T1548.002 IBM QRadar · QRadar

Detect Bypass User Account Control in IBM QRadar

Adversaries bypass Windows User Account Control (UAC) to execute code with elevated privileges without triggering user prompts. Common methods include: eventvwr.exe hijacking (ZeroT, Koadic), fodhelper.exe Registry key abuse (Saint Bot), sdclt.exe App Paths abuse (WarzoneRAT), CMSTPLUA COM interface (Avaddon), and DLL hijacking via auto-elevated applications (ShimRat via migwiz.exe). Used by BlackCat, LockBit 2.0/3.0, Cobalt Strike, DarkGate, Evilnum, APT37, APT38, BRONZE BUTLER, and many others. UACME documents 70+ bypass methods.

MITRE ATT&CK

Tactic: Privilege Escalation, Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.002 Bypass User Account Control
Canonical reference: https://attack.mitre.org/techniques/T1548/002/

QRadar Detection Query

IBM QRadar (AQL)

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  sourceip,
  "CommandLine",
  "ParentCommandLine",
  "Image",
  "ParentImage",
  "TargetObject",
  CASE
    WHEN LOWER("ParentImage") MATCHES '.*\\(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|pkgmgr|sysprep|osk|msconfig|mmc|eudcedit|charmap|colorcpl)\.exe$'
      AND NOT LOWER("Image") MATCHES '.*\\(conhost|werfault|dwm)\.exe$'
      AND QIDNAME(qid) LIKE '%Process Create%'
      THEN 'UAC_Auto_Elevate_Child_Spawn'
    WHEN (LOWER("TargetObject") LIKE '%\\software\\classes\\ms-settings%'
      OR LOWER("TargetObject") LIKE '%\\software\\classes\\mscfile%'
      OR LOWER("TargetObject") LIKE '%\\classes\\exefile\\shell\\runas%'
      OR LOWER("TargetObject") LIKE '%\\app paths\\control.exe%')
      AND (LOWER("TargetObject") LIKE '%hkcu%'
        OR LOWER("TargetObject") LIKE '%hku\\s-1-5-21-%'
        OR LOWER("TargetObject") LIKE '%\\registry\\user\\s-1-5-21-%')
      THEN 'UAC_Bypass_Registry_HKCU'
    WHEN LOWER("Image") LIKE '%\\cmstp.exe'
      OR (LOWER("Image") LIKE '%\\dllhost.exe' AND LOWER("CommandLine") LIKE '%3e5fc7f9-9a51-4367-9063-a120244fbec7%')
      THEN 'UAC_CMSTPLUA_COM_Elevation'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (
      LOWER("ParentImage") MATCHES '.*\\(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|pkgmgr|sysprep|osk|msconfig|mmc|eudcedit|charmap|colorcpl)\.exe$'
      AND NOT LOWER("Image") MATCHES '.*\\(conhost|werfault|dwm)\.exe$'
    )
    OR (
      (LOWER("TargetObject") LIKE '%ms-settings%' OR LOWER("TargetObject") LIKE '%mscfile%'
        OR LOWER("TargetObject") LIKE '%exefile%runas%' OR LOWER("TargetObject") LIKE '%app paths%control%')
      AND (LOWER("TargetObject") LIKE '%hkcu%'
        OR LOWER("TargetObject") LIKE '%hku\\s-1-5-21-%'
        OR LOWER("TargetObject") LIKE '%\\registry\\user\\s-1-5-21-%')
    )
    OR LOWER("Image") LIKE '%\\cmstp.exe'
    OR (LOWER("Image") LIKE '%\\dllhost.exe' AND LOWER("CommandLine") LIKE '%3e5fc7f9-9a51-4367-9063-a120244fbec7%')
  )
ORDER BY devicetime DESC
LAST 24 HOURS
```

Severity: high. Confidence: medium.

Notes on the query: AQL `LIKE` and `MATCHES` are case-sensitive, so every pattern compared against a `LOWER(...)` column must itself be lowercase (the original `WerFault`, `\\Software\\Classes`, `App Paths` and uppercase CLSID patterns could never match). The time window uses AQL's `LAST 24 HOURS` clause, which is placed after `ORDER BY`. The auto-elevating parent list is the same in the `CASE` and the `WHERE` clause, so every row returned can be labelled.

AQL query for QRadar that correlates Sysmon or Windows Security event log data to detect UAC bypass patterns: auto-elevating binaries spawning unexpected child processes, per-user registry key manipulation at known UAC bypass paths, and CMSTPLUA COM interface abuse via cmstp.exe or dllhost.exe with the CMSTPLUA CLSID argument. Sysmon reports a user hive as HKU\<SID> and Security event 4657 as \REGISTRY\USER\<SID> rather than a literal HKCU, so the registry clause matches those forms as well.
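To exercise the three classification branches outside QRadar, for instance against exported Sysmon JSON while tuning the rule, here is an added Python reimplementation of the same logic; it is not part of this detection page or of QRadar, the event field names follow Sysmon's JSON and the sample events are constructed. Like the query, it accepts the HKU\<SID> and \REGISTRY\USER\<SID> hive prefixes in addition to HKCU.

```python
import re

# Auto-elevating parents and the benign children excluded by the AQL query above.
AUTO_ELEVATE = re.compile(
    r"\\(eventvwr|fodhelper|sdclt|cmstp|migwiz|wsreset|computerdefaults|slui|pkgmgr"
    r"|sysprep|osk|msconfig|mmc|eudcedit|charmap|colorcpl)\.exe$", re.I)
BENIGN_CHILD = re.compile(r"\\(conhost|werfault|dwm)\.exe$", re.I)
# Registry paths abused by the ms-settings, mscfile, exefile runas and App Paths variants.
REG_PATHS = (r"\software\classes\ms-settings", r"\software\classes\mscfile",
             r"\classes\exefile\shell\runas", r"\app paths\control.exe")
# Sysmon logs a user hive as HKU\<SID>, Security 4657 as \REGISTRY\USER\<SID>; HKCU is rarely literal.
USER_HIVE = re.compile(r"^(hkcu|hku\\s-1-5-21-|\\registry\\user\\s-1-5-21-)", re.I)
CMSTPLUA_CLSID = "3e5fc7f9-9a51-4367-9063-a120244fbec7"

def classify(event):
    """Return the detection label for one Sysmon event dict, or None if it is clean."""
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "").lower()
    target = event.get("TargetObject", "")
    if eid == 1 and AUTO_ELEVATE.search(parent) and not BENIGN_CHILD.search(image):
        return "UAC_Auto_Elevate_Child_Spawn"
    if eid in (12, 13) and USER_HIVE.match(target) and any(p in target.lower() for p in REG_PATHS):
        return "UAC_Bypass_Registry_HKCU"
    if image.endswith("\\cmstp.exe") or (image.endswith("\\dllhost.exe") and CMSTPLUA_CLSID in cmdline):
        return "UAC_CMSTPLUA_COM_Elevation"
    return None

# Constructed sample events (not real telemetry) in the shape of Sysmon JSON.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-1001-1002-1103\Software\Classes\ms-settings\shell\open\command\(Default)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\ms-settings\shell\open\command\(Default)"},
]

def run(events=SAMPLE_EVENTS):
    """Classify every event; None entries are the ones the query would not surface."""
    return [classify(e) for e in events]
```

The conhost child of eventvwr.exe and the HKLM write are the two deliberate non-hits, mirroring the exclusions in the query.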

Data Sources

  • Microsoft Windows Security Event Log
  • Sysmon via QRadar DSM
  • Windows Sysmon

Required Tables

events

False Positives & Tuning

  • Enterprise software deployment tools (SCCM, Intune) that legitimately write to App Paths or ms-settings registry locations during managed installs
  • Windows OS upgrade processes (e.g., Windows Anytime Upgrade, Feature Updates) that use migwiz.exe or sysprep.exe and spawn helper child processes
  • Legitimate administrative scripts run by IT staff that call computerdefaults.exe or wsreset.exe during workstation provisioning or troubleshooting

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: UAC Bypass via eventvwr.exe (Registry Hijacking)

    Expected signal: Sysmon EventCode 13: RegistryValueSet at HKCU\Software\Classes\mscfile\shell\open\command. Sysmon EventCode 1: eventvwr.exe process, followed by calc.exe (or cmd.exe) spawned with High integrity level. Security Event 4688 for calc.exe with high integrity.

  2. Test 2: UAC Bypass via fodhelper.exe (ms-settings)

    Expected signal: Sysmon EventCode 12/13: HKCU\Software\Classes\ms-settings\shell\open\command created with cmd.exe value. Sysmon EventCode 1: fodhelper.exe spawning cmd.exe with High integrity level.

  3. Test 3: Check UAC Configuration and Current Integrity Level

    Expected signal: Sysmon EventCode 1: reg.exe and whoami.exe process creation.
