Which SIEM platforms have a T1548.004 detection rule?

df00tech provides T1548.004 (Elevated Execution with Prompt) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Elevated Execution with Prompt (T1548.004)?

Detecting Elevated Execution with Prompt requires the following data sources: Process: Process Creation, Microsoft Defender for Endpoint (macOS).

What severity and confidence is the T1548.004 detection?

The T1548.004 detection is rated high severity with medium confidence.

What are common false positives for T1548.004?

Common false positives for T1548.004 include: Legitimate applications that use AuthorizationExecuteWithPrivileges for installation or update (though this API is deprecated, some older apps still use it); IT management software using osascript with admin privileges for system configuration; Authorized scripting tools that use AppleScript elevation for legitimate administrative tasks.

T1548.004 Splunk · SPL

Detect Elevated Execution with Prompt in Splunk

Adversaries exploit the macOS AuthorizationExecuteWithPrivileges API to request elevated execution with a user credential prompt. Applications calling this deprecated API can escalate privileges by prompting users for their admin password. The API does not validate that the requesting binary is authorized to request elevation, allowing malicious applications to leverage it. ProtonB malware used this technique. The API has been deprecated by Apple but remains available for compatibility.

MITRE ATT&CK

Tactic: Privilege Escalation Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.004 Elevated Execution with Prompt
Canonical reference: https://attack.mitre.org/techniques/T1548/004/

SPL Detection Query

Splunk (SPL)

spl

index=mac_logs (sourcetype="macos:syslog" OR sourcetype="macos:unified_log" OR sourcetype="syslog")
| eval detection_type=case(
    match(_raw, "(?i)(AuthorizationExecuteWithPrivileges|AuthExecWithPrivileges)"),
      "AuthExecWithPriv_API_Usage",
    match(_raw, "(?i)osascript") AND
      match(_raw, "(?i)(administrator privileges|do shell script|with administrator)"),
      "Osascript_Admin_Request",
    match(_raw, "(?i)(SecurityAgent|SecurityAgentPlugin)") AND
      match(_raw, "(?i)(authoriz|elevation)"),
      "SecurityAgent_Authorization_Request",
    true(), null()
  )
| where isnotnull(detection_type)
| table _time, host, user, detection_type, _raw
| sort - _time

medium severity low confidence

Detects macOS elevated execution via syslog and unified log entries. AuthorizationExecuteWithPrivileges API usage in log entries, osascript commands requesting administrator privileges, and SecurityAgent authorization requests indicate potential elevation prompt abuse.

Data Sources

Process: Process CreationmacOS Unified LogmacOS Syslog

Required Sourcetypes

macos:syslogmacos:unified_logsyslog

False Positives & Tuning

Legacy applications using deprecated authorization API for legitimate elevation
AppleScript automation with documented administrative use cases
macOS installer packages requesting authorized elevation

Download portable Sigma rule (.yml)

Other platforms for T1548.004

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Execute Command with Administrator Privileges via osascript
Expected signal: macOS Unified Log: SecurityAgent authorization request from osascript. Syslog: osascript process with administrator privileges in command. If approved: root-owned process for whoami.
Test 2Check AuthorizationExecuteWithPrivileges Usage in Running Processes
Expected signal: macOS log command execution. No system changes.
Test 3Test Gatekeeper and Authorization Status
Expected signal: Process creation for spctl and csrutil commands. macOS unified log entries.

Last updated: 2026-03-11 Research depth: deep

References (4)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1548.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Elevated Execution with Prompt in Splunk

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1548.004

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1548.004

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

Get new detections in your inbox