Detect Elevated Execution with Prompt in IBM QRadar
Adversaries exploit the macOS AuthorizationExecuteWithPrivileges API to request elevated execution with a user credential prompt. Applications calling this deprecated API can escalate privileges by prompting users for their admin password. The API does not validate that the requesting binary is authorized to request elevation, allowing malicious applications to leverage it. ProtonB malware used this technique. The API has been deprecated by Apple but remains available for compatibility.
MITRE ATT&CK
- Technique
- T1548 Abuse Elevation Control Mechanism
- Sub-technique
- T1548.004 Elevated Execution with Prompt
- Canonical reference
- https://attack.mitre.org/techniques/T1548/004/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
logsourcename(logsourceid) as LogSource, username as User,
"Image" as ProcessImage, "CommandLine" as CommandLine,
"ParentImage" as ParentProcess,
CASE WHEN "CommandLine" ILIKE '%AuthorizationExecuteWithPrivileges%' THEN 10
WHEN "ParentImage" ILIKE '%SecurityAgent%' THEN 9
WHEN "CommandLine" ILIKE '%do shell script%with administrator privileges%' THEN 9
ELSE 6 END as RiskScore
FROM events
WHERE eventid = 1
AND (
("CommandLine" ILIKE '%AuthorizationExecuteWithPrivileges%' OR
"CommandLine" ILIKE '%do shell script%administrator%')
OR ("ParentImage" ILIKE '%SecurityAgent%' AND
LOWER("Image") LIKE ANY ('%/bash%','%/sh%','%/python%','%/curl%','%/wget%') AND
"Image" NOT LIKE '/System/%' AND "Image" NOT LIKE '/usr/bin/%')
)
ORDER BY EventTime DESCDetects macOS elevated execution with prompt patterns in QRadar using Sysmon for macOS events.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate applications that use AuthorizationExecuteWithPrivileges for installation or update (though this API is deprecated, some older apps still use it)
- IT management software using osascript with admin privileges for system configuration
- Authorized scripting tools that use AppleScript elevation for legitimate administrative tasks
- Some legitimate macOS installer packages that request elevation during installation
Other platforms for T1548.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Execute Command with Administrator Privileges via osascript
Expected signal: macOS Unified Log: SecurityAgent authorization request from osascript. Syslog: osascript process with administrator privileges in command. If approved: root-owned process for whoami.
- Test 2Check AuthorizationExecuteWithPrivileges Usage in Running Processes
Expected signal: macOS log command execution. No system changes.
- Test 3Test Gatekeeper and Authorization Status
Expected signal: Process creation for spctl and csrutil commands. macOS unified log entries.
References (4)
- https://attack.mitre.org/techniques/T1548/004/
- https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg
- https://www.welivesecurity.com/2017/07/20/osx-proton-new-mac-malware-signed-handbrake/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.004/T1548.004.md
Unlock Pro Content
Get the full detection package for T1548.004 including response playbook, investigation guide, and atomic red team tests.