T1548.004 Elastic Security · Elastic

Detect Elevated Execution with Prompt in Elastic Security

Adversaries exploit the macOS AuthorizationExecuteWithPrivileges API to request elevated execution with a user credential prompt. Applications calling this deprecated API can escalate privileges by prompting users for their admin password. The API does not validate that the requesting binary is authorized to request elevation, allowing malicious applications to leverage it. ProtonB malware used this technique. The API has been deprecated by Apple but remains available for compatibility.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion
Technique
T1548 Abuse Elevation Control Mechanism
Sub-technique
T1548.004 Elevated Execution with Prompt
Canonical reference
https://attack.mitre.org/techniques/T1548/004/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and
  host.os.type == "macos" and
  (
    (process.name : ("osascript","python*","perl","ruby","bash","sh","zsh") and
     process.args : ("*do shell script*","*with administrator privileges*","*AuthorizationExecuteWithPrivileges*")) or
    (process.parent.name : ("SecurityAgent","SecurityAgentPlugin","Installer","syspolicyd") and
     process.name : ("bash","sh","zsh","python*","perl","ruby","curl","wget") and
     not process.executable : ("/System/*","/usr/bin/*","/bin/*","/Applications/Xcode*"))
  )
high severity medium confidence

Detects macOS elevated execution via authorization prompts, AuthorizationExecuteWithPrivileges, and unexpected processes spawned from security agents.

Data Sources

macOS Process Events

Required Tables

logs-endpoint.events.process-*

False Positives & Tuning

  • Legitimate applications that use AuthorizationExecuteWithPrivileges for installation or update (though this API is deprecated, some older apps still use it)
  • IT management software using osascript with admin privileges for system configuration
  • Authorized scripting tools that use AppleScript elevation for legitimate administrative tasks
  • Some legitimate macOS installer packages that request elevation during installation
Download portable Sigma rule (.yml)

Other platforms for T1548.004

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Execute Command with Administrator Privileges via osascript

    Expected signal: macOS Unified Log: SecurityAgent authorization request from osascript. Syslog: osascript process with administrator privileges in command. If approved: root-owned process for whoami.

  2. Test 2Check AuthorizationExecuteWithPrivileges Usage in Running Processes

    Expected signal: macOS log command execution. No system changes.

  3. Test 3Test Gatekeeper and Authorization Status

    Expected signal: Process creation for spctl and csrutil commands. macOS unified log entries.

Last updated: 2026-03-11 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1548.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1548Abuse Elevation Control Mechanism

Related Sub-techniques

T1548.001Setuid and SetgidT1548.002Bypass User Account ControlT1548.003Sudo and Sudo CachingT1548.005Temporary Elevated Cloud AccessT1548.006TCC Manipulation

Related Techniques

T1548Abuse Elevation Control MechanismT1548.001Setuid and SetgidT1543.001Launch AgentT1543.004Launch DaemonT1204.002Malicious FileT1553.001Gatekeeper Bypass

Same Tactic: Privilege Escalation

Popular Detections