T1548.002 Bypass User Account Control Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1548.002 — UAC Bypass detection
// Multiple sub-techniques: eventvwr, fodhelper, sdclt, CMSTPLUA, DLL hijacking
let UACBypassBinaries = dynamic([
  "eventvwr.exe", "fodhelper.exe", "sdclt.exe", "cmstp.exe",
  "migwiz.exe", "wsreset.exe", "computerdefaults.exe",
  "slui.exe", "pkgmgr.exe", "sysprep.exe", "osk.exe",
  "msconfig.exe", "mmc.exe", "eudcedit.exe", "charmap.exe",
  "colorcpl.exe", "windowsanytimeupgrade.exe"
]);
// Part 1: Detect auto-elevating binaries spawning unexpected child processes
let UACBypassSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (UACBypassBinaries)
| where FileName !in~ ("conhost.exe", "WerFault.exe", "dwm.exe")
| where ProcessTokenElevationType =~ "TokenElevationTypeDefault"
    or InitiatingProcessTokenElevationType =~ "TokenElevationTypeDefault"
| extend DetectionType = "UAC_Auto_Elevate_Bypass"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect registry modifications at known UAC bypass paths
let UACBypassReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "ms-settings",
    "mscfile",
    "Classes\\exefile\\shell\\runas",
    "Software\\Classes\\ms-settings",
    "Software\\Classes\\mscfile",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe"
  )
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend DetectionType = "UAC_Bypass_Registry"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect CMSTPLUA COM elevation pattern
let UACBypassCOM = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "cmstp.exe"
    or (InitiatingProcessFileName =~ "dllhost.exe" and
        InitiatingProcessCommandLine has "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")
| extend DetectionType = "UAC_CMSTPLUA_COM"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union UACBypassSpawn, UACBypassReg, UACBypassCOM
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Windows Registry: Registry Value Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Legitimate administrative tools that invoke auto-elevating binaries (some vendor software uses eventvwr.exe legitimately)
IT management software that uses CMSTP/COM elevation for authorized software deployment
Pentest tools performing authorized UAC bypass testing on test endpoints
Application compatibility shims that may trigger auto-elevation paths

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=1 AND
      match(ParentImage, "(?i)(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|pkgmgr|sysprep|osk|msconfig)\.exe") AND
      NOT match(Image, "(?i)(conhost|WerFault|dwm)\.exe"),
      "UAC_Auto_Elevate_Child_Spawn",
    EventCode IN (12,13) AND
      (match(TargetObject, "(?i)(ms-settings|mscfile|exefile.*runas|App.Paths.*control)") AND
       match(TargetObject, "(?i)HKCU")),
      "UAC_Bypass_Registry_HKCU",
    EventCode=1 AND
      (match(Image, "(?i)cmstp\.exe") OR
       (match(Image, "(?i)dllhost\.exe") AND match(CommandLine, "3E5FC7F9-9A51-4367-9063-A120244FBEC7"))),
      "UAC_CMSTPLUA_COM_Elevation",
    EventCode=1 AND
      match(Image, "(?i)(powershell|cmd)\.exe") AND
      match(ParentImage, "(?i)(eventvwr|fodhelper|sdclt)\.exe"),
      "UAC_Bypass_Shell_Spawn",
    true(), null()
  )
| where isnotnull(detection_type)
| eval integrity_level=case(
    match(Mandatory_Label, "(?i)High"), "High",
    match(Mandatory_Label, "(?i)Medium"), "Medium",
    true(), "Unknown"
  )
| table _time, host, User, detection_type, Image, CommandLine, ParentImage, TargetObject, Details
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Windows Registry: Registry Value Modification Sysmon Event ID 1, 12, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate admin tools invoking auto-elevating system utilities
Vendor software using COM elevation with administrative consent
Authorized penetration testing in known test environments

