T1548.004 Elevated Execution with Prompt Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1548.004 — Elevated Execution with Prompt (macOS)
// Requires macOS endpoints in Defender for Endpoint
// Part 1: Detect processes spawned with elevated privileges from unexpected parents
let ElevatedExecPrompt = DeviceProcessEvents
| where Timestamp > ago(24h)
| where DeviceName has_any ("mac", "osx", "darwin") // Filter macOS endpoints
| where AccountName =~ "root"
| where InitiatingProcessFileName !in~ ("sudo", "launchd", "SecurityAgent", "authd")
| where FolderPath has_any ("/tmp/", "/var/folders/", "/Users/", "/Downloads/")
| extend DetectionType = "Elevated_Exec_Non_Standard_Path"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, DetectionType;
// Part 2: Detect AuthorizationExecuteWithPrivileges API usage pattern
let AuthExecWithPriv = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("AuthorizationExecuteWithPrivileges",
                                    "osascript.*administrator",
                                    "do shell script.*password",
                                    "with administrator privileges")
| extend DetectionType = "AuthExecWithPriv_API_Usage"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, DetectionType;
// Part 3: Detect osascript requesting elevated execution
let OsascriptPriv = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "osascript"
| where ProcessCommandLine has_any ("administrator privileges", "with password",
                                    "do shell script", "administrator")
| extend DetectionType = "Osascript_Admin_Exec"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union ElevatedExecPrompt, AuthExecWithPriv, OsascriptPriv
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint (macOS)

Required Tables

DeviceProcessEvents

False Positives

Legitimate applications that use AuthorizationExecuteWithPrivileges for installation or update (though this API is deprecated, some older apps still use it)
IT management software using osascript with admin privileges for system configuration
Authorized scripting tools that use AppleScript elevation for legitimate administrative tasks
Some legitimate macOS installer packages that request elevation during installation

Splunk

spl

index=mac_logs (sourcetype="macos:syslog" OR sourcetype="macos:unified_log" OR sourcetype="syslog")
| eval detection_type=case(
    match(_raw, "(?i)(AuthorizationExecuteWithPrivileges|AuthExecWithPrivileges)"),
      "AuthExecWithPriv_API_Usage",
    match(_raw, "(?i)osascript") AND
      match(_raw, "(?i)(administrator privileges|do shell script|with administrator)"),
      "Osascript_Admin_Request",
    match(_raw, "(?i)(SecurityAgent|SecurityAgentPlugin)") AND
      match(_raw, "(?i)(authoriz|elevation)"),
      "SecurityAgent_Authorization_Request",
    true(), null()
  )
| where isnotnull(detection_type)
| table _time, host, user, detection_type, _raw
| sort - _time

medium severity low confidence

Data Sources

Process: Process Creation macOS Unified Log macOS Syslog

Required Sourcetypes

macos:syslog macos:unified_log syslog

False Positives

Legacy applications using deprecated authorization API for legitimate elevation
AppleScript automation with documented administrative use cases
macOS installer packages requesting authorized elevation

Elastic Security (EQL)

eql

process where event.type == "start" and
  host.os.type == "macos" and
  (
    (process.name : ("osascript","python*","perl","ruby","bash","sh","zsh") and
     process.args : ("*do shell script*","*with administrator privileges*","*AuthorizationExecuteWithPrivileges*")) or
    (process.parent.name : ("SecurityAgent","SecurityAgentPlugin","Installer","syspolicyd") and
     process.name : ("bash","sh","zsh","python*","perl","ruby","curl","wget") and
     not process.executable : ("/System/*","/usr/bin/*","/bin/*","/Applications/Xcode*"))
  )

high severity medium confidence

Data Sources

macOS Process Events

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate applications that use AuthorizationExecuteWithPrivileges for installation or update (though this API is deprecated, some older apps still use it)
IT management software using osascript with admin privileges for system configuration
Authorized scripting tools that use AppleScript elevation for legitimate administrative tasks
Some legitimate macOS installer packages that request elevation during installation

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine,
  "ParentImage" as ParentProcess,
  CASE WHEN "CommandLine" ILIKE '%AuthorizationExecuteWithPrivileges%' THEN 10
       WHEN "ParentImage" ILIKE '%SecurityAgent%' THEN 9
       WHEN "CommandLine" ILIKE '%do shell script%with administrator privileges%' THEN 9
       ELSE 6 END as RiskScore
FROM events
WHERE eventid = 1
  AND (
    ("CommandLine" ILIKE '%AuthorizationExecuteWithPrivileges%' OR
     "CommandLine" ILIKE '%do shell script%administrator%')
    OR ("ParentImage" ILIKE '%SecurityAgent%' AND
        LOWER("Image") LIKE ANY ('%/bash%','%/sh%','%/python%','%/curl%','%/wget%') AND
        "Image" NOT LIKE '/System/%' AND "Image" NOT LIKE '/usr/bin/%')
  )
ORDER BY EventTime DESC

high severity medium confidence

Data Sources

Sysmon for macOS macOS Unified Log

Required Tables

events

False Positives

Legitimate applications that use AuthorizationExecuteWithPrivileges for installation or update (though this API is deprecated, some older apps still use it)
IT management software using osascript with admin privileges for system configuration
Authorized scripting tools that use AppleScript elevation for legitimate administrative tasks
Some legitimate macOS installer packages that request elevation during installation

Sumo Logic CSE

sql

_sourceCategory=macos/endpoint
| json auto
| where EventID == "1"
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval ParentLower = toLower(coalesce(ParentImage,""))
| eval ImageLower = toLower(coalesce(Image,""))
| eval is_elevated_exec = if(
    CmdLower matches "(authorizationexecutewithprivileges|do shell script.*administrator|with administrator privileges)",
    1, 0)
| eval is_suspicious_parent = if(
    ParentLower matches "(securityagent|securityagentplugin|syspolicyd)" AND
    ImageLower matches "(bash|sh|zsh|python|perl|ruby|curl|wget)$" AND
    !ImageLower matches "^(/system/|/usr/bin/|/bin/)",
    1, 0)
| where is_elevated_exec == 1 OR is_suspicious_parent == 1
| table _time, Computer, User, Image, CommandLine, ParentImage, is_elevated_exec, is_suspicious_parent
| sort by _time desc

high severity medium confidence

Data Sources

macOS Endpoint Events via Sumo Logic

Required Tables

macos/endpoint

False Positives

Legitimate applications that use AuthorizationExecuteWithPrivileges for installation or update (though this API is deprecated, some older apps still use it)
IT management software using osascript with admin privileges for system configuration
Authorized scripting tools that use AppleScript elevation for legitimate administrative tasks
Some legitimate macOS installer packages that request elevation during installation

Google Chronicle / SecOps

yaral

rule macos_elevated_execution_prompt {
  meta:
    author = "Detection Engineering"
    description = "Detects macOS elevated execution via authorization prompts (T1548.004)"
    severity = "HIGH"
    tactic = "TA0004"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.asset.platform_software.platform = "MAC"
    (
      re.regex($e.target.process.command_line, `(?i)(AuthorizationExecuteWithPrivileges|do shell script.*administrator|with administrator privileges)`) nocase or
      (re.regex($e.principal.process.file.full_path, `(?i)(SecurityAgent|syspolicyd)`) nocase and
       re.regex($e.target.process.file.full_path, `(?i)(bash|sh|zsh|python|perl|ruby|curl|wget)$`) nocase)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

macOS Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate applications that use AuthorizationExecuteWithPrivileges for installation or update (though this API is deprecated, some older apps still use it)
IT management software using osascript with admin privileges for system configuration
Authorized scripting tools that use AppleScript elevation for legitimate administrative tasks
Some legitimate macOS installer packages that request elevation during installation

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| PlatformType = "3"
| (CommandLine = /AuthorizationExecuteWithPrivileges|do shell script.*administrator/i
   OR (ParentBaseFileName = /SecurityAgent|syspolicyd/i
       AND ImageFileName = /(bash|sh|zsh|python|perl|ruby|curl|wget)$/i))
| eval risk = case {
    CommandLine = /AuthorizationExecuteWithPrivileges/i : "critical";
    ParentBaseFileName = /SecurityAgent/i : "high";
    * : "medium"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, risk
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events (macOS)

Required Tables

ProcessRollup2

False Positives

Legitimate applications that use AuthorizationExecuteWithPrivileges for installation or update (though this API is deprecated, some older apps still use it)
IT management software using osascript with admin privileges for system configuration
Authorized scripting tools that use AppleScript elevation for legitimate administrative tasks
Some legitimate macOS installer packages that request elevation during installation

Elevated Execution with Prompt

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections