matches /(?i).*Software\\Classes\\(ms-settings|mscfile)\\shell\\open\\command.*/
      and event_id in ("12", "13", "4657")
    )
    /* Linux setuid/sudo abuse */
    or (
      command_line matches /(?i).*(chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755|sudo -s|sudo su|sudo bash|sudo sh|sudo \/bin\/(bash|sh)|pkexec|doas ).*/
      and not username in ("root", "_apt", "daemon", "nobody", "www-data")
    )
  )
| if (parent_image matches /(?i)fodhelper\.exe/ and child_image matches /(?i)(cmd|powershell|pwsh|mshta)\.exe/, "Fodhelper_UAC_Bypass",
    if (parent_image matches /(?i)eventvwr\.exe/ and child_image matches /(?i)(cmd|powershell|pwsh|mshta|wscript)\.exe/, "Eventvwr_UAC_Bypass",
      if (parent_image matches /(?i)sdclt\.exe/ and child_image matches /(?i)(cmd|powershell|pwsh)\.exe/, "Sdclt_UAC_Bypass",
        if (parent_image matches /(?i)cmstp\.exe/ and child_image matches /(?i)(cmd|powershell|mshta|rundll32)\.exe/, "Cmstp_UAC_Bypass",
          if (registry_key matches /(?i).*ms-settings.*shell.*open.*command.*/, "UAC_Bypass_Registry_Hijack_Prep",
            if (command_line matches /(?i).*(chmod \+s|chmod 4[67]|sudo (bash|sh|-s)|pkexec).*/, "Linux_Setuid_Sudo_Abuse",
              "Generic_AutoElevate_UAC_Bypass"
            )
          )
        )
      )
    )
  ) as detection_type
| if (detection_type = "UAC_Bypass_Registry_Hijack_Prep", 90,
    if (detection_type = "Fodhelper_UAC_Bypass", 85,
      if (detection_type in ("Eventvwr_UAC_Bypass", "Sdclt_UAC_Bypass", "Cmstp_UAC_Bypass"), 80,
        65
      )
    )
  ) as risk_score
| fields _messagetime, hostname, username, child_image, parent_image, command_line, registry_key, detection_type, risk_score
| sort by _messagetime desc

high severity high confidence

Data Sources

Windows Sysmon (EventID 1 process create, EventID 12/13 registry) Windows Security Event Log (EventID 4688 process create, EventID 4657 registry) Linux auditd / secure log (process exec events)

Required Tables

_sourceCategory=*windows/sysmon* _sourceCategory=*windows/security* _sourceCategory=*linux/secure* _sourceCategory=*linux/audit*

False Positives

Legitimate administrative scripts that invoke colorcpl.exe, dism.exe, or wusa.exe as part of Windows image servicing pipelines and subsequently spawn cmd.exe for follow-on configuration steps
Penetration testing or red team exercises on authorized hosts where UAC bypass techniques are being validated using tools like UACME, Metasploit, or PowerShell Empire with proper change tickets
Linux DevOps engineers using 'sudo bash' or 'sudo -s' during interactive debugging sessions on build servers; consider allowlisting specific usernames or source IP ranges used by ops teams

Google Chronicle / SecOps

yaral

rule uac_bypass_autoelevate_child_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects UAC bypass via auto-elevate binaries spawning suspicious shell or scripting child processes (T1548.002)"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1548"
    mitre_attack_subtechnique = "T1548.002"
    severity = "HIGH"
    priority = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path = /(?i)(fodhelper|eventvwr|sdclt|cmstp|computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\.exe$/
    $proc.target.process.file.full_path = /(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\.exe$/
    $proc.principal.hostname = $hostname

  condition:
    $proc
}

rule uac_bypass_registry_hijack_prep {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects registry key writes to ms-settings or mscfile shell open command paths used in fodhelper/eventvwr UAC bypass (T1548.002)"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1548"
    mitre_attack_subtechnique = "T1548.002"
    severity = "CRITICAL"
    priority = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      $reg.target.registry.registry_key = /(?i).*\\Software\\Classes\\ms-settings\\shell\\open\\command.*/ or
      $reg.target.registry.registry_key = /(?i).*\\Software\\Classes\\mscfile\\shell\\open\\command.*/
    )
    $reg.principal.hostname = $hostname

  condition:
    $reg
}

rule linux_setuid_sudo_privilege_escalation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Linux privilege escalation via setuid bit manipulation or interactive sudo shell spawning by non-privileged accounts (T1548.001 / T1548.003)"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1548"
    mitre_attack_subtechnique = "T1548.001"
    severity = "HIGH"
    priority = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $linux.metadata.event_type = "PROCESS_LAUNCH"
    $linux.principal.platform = "LINUX"
    (
      $linux.target.process.command_line = /(?i).*(chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755).*/  or
      (
        $linux.target.process.file.full_path = /(?i).*\/sudo$/ and
        $linux.target.process.command_line = /(?i)sudo\s+(-s|su|bash|sh|\/bin\/(bash|sh)|python[23]?|perl|ruby).*/
      ) or
      $linux.target.process.file.full_path = /(?i).*\/(pkexec|doas)$/
    )
    not $linux.principal.user.userid = "root"
    not $linux.principal.user.userid = "daemon"
    not $linux.principal.user.userid = "nobody"
    $linux.principal.hostname = $hostname