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   process.parent.name : ("eventvwr.exe", "fodhelper.exe", "sdclt.exe", "cmstp.exe", "migwiz.exe", "wsreset.exe", "computerdefaults.exe", "slui.exe", "pkgmgr.exe", "sysprep.exe", "osk.exe", "msconfig.exe", "mmc.exe", "eudcedit.exe", "charmap.exe", "colorcpl.exe") and
   not process.name : ("conhost.exe", "WerFault.exe", "dwm.exe")]
  [any where true]

// Part 2: UAC bypass via registry modification
registry where event.type in ("creation", "change") and
  registry.path : ("*\\Software\\Classes\\ms-settings*", "*\\Software\\Classes\\mscfile*", "*\\Classes\\exefile\\shell\\runas*", "*\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe*") and
  registry.hive == "HKEY_CURRENT_USER"

// Part 3: CMSTPLUA COM elevation
process where event.type == "start" and
  (process.name : "cmstp.exe" or
   (process.name : "dllhost.exe" and process.args : "*3E5FC7F9-9A51-4367-9063-A120244FBEC7*"))

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Event Logs via Elastic Agent Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate system administration tools or software installers that use auto-elevated binaries as part of normal installation workflows (e.g., Windows Update, enterprise MSI deployments via migwiz.exe)
Security software or EDR agents that legitimately spawn child processes from auto-elevated system binaries during remediation or configuration tasks
SCCM/Intune device management operations that modify ms-settings or App Paths registry keys as part of policy enforcement or software deployment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  "CommandLine",
  "ParentCommandLine",
  "Image",
  "ParentImage",
  "TargetObject",
  CASE
    WHEN LOWER("ParentImage") MATCHES '.*\\(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|pkgmgr|sysprep|osk|msconfig|mmc|eudcedit|charmap|colorcpl)\.exe$'
      AND NOT LOWER("Image") MATCHES '.*\\(conhost|WerFault|dwm)\.exe$'
      AND QIDNAME(qid) LIKE '%Process Create%'
      THEN 'UAC_Auto_Elevate_Child_Spawn'
    WHEN (LOWER("TargetObject") LIKE '%\\Software\\Classes\\ms-settings%'
      OR LOWER("TargetObject") LIKE '%\\Software\\Classes\\mscfile%'
      OR LOWER("TargetObject") LIKE '%\\Classes\\exefile\\shell\\runas%'
      OR LOWER("TargetObject") LIKE '%\\App Paths\\control.exe%')
      AND LOWER("TargetObject") LIKE '%hkcu%'
      THEN 'UAC_Bypass_Registry_HKCU'
    WHEN LOWER("Image") LIKE '%\\cmstp.exe'
      OR (LOWER("Image") LIKE '%\\dllhost.exe' AND "CommandLine" LIKE '%3E5FC7F9-9A51-4367-9063-A120244FBEC7%')
      THEN 'UAC_CMSTPLUA_COM_Elevation'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND devicetime > DATEADD('hour', -24, NOW())
  AND (
    (
      LOWER("ParentImage") MATCHES '.*\\(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|pkgmgr|sysprep|osk|msconfig)\.exe$'
      AND NOT LOWER("Image") MATCHES '.*\\(conhost|WerFault|dwm)\.exe$'
    )
    OR (
      (LOWER("TargetObject") LIKE '%ms-settings%' OR LOWER("TargetObject") LIKE '%mscfile%'
        OR LOWER("TargetObject") LIKE '%exefile%runas%' OR LOWER("TargetObject") LIKE '%App Paths%control%')
      AND LOWER("TargetObject") LIKE '%hkcu%'
    )
    OR LOWER("Image") LIKE '%\\cmstp.exe'
    OR (LOWER("Image") LIKE '%\\dllhost.exe' AND "CommandLine" LIKE '%3E5FC7F9-9A51-4367-9063-A120244FBEC7%')
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via QRadar DSM Windows Sysmon

