T1548.002 CrowdStrike LogScale · LogScale

Detect Bypass User Account Control in CrowdStrike LogScale

Adversaries bypass Windows User Account Control (UAC) to run code at high integrity without the consent prompt a user would otherwise see. Most techniques abuse Windows binaries that Microsoft marks as auto-elevate: when such a binary resolves a file handler, COM class, or App Path, it honours per-user keys under HKCU that a medium-integrity process is allowed to write, so the attacker's payload inherits the elevated token. Common methods include eventvwr.exe mscfile handler hijacking (ZeroT, Koadic), fodhelper.exe ms-settings registry key abuse (Saint Bot), sdclt.exe App Paths abuse (WarzoneRAT), the CMSTPLUA COM interface (Avaddon), and DLL hijacking via auto-elevated applications (ShimRat via migwiz.exe). Used by BlackCat, LockBit 2.0/3.0, Cobalt Strike, DarkGate, Evilnum, APT37, APT38, BRONZE BUTLER, and many others. UACME documents 70+ bypass methods.

MITRE ATT&CK

Tactic
Privilege Escalation, Defense Evasion
Technique
T1548 Abuse Elevation Control Mechanism
Sub-technique
T1548.002 Bypass User Account Control
Canonical reference
https://attack.mitre.org/techniques/T1548/002/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql
// Part 1: UAC bypass — auto-elevating binary spawns unexpected child
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|pkgmgr|sysprep|osk|msconfig|mmc|eudcedit|charmap|colorcpl)\.exe$/
| FileName != /(?i)^(conhost|WerFault|dwm)\.exe$/
// Event Viewer launches mmc.exe on every legitimate start; drop that pair so
// the rule fires only when eventvwr.exe spawns something else (hijacked mscfile handler)
| FileName != /(?i)^mmc\.exe$/ OR ParentBaseFileName != /(?i)^eventvwr\.exe$/
| DetectionType := "UAC_Auto_Elevate_Child_Spawn"
| table([_timeutc, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionType])

// Part 2: UAC bypass — registry key modification at known bypass paths
#event_simpleName=RegSetValue
// Falcon records HKCU paths as \REGISTRY\USER\<SID>\..., never as the literal "HKCU"
| RegObjectName = /(?i)^\\REGISTRY\\USER\\/
| RegObjectName = /(?i)(ms-settings|mscfile|exefile\\shell\\runas|App.Paths.*control)/
| DetectionType := "UAC_Bypass_Registry_HKCU"
| table([_timeutc, ComputerName, UserName, RegObjectName, RegValueName, RegStringValue, ImageFileName, CommandLine, DetectionType])

// Part 3: UAC bypass — CMSTPLUA COM elevation
#event_simpleName=ProcessRollup2
// Bare cmstp.exe is noisy; the bypass requires an INF. The COM variant runs the
// CMSTPLUA class inside a dllhost.exe surrogate identified by its CLSID
| (FileName = /(?i)^cmstp\.exe$/ AND CommandLine = /(?i)\.inf/)
  OR (FileName = /(?i)^dllhost\.exe$/ AND CommandLine = /(?i)3E5FC7F9-9A51-4367-9063-A120244FBEC7/)
| DetectionType := "UAC_CMSTPLUA_COM_Elevation"
| table([_timeutc, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionType])

// Part 4: UAC bypass — elevated shell spawned from bypass binary
// Subset of Part 1 with a shell as the child: high confidence, worth paging on
#event_simpleName=ProcessRollup2
| FileName = /(?i)^(powershell|cmd)\.exe$/
| ParentBaseFileName = /(?i)^(eventvwr|fodhelper|sdclt)\.exe$/
| DetectionType := "UAC_Bypass_Elevated_Shell"
| table([_timeutc, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionType])
Severity: critical | Confidence: high

Four CrowdStrike LogScale CQL patterns over Falcon sensor telemetry: (1) ProcessRollup2 events in which a known auto-elevating Windows binary spawns an unexpected child process; (2) RegSetValue events that write to the HKCU paths those binaries resolve at launch (ms-settings, mscfile, the exefile runas handler, App Paths); (3) cmstp.exe execution or dllhost.exe hosting the CMSTPLUA CLSID, indicating COM interface elevation; and (4) the high-confidence case of cmd.exe or powershell.exe spawned directly by a bypass binary, meaning the payload is already running with the elevated token. Parts 1 and 4 overlap by design: Part 4 is the subset to alert on, Part 1 the wider hunting net.
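The four query parts translated into a small offline harness, added here as an example and not part of the original page or of CrowdStrike's tooling. It applies the same regexes to constructed Falcon-shaped events (field names as in the query; hostnames, SIDs and command lines are made up) so the logic can be unit-tested before deployment. Three adjustments over a literal reading of the query are built in and marked in comments: the HKCU filter matches the `\REGISTRY\USER\` prefix Falcon actually records rather than the string HKCU, the benign eventvwr.exe to mmc.exe pair is excluded from Part 1, and cmstp.exe only counts in Part 3 when its command line references an INF.

```python
import re

# Field names (event_simpleName, FileName, ParentBaseFileName, CommandLine,
# RegObjectName) follow the Falcon telemetry used by the query above. The
# sample events further down are constructed, not real sensor output.

AUTO_ELEVATE_PARENT = re.compile(
    r"^(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|"
    r"pkgmgr|sysprep|osk|msconfig|mmc|eudcedit|charmap|colorcpl)\.exe$", re.I)
BENIGN_CHILD = re.compile(r"^(conhost|WerFault|dwm)\.exe$", re.I)
SHELL = re.compile(r"^(powershell|cmd)\.exe$", re.I)
SHELL_PARENT = re.compile(r"^(eventvwr|fodhelper|sdclt)\.exe$", re.I)
BYPASS_KEY = re.compile(
    r"(ms-settings|mscfile|exefile\\shell\\runas|App.Paths.*control)", re.I)
# Falcon renders HKCU paths as \REGISTRY\USER\<SID>\..., never as "HKCU".
HKCU_PREFIX = re.compile(r"^\\REGISTRY\\USER\\", re.I)
CMSTPLUA_CLSID = "3e5fc7f9-9a51-4367-9063-a120244fbec7"


def classify(event):
    """Return the DetectionType labels the four query parts would assign."""
    hits = []
    kind = event.get("event_simpleName")
    if kind == "ProcessRollup2":
        parent = event.get("ParentBaseFileName", "")
        child = event.get("FileName", "")
        cmd = event.get("CommandLine", "")
        # Part 1: auto-elevating parent with an unexpected child. Event Viewer
        # always launches mmc.exe, so that pair is excluded as known-benign.
        legit_eventvwr = parent.lower() == "eventvwr.exe" and child.lower() == "mmc.exe"
        if AUTO_ELEVATE_PARENT.search(parent) and not BENIGN_CHILD.search(child) \
                and not legit_eventvwr:
            hits.append("UAC_Auto_Elevate_Child_Spawn")
        # Part 3: cmstp.exe loading an INF, or the CMSTPLUA COM surrogate.
        if (child.lower() == "cmstp.exe" and re.search(r"\.inf\b", cmd, re.I)) or \
                (child.lower() == "dllhost.exe" and CMSTPLUA_CLSID in cmd.lower()):
            hits.append("UAC_CMSTPLUA_COM_Elevation")
        # Part 4: shell spawned directly by a bypass binary.
        if SHELL.search(child) and SHELL_PARENT.search(parent):
            hits.append("UAC_Bypass_Elevated_Shell")
    elif kind == "RegSetValue":
        key = event.get("RegObjectName", "")
        # Part 2: only the user-writable hive matters; writing HKLM already needs admin.
        if HKCU_PREFIX.search(key) and BYPASS_KEY.search(key):
            hits.append("UAC_Bypass_Registry_HKCU")
    return hits


def pr2(parent, child, cmd, host="WS01"):
    """Constructed ProcessRollup2 event (hypothetical host name)."""
    return {"event_simpleName": "ProcessRollup2", "ComputerName": host,
            "ParentBaseFileName": parent, "FileName": child, "CommandLine": cmd}


def reg(key, host="WS01"):
    """Constructed RegSetValue event (hypothetical host name and SID)."""
    return {"event_simpleName": "RegSetValue", "ComputerName": host,
            "RegObjectName": key, "RegValueName": "(Default)"}


SAMPLE_EVENTS = [
    pr2("fodhelper.exe", "cmd.exe", "cmd.exe /c whoami /groups"),                 # bypass payload
    pr2("eventvwr.exe", "mmc.exe",
        r"C:\Windows\system32\mmc.exe C:\Windows\system32\eventvwr.msc /s"),      # legitimate Event Viewer
    pr2("msconfig.exe", "conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0x4"),  # benign child
    pr2("svchost.exe", "dllhost.exe",
        r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
    pr2("cmd.exe", "cmstp.exe", r"cmstp.exe /ni /s C:\Users\Public\setup.inf"),   # INF-driven cmstp
    pr2("cmd.exe", "cmstp.exe", r"cmstp.exe /?"),                                  # no INF, ignored
    reg(r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001_Classes\ms-settings\shell\open\command"),
    reg(r"\REGISTRY\MACHINE\SOFTWARE\Classes\ms-settings\shell\open\command"),     # HKLM, not a bypass
]


def run(events=SAMPLE_EVENTS):
    """Emit (ComputerName, DetectionType) pairs, mirroring the CQL table() output."""
    return [(e["ComputerName"], d) for e in events for d in classify(e)]


if __name__ == "__main__":
    for host, detection in run():
        print(host, detection)
```

Running the script prints five rows: the fodhelper.exe to cmd.exe event matches both Part 1 and Part 4, the dllhost.exe surrogate and the INF-driven cmstp.exe each match Part 3, and the HKCU ms-settings write matches Part 2. The legitimate Event Viewer launch, the conhost.exe child, the bare cmstp.exe invocation and the HKLM write produce nothing, which is the behaviour to preserve when tuning the live query.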

Data Sources

CrowdStrike Falcon Endpoint Protection
Falcon Sensor — ProcessRollup2
Falcon Sensor — RegSetValue

Required Tables

#event_simpleName=ProcessRollup2
#event_simpleName=RegSetValue

False Positives & Tuning

  • Event Viewer launches mmc.exe every time it is opened; make sure the eventvwr.exe to mmc.exe pair is excluded from Part 1 or every legitimate Event Viewer start will alert
  • Interactive administration through mmc.exe and msconfig.exe, both of which are on the Part 1 parent list and routinely launch helper processes; scope Part 1 to non-administrative UserName values or baseline the children these consoles spawn in your estate
  • Falcon sensor itself or CrowdStrike maintenance processes that spawn child processes from system utilities on the UAC bypass binary list during sensor updates or policy enforcement
  • Corporate software packaging tools (e.g., Flexera AdminStudio, Advanced Installer) that use sdclt.exe or computerdefaults.exe as part of MSI transform or compatibility shim testing
  • IT helpdesk remote control or scripting tools (e.g., PDQ Deploy, Kace) that invoke UAC auto-elevated binaries as launcher stubs when deploying software to endpoints without user interaction
  • Part 2 should be close to silent: legitimate software has no reason to register ms-settings, mscfile or exefile runas handlers under a user's HKCU\Software\Classes, so any hit there deserves a look at the writing ImageFileName before it is tuned out

Testing Methodology

Validate this detection with the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect. The expected signals are written in Sysmon and Windows Security log terms; in Falcon telemetry the process creations surface as ProcessRollup2 events and the registry writes as the RegSetValue events the query consumes.

  1. Test 1: UAC Bypass via eventvwr.exe (Registry Hijacking)

    Expected signal: Sysmon EventCode 13 (RegistryValueSet) at HKCU\Software\Classes\mscfile\shell\open\command, then Sysmon EventCode 1 for eventvwr.exe followed by calc.exe (or cmd.exe) spawned with a High integrity level, and Security Event 4688 for calc.exe at high integrity. Query Parts 1 and 2 should fire; Part 4 fires only if the payload is cmd.exe or powershell.exe.

  2. Test 2: UAC Bypass via fodhelper.exe (ms-settings)

    Expected signal: Sysmon EventCode 12/13 for HKCU\Software\Classes\ms-settings\shell\open\command created with a cmd.exe value, then Sysmon EventCode 1 for fodhelper.exe spawning cmd.exe with a High integrity level. Query Parts 1, 2 and 4 should all fire, since the payload here is a shell.

  3. Test 3: Check UAC Configuration and Current Integrity Level

    Expected signal: Sysmon EventCode 1 for reg.exe and whoami.exe process creation. This test reads UAC settings and the current integrity level rather than bypassing UAC, so none of the four query parts should fire; use it to confirm that process telemetry is flowing from the host, not to validate the rule.
