T1548.002 Elastic Security · Elastic

Detect Bypass User Account Control in Elastic Security

Adversaries bypass Windows User Account Control (UAC) to execute code with elevated privileges without triggering user prompts. Common methods include: eventvwr.exe hijacking (ZeroT, Koadic), fodhelper.exe Registry key abuse (Saint Bot), sdclt.exe App Paths abuse (WarzoneRAT), CMSTPLUA COM interface (Avaddon), and DLL hijacking via auto-elevated applications (ShimRat via migwiz.exe). Used by BlackCat, LockBit 2.0/3.0, Cobalt Strike, DarkGate, Evilnum, APT37, APT38, BRONZE BUTLER, and many others. UACME documents 70+ bypass methods.

MITRE ATT&CK

Tactic: Privilege Escalation, Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.002 Bypass User Account Control
Canonical reference: https://attack.mitre.org/techniques/T1548/002/

Elastic Detection Query

Elastic Security (Elastic)

```eql
// Part 1: child process spawned by an auto-elevating binary
sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   process.parent.name : ("eventvwr.exe", "fodhelper.exe", "sdclt.exe", "cmstp.exe", "migwiz.exe", "wsreset.exe", "computerdefaults.exe", "slui.exe", "pkgmgr.exe", "sysprep.exe", "osk.exe", "msconfig.exe", "mmc.exe", "eudcedit.exe", "charmap.exe", "colorcpl.exe") and
   not process.name : ("conhost.exe", "WerFault.exe", "dwm.exe")]
  [any where true]

// Part 2: UAC bypass via registry modification
registry where event.type in ("creation", "change") and
  registry.path : ("*\\Software\\Classes\\ms-settings*", "*\\Software\\Classes\\mscfile*", "*\\Classes\\exefile\\shell\\runas*", "*\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe*") and
  registry.hive == "HKEY_CURRENT_USER"

// Part 3: CMSTPLUA COM elevation
process where event.type == "start" and
  (process.name : "cmstp.exe" or
   (process.name : "dllhost.exe" and process.args : "*3E5FC7F9-9A51-4367-9063-A120244FBEC7*"))
```

Severity: high. Confidence: high.

Detects UAC bypass techniques including auto-elevating binary child process spawning, HKCU registry key abuse at known UAC bypass paths (ms-settings, mscfile, runas), and CMSTPLUA COM interface elevation via cmstp.exe or dllhost.exe with the CMSTPLUA CLSID. Covers methods used by BlackCat, LockBit, Cobalt Strike, fodhelper abuse (Saint Bot), eventvwr hijacking (ZeroT/Koadic), and sdclt App Paths abuse (WarzoneRAT).

Data Sources

  • Elastic Endpoint Security
  • Windows Event Logs via Elastic Agent
  • Sysmon via Winlogbeat

Required Tables

  • logs-endpoint.events.process-*
  • logs-endpoint.events.registry-*
  • winlogbeat-*

False Positives & Tuning

  • Legitimate system administration tools or software installers that use auto-elevated binaries as part of normal installation workflows (e.g., Windows Update, enterprise MSI deployments via migwiz.exe)
  • Security software or EDR agents that legitimately spawn child processes from auto-elevated system binaries during remediation or configuration tasks
  • SCCM/Intune device management operations that modify ms-settings or App Paths registry keys as part of policy enforcement or software deployment

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: UAC Bypass via eventvwr.exe (Registry Hijacking)

    Expected signal: Sysmon EventCode 13: RegistryValueSet at HKCU\Software\Classes\mscfile\shell\open\command. Sysmon EventCode 1: eventvwr.exe process, followed by calc.exe (or cmd.exe) spawned with High integrity level. Security Event 4688 for calc.exe with high integrity.

  2. Test 2: UAC Bypass via fodhelper.exe (ms-settings)

    Expected signal: Sysmon EventCode 12/13: HKCU\Software\Classes\ms-settings\shell\open\command created with cmd.exe value. Sysmon EventCode 1: fodhelper.exe spawning cmd.exe with High integrity level.

  3. Test 3: Check UAC Configuration and Current Integrity Level

    Expected signal: Sysmon EventCode 1: reg.exe and whoami.exe process creation.
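The following is an added example, not Elastic's rule engine or any code from the project above. It replays the three parts of the EQL rule over constructed, ECS-style events (the field names process.name, process.parent.name, process.args, registry.path and registry.hive mirror the query; the host names, timestamps and records are constructed) and shows which of the expected signals from Tests 1 and 2 each part fires on. The hijack_chains function goes one step beyond the page's sequence: it pairs an HKCU hijack write with a later child spawn of an auto-elevating parent on the same host within the rule's maxspan, which is the registry-then-process order the Testing Methodology describes.

```python
"""Replay the three parts of the T1548.002 rule over constructed events.

Added example for this page, not Elastic's code. Events use ECS-style dotted
field names as in the EQL; sample records, hosts and timestamps are constructed.
"""
from fnmatch import fnmatchcase

# Part 1: auto-elevating parents listed in the rule, and its excluded children.
AUTO_ELEVATE_PARENTS = {
    "eventvwr.exe", "fodhelper.exe", "sdclt.exe", "cmstp.exe", "migwiz.exe",
    "wsreset.exe", "computerdefaults.exe", "slui.exe", "pkgmgr.exe", "sysprep.exe",
    "osk.exe", "msconfig.exe", "mmc.exe", "eudcedit.exe", "charmap.exe", "colorcpl.exe",
}
BENIGN_CHILDREN = {"conhost.exe", "werfault.exe", "dwm.exe"}

# Part 2: HKCU paths an auto-elevating binary consults before the HKLM copy.
REGISTRY_PATTERNS = (
    r"*\Software\Classes\ms-settings*",
    r"*\Software\Classes\mscfile*",
    r"*\Classes\exefile\shell\runas*",
    r"*\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe*",
)

# Part 3: CMSTPLUA CLSID as it appears on a dllhost.exe command line.
CMSTPLUA_CLSID = "3E5FC7F9-9A51-4367-9063-A120244FBEC7"
MAXSPAN_SECONDS = 5 * 60  # the rule's maxspan=5m


def match_part1(ev):
    """Child of an auto-elevating binary, minus the rule's benign children."""
    return (ev.get("event.category") == "process" and ev.get("event.type") == "start"
            and ev.get("process.parent.name", "").lower() in AUTO_ELEVATE_PARENTS
            and ev.get("process.name", "").lower() not in BENIGN_CHILDREN)


def match_part2(ev):
    """HKCU creation/change at a known UAC-bypass hijack path."""
    if ev.get("event.category") != "registry" or ev.get("event.type") not in ("creation", "change"):
        return False
    if ev.get("registry.hive") != "HKEY_CURRENT_USER":
        return False
    path = ev.get("registry.path", "").lower()
    # fnmatchcase treats backslashes literally, so the EQL-style globs work unchanged.
    return any(fnmatchcase(path, pat.lower()) for pat in REGISTRY_PATTERNS)


def match_part3(ev):
    """cmstp.exe start, or dllhost.exe hosting the CMSTPLUA COM server."""
    if ev.get("event.category") != "process" or ev.get("event.type") != "start":
        return False
    name = ev.get("process.name", "").lower()
    if name == "cmstp.exe":
        return True
    args = " ".join(ev.get("process.args", [])).lower()
    return name == "dllhost.exe" and CMSTPLUA_CLSID.lower() in args


def evaluate(events):
    """Return (rule part, event) hits in timestamp order."""
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        for part, fn in (("part1", match_part1), ("part2", match_part2), ("part3", match_part3)):
            if fn(ev):
                hits.append((part, ev))
    return hits


def hijack_chains(events):
    """Per host, pair a Part 2 hijack write with a later Part 1 spawn within maxspan.
    Added correlation for illustration; the rule's own sequence pairs the spawn
    with any following event instead."""
    chains, hits = [], evaluate(events)
    for i, (part, reg_ev) in enumerate(hits):
        if part != "part2":
            continue
        for later_part, proc_ev in hits[i + 1:]:
            if (later_part == "part1" and proc_ev["host.name"] == reg_ev["host.name"]
                    and 0 <= proc_ev["@timestamp"] - reg_ev["@timestamp"] <= MAXSPAN_SECONDS):
                chains.append((reg_ev["host.name"], reg_ev["registry.path"], proc_ev["process.name"]))
                break
    return chains


# Constructed telemetry mirroring the expected signals of Tests 1 and 2, plus two non-hits.
SAMPLE_EVENTS = [
    {"@timestamp": 100, "host.name": "ws01", "event.category": "registry", "event.type": "creation",
     "registry.hive": "HKEY_CURRENT_USER",
     "registry.path": r"HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command"},
    {"@timestamp": 103, "host.name": "ws01", "event.category": "process", "event.type": "start",
     "process.name": "cmd.exe", "process.parent.name": "fodhelper.exe"},
    {"@timestamp": 200, "host.name": "ws02", "event.category": "process", "event.type": "start",
     "process.name": "conhost.exe", "process.parent.name": "mmc.exe"},  # excluded child
    {"@timestamp": 300, "host.name": "ws03", "event.category": "process", "event.type": "start",
     "process.name": "dllhost.exe",
     "process.args": ["dllhost.exe", "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"]},
    {"@timestamp": 400, "host.name": "ws04", "event.category": "registry", "event.type": "change",
     "registry.hive": "HKEY_LOCAL_MACHINE",  # HKLM write: not the HKCU hijack the rule targets
     "registry.path": r"HKEY_LOCAL_MACHINE\Software\Classes\mscfile\shell\open\command"},
]

if __name__ == "__main__":
    for part, ev in evaluate(SAMPLE_EVENTS):
        print(part, ev["host.name"], ev.get("process.name") or ev.get("registry.path"))
    print(hijack_chains(SAMPLE_EVENTS))
```

Run as-is, the script reports Part 2 and Part 1 hits on ws01 and a Part 3 hit on ws03, while the mmc.exe-to-conhost.exe spawn and the HKLM mscfile write fall through exactly as the rule's exclusions and hive check intend; the chain output ties the ms-settings write to the fodhelper.exe child on ws01, which is the Test 2 signal pattern.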
