T1548.004 Microsoft Sentinel · KQL

Detect Elevated Execution with Prompt in Microsoft Sentinel

Adversaries exploit the macOS AuthorizationExecuteWithPrivileges API to request elevated execution with a user credential prompt. Applications calling this deprecated API can escalate privileges by prompting users for their admin password. The API does not validate that the requesting binary is authorized to request elevation, allowing malicious applications to leverage it. ProtonB malware used this technique. The API has been deprecated by Apple but remains available for compatibility.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion
Technique
T1548 Abuse Elevation Control Mechanism
Sub-technique
T1548.004 Elevated Execution with Prompt
Canonical reference
https://attack.mitre.org/techniques/T1548/004/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1548.004 — Elevated Execution with Prompt (macOS)
// Requires macOS endpoints in Defender for Endpoint
// Part 1: Detect processes spawned with elevated privileges from unexpected parents
let ElevatedExecPrompt = DeviceProcessEvents
| where Timestamp > ago(24h)
| where DeviceName has_any ("mac", "osx", "darwin") // Filter macOS endpoints
| where AccountName =~ "root"
| where InitiatingProcessFileName !in~ ("sudo", "launchd", "SecurityAgent", "authd")
| where FolderPath has_any ("/tmp/", "/var/folders/", "/Users/", "/Downloads/")
| extend DetectionType = "Elevated_Exec_Non_Standard_Path"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, DetectionType;
// Part 2: Detect AuthorizationExecuteWithPrivileges API usage pattern
let AuthExecWithPriv = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("AuthorizationExecuteWithPrivileges",
                                    "osascript.*administrator",
                                    "do shell script.*password",
                                    "with administrator privileges")
| extend DetectionType = "AuthExecWithPriv_API_Usage"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, DetectionType;
// Part 3: Detect osascript requesting elevated execution
let OsascriptPriv = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "osascript"
| where ProcessCommandLine has_any ("administrator privileges", "with password",
                                    "do shell script", "administrator")
| extend DetectionType = "Osascript_Admin_Exec"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union ElevatedExecPrompt, AuthExecWithPriv, OsascriptPriv
| sort by Timestamp desc
high severity medium confidence

Three-part detection for macOS Elevated Execution with Prompt. Part 1 detects root-context process execution from non-standard paths (user-writable directories) where elevated execution was prompted. Part 2 catches direct references to AuthorizationExecuteWithPrivileges or related AppleScript admin execution strings. Part 3 detects osascript commands requesting administrator privileges via 'do shell script with administrator privileges'.

Data Sources

Process: Process CreationMicrosoft Defender for Endpoint (macOS)

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate applications that use AuthorizationExecuteWithPrivileges for installation or update (though this API is deprecated, some older apps still use it)
  • IT management software using osascript with admin privileges for system configuration
  • Authorized scripting tools that use AppleScript elevation for legitimate administrative tasks
  • Some legitimate macOS installer packages that request elevation during installation
Download portable Sigma rule (.yml)

Other platforms for T1548.004

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Execute Command with Administrator Privileges via osascript

    Expected signal: macOS Unified Log: SecurityAgent authorization request from osascript. Syslog: osascript process with administrator privileges in command. If approved: root-owned process for whoami.

  2. Test 2Check AuthorizationExecuteWithPrivileges Usage in Running Processes

    Expected signal: macOS log command execution. No system changes.

  3. Test 3Test Gatekeeper and Authorization Status

    Expected signal: Process creation for spctl and csrutil commands. macOS unified log entries.

Last updated: 2026-03-11 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1548.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1548Abuse Elevation Control Mechanism

Related Sub-techniques

T1548.001Setuid and SetgidT1548.002Bypass User Account ControlT1548.003Sudo and Sudo CachingT1548.005Temporary Elevated Cloud AccessT1548.006TCC Manipulation

Related Techniques

T1548Abuse Elevation Control MechanismT1548.001Setuid and SetgidT1543.001Launch AgentT1543.004Launch DaemonT1204.002Malicious FileT1553.001Gatekeeper Bypass

Same Tactic: Privilege Escalation

Popular Detections