  condition:
    $linux
}

high severity high confidence

Data Sources

Google Chronicle UDM (PROCESS_LAUNCH events from Windows endpoint agents) Google Chronicle UDM (REGISTRY_MODIFICATION events from Windows endpoint agents) Google Chronicle UDM (PROCESS_LAUNCH events from Linux endpoint agents)

Required Tables

UDM events (PROCESS_LAUNCH) UDM events (REGISTRY_MODIFICATION)

False Positives

Authorized IT management tooling that invokes colorcpl.exe, recdisc.exe, or msconfig.exe as part of OS hardening scripts and spawns cmd.exe for configuration validation steps
Enterprise software packaging tools (WiX, NSIS, InstallShield) that use dism.exe or wusa.exe as parent processes for package extraction, potentially spawning msiexec.exe as a child
Linux system accounts performing authorized chmod operations on application binaries during deployment pipelines; tune the Linux rule by adding allowlist conditions for known CI/CD service account UIDs

CrowdStrike LogScale (CQL)

cql

// Detection 1: UAC Bypass - auto-elevate binary spawning suspicious child process
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)(fodhelper|eventvwr|sdclt|cmstp|computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\.exe/i
| ImageFileName = /(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\.exe/i
| detection_type := case {
    ParentBaseFileName = /fodhelper\.exe/i and ImageFileName = /(?i)(cmd|powershell|pwsh|mshta)\.exe/ => "Fodhelper_UAC_Bypass";
    ParentBaseFileName = /eventvwr\.exe/i and ImageFileName = /(?i)(cmd|powershell|pwsh|mshta|wscript)\.exe/ => "Eventvwr_UAC_Bypass";
    ParentBaseFileName = /sdclt\.exe/i and ImageFileName = /(?i)(cmd|powershell|pwsh)\.exe/ => "Sdclt_UAC_Bypass";
    ParentBaseFileName = /cmstp\.exe/i and ImageFileName = /(?i)(cmd|powershell|mshta|rundll32)\.exe/ => "Cmstp_UAC_Bypass";
    * => "Generic_AutoElevate_UAC_Bypass"
  }
| risk_score := case {
    detection_type = "Fodhelper_UAC_Bypass" => 85;
    detection_type in ["Eventvwr_UAC_Bypass", "Sdclt_UAC_Bypass", "Cmstp_UAC_Bypass"] => 80;
    * => 65
  }
| table([_timeparsed, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, detection_type, risk_score])
| sort(field=_timeparsed, order=desc)

// Detection 2: Fodhelper registry hijack preparation (separate query - run independently)
// #event_simpleName=RegGenericValueSet OR #event_simpleName=RegSetValue
// | RegObjectName = /(?i).*\\Software\\Classes\\(ms-settings|mscfile)\\shell\\open\\command.*/i
// | table([_timeparsed, ComputerName, UserName, RegObjectName, RegStringValue, ImageFileName, CommandLine])
// | sort(field=_timeparsed, order=desc)

// Detection 3: Linux setuid/sudo abuse (separate query - run independently on Linux sensors)
// #event_simpleName=ProcessRollup2 event_platform=Lin
// | CommandLine = /(?i)(chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755|sudo -s|sudo su|sudo bash|sudo sh|sudo \/bin\/(bash|sh)|pkexec|doas )/i
// | UserName != "root"
// | table([_timeparsed, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName])
// | sort(field=_timeparsed, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 - process telemetry) CrowdStrike Falcon Endpoint (RegGenericValueSet / RegSetValue - registry telemetry) CrowdStrike Falcon Linux Sensor (ProcessRollup2 - Linux process telemetry)

Required Tables

ProcessRollup2 RegGenericValueSet RegSetValue

False Positives

Software update orchestration platforms that use wsreset.exe or wusa.exe as parent processes for update package execution, with msiexec.exe or cmd.exe spawned as legitimate installation children
Security tooling such as EDR agents or AV products that may spawn cmd.exe or powershell.exe from elevated management processes that share the auto-elevate binary naming space
Linux administrators using 'sudo bash' or 'sudo -s' for interactive escalation on systems where sudo is the standard privilege management mechanism; scope detection to servers or specific asset groups rather than all endpoints

Last updated: 2026-04-20 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1548 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Abuse Elevation Control Mechanism

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (6)

Same Tactic: Privilege Escalation

Popular Detections