Required Tables

events

False Positives

Enterprise software deployment tools (SCCM, Intune) that legitimately write to App Paths or ms-settings registry locations during managed installs
Windows OS upgrade processes (e.g., Windows Anytime Upgrade, Feature Updates) that use migwiz.exe or sysprep.exe and spawn helper child processes
Legitimate administrative scripts run by IT staff that call computerdefaults.exe or wsreset.exe during workstation provisioning or troubleshooting

Sumo Logic CSE

sql

// Part 1: UAC bypass via auto-elevating binary child process spawn
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID = 1
| parse field=ParentImage "*\\*" as _parent_path, ParentBinary
| parse field=Image "*\\*" as _img_path, ChildBinary
| where toLowerCase(ParentBinary) in ("eventvwr.exe", "fodhelper.exe", "sdclt.exe", "cmstp.exe", "migwiz.exe", "wsreset.exe", "computerdefaults.exe", "slui.exe", "pkgmgr.exe", "sysprep.exe", "osk.exe", "msconfig.exe", "mmc.exe", "eudcedit.exe", "charmap.exe", "colorcpl.exe")
| where !(toLowerCase(ChildBinary) in ("conhost.exe", "werfault.exe", "dwm.exe"))
| fields _messageTime, Computer, User, ParentBinary, ChildBinary, CommandLine, ParentCommandLine
| concat ("UAC_Auto_Elevate_Bypass:", ParentBinary, " -> ", ChildBinary) as detection_label

// Part 2: UAC bypass registry key modifications
_sourceCategory=windows/sysmon
| where EventID in (12, 13)
| where TargetObject matches /(?i)(HKCU.*ms-settings|HKCU.*mscfile|HKCU.*exefile.*runas|HKCU.*App.Paths.*control)/
| fields _messageTime, Computer, User, TargetObject, Details, Image, CommandLine
| "UAC_Bypass_Registry_HKCU" as detection_label

// Part 3: CMSTPLUA COM interface elevation
_sourceCategory=windows/sysmon
| where EventID = 1
| where (toLowerCase(Image) matches /.*\\cmstp\.exe$/) OR
        (toLowerCase(Image) matches /.*\\dllhost\.exe$/ AND CommandLine matches /3E5FC7F9-9A51-4367-9063-A120244FBEC7/)
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage
| "UAC_CMSTPLUA_COM_Elevation" as detection_label

high severity high confidence

Data Sources

Windows Sysmon Windows Security Events Sumo Logic Windows Agent

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Windows built-in reset and troubleshooting tools (wsreset.exe for Windows Store cache, osk.exe for accessibility) legitimately launched by help desk staff or automated remediation scripts
Penetration testing or red team exercises where UACME or similar tooling is used in authorized assessments — coordinate with security team to establish exclusions during test windows
Third-party software that registers COM objects or modifies App Paths registry entries during installation using elevated MSI helper processes that appear as dllhost.exe children

Google Chronicle / SecOps

yaral

rule uac_bypass_auto_elevate_child_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects UAC bypass via auto-elevating binary spawning unexpected child processes"
    mitre_attack_technique = "T1548.002"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path = /(?i)(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|pkgmgr|sysprep|osk|msconfig|mmc|eudcedit|charmap|colorcpl)\.exe$/
    not $proc.target.process.file.full_path = /(?i)(conhost|WerFault|dwm)\.exe$/

  condition:
    $proc
}

rule uac_bypass_registry_hkcu {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects UAC bypass via HKCU registry modification at known bypass paths"
    mitre_attack_technique = "T1548.002"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    $reg.target.registry.registry_key = /(?i)(HKCU|HKEY_CURRENT_USER).*(ms-settings|mscfile|exefile\\shell\\runas|App\.Paths.*control\.exe)/

  condition:
    $reg
}

rule uac_bypass_cmstplua_com {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects CMSTPLUA COM interface abuse for UAC bypass elevation"
    mitre_attack_technique = "T1548.002"
    severity = "CRITICAL"
    confidence = "HIGH"

  events:
    $com.metadata.event_type = "PROCESS_LAUNCH"
    (
      $com.target.process.file.full_path = /(?i)\\cmstp\.exe$/ or
      (
        $com.target.process.file.full_path = /(?i)\\dllhost\.exe$/ and
        $com.target.process.command_line = /3E5FC7F9-9A51-4367-9063-A120244FBEC7/
      )
    )

  condition:
    $com
}

rule uac_bypass_shell_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects UAC bypass resulting in cmd or powershell spawned by known bypass binaries"
    mitre_attack_technique = "T1548.002"
    severity = "CRITICAL"
    confidence = "HIGH"

  events:
    $shell.metadata.event_type = "PROCESS_LAUNCH"
    $shell.target.process.file.full_path = /(?i)(powershell|cmd)\.exe$/
    $shell.principal.process.file.full_path = /(?i)(eventvwr|fodhelper|sdclt)\.exe$/

  condition:
    $shell
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs via Chronicle Forwarder Sysmon via Chronicle

Required Tables

UDM Events — process_launch UDM Events — registry_modification

False Positives

Windows Defender or other AV products that use elevated COM objects (dllhost.exe with elevated CLSID) for quarantine or remediation operations triggered from system processes
Enterprise GPO-based configurations that write to Software\Classes registry hives including ms-settings paths when applying policy during domain-joined workstation startup
Sysinternals or IT tooling (e.g., Autoruns, Process Monitor) that enumerate or touch runas shell handler registry keys as part of system inspection

CrowdStrike LogScale (CQL)

cql

// Part 1: UAC bypass — auto-elevating binary spawns unexpected child
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|pkgmgr|sysprep|osk|msconfig|mmc|eudcedit|charmap|colorcpl)\.exe$/
| FileName != /(?i)^(conhost|WerFault|dwm)\.exe$/
| "UAC_Auto_Elevate_Child_Spawn" as DetectionType
| table([_timeutc, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionType])

// Part 2: UAC bypass — registry key modification at known bypass paths
#event_simpleName=RegSetValue
| RegObjectName = /(?i)(ms-settings|mscfile|exefile\\shell\\runas|App.Paths.*control)/
| RegObjectName = /(?i)HKCU/
| "UAC_Bypass_Registry_HKCU" as DetectionType
| table([_timeutc, ComputerName, UserName, RegObjectName, RegValueName, RegStringValue, ImageFileName, CommandLine, DetectionType])

// Part 3: UAC bypass — CMSTPLUA COM elevation
#event_simpleName=ProcessRollup2
| FileName = /(?i)^cmstp\.exe$/
  OR (FileName = /(?i)^dllhost\.exe$/ AND CommandLine = /3E5FC7F9-9A51-4367-9063-A120244FBEC7/)
| "UAC_CMSTPLUA_COM_Elevation" as DetectionType
| table([_timeutc, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionType])

// Part 4: UAC bypass — elevated shell spawned from bypass binary
#event_simpleName=ProcessRollup2
| FileName = /(?i)^(powershell|cmd)\.exe$/
| ParentBaseFileName = /(?i)^(eventvwr|fodhelper|sdclt)\.exe$/
| "UAC_Bypass_Elevated_Shell" as DetectionType
| table([_timeutc, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionType])

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Sensor — ProcessRollup2 Falcon Sensor — RegSetValue

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=RegSetValue

False Positives

Falcon sensor itself or CrowdStrike maintenance processes that spawn child processes from system utilities listed in the UAC bypass binary list during sensor updates or policy enforcement
Corporate software packaging tools (e.g., Flexera AdminStudio, Advanced Installer) that use sdclt.exe or computerdefaults.exe as part of MSI transform or compatibility shim testing
IT helpdesk remote control or scripting tools (e.g., PDQ Deploy, Kace) that invoke UAC-auto-elevated binaries as launcher stubs when deploying software to endpoints without user interaction

Bypass User Account Control

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections