T1548 Google Chronicle · YARA-L

Detect Abuse Elevation Control Mechanism in Google Chronicle

Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms intended to limit privileges a user can perform. Adversaries exploit these mechanisms across Windows (UAC bypass via auto-elevate binaries, COM object hijacking, DLL side-loading into elevated processes), Linux (setuid/setgid bit abuse, sudo misconfiguration, pkexec exploitation), macOS (TCC database manipulation, Elevated Execution with Prompt), and cloud environments (temporary role assumption, IAM privilege escalation). Real-world actors including UNC3886 and malware like Raspberry Robin have weaponized these techniques to gain SYSTEM or root access without triggering standard UAC consent dialogs.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion
Technique
T1548 Abuse Elevation Control Mechanism
Canonical reference
https://attack.mitre.org/techniques/T1548/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule uac_bypass_autoelevate_child_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects UAC bypass via auto-elevate binaries spawning suspicious shell or scripting child processes (T1548.002)"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1548"
    mitre_attack_subtechnique = "T1548.002"
    severity = "HIGH"
    priority = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path = /(?i)(fodhelper|eventvwr|sdclt|cmstp|computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\.exe$/
    $proc.target.process.file.full_path = /(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\.exe$/
    $proc.principal.hostname = $hostname

  condition:
    $proc
}

rule uac_bypass_registry_hijack_prep {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects registry key writes to ms-settings or mscfile shell open command paths used in fodhelper/eventvwr UAC bypass (T1548.002)"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1548"
    mitre_attack_subtechnique = "T1548.002"
    severity = "CRITICAL"
    priority = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      $reg.target.registry.registry_key = /(?i).*\\Software\\Classes\\ms-settings\\shell\\open\\command.*/ or
      $reg.target.registry.registry_key = /(?i).*\\Software\\Classes\\mscfile\\shell\\open\\command.*/
    )
    $reg.principal.hostname = $hostname

  condition:
    $reg
}

rule linux_setuid_sudo_privilege_escalation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Linux privilege escalation via setuid bit manipulation or interactive sudo shell spawning by non-privileged accounts (T1548.001 / T1548.003)"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1548"
    mitre_attack_subtechnique = "T1548.001"
    severity = "HIGH"
    priority = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $linux.metadata.event_type = "PROCESS_LAUNCH"
    $linux.principal.platform = "LINUX"
    (
      $linux.target.process.command_line = /(?i).*(chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755).*/  or
      (
        $linux.target.process.file.full_path = /(?i).*\/sudo$/ and
        $linux.target.process.command_line = /(?i)sudo\s+(-s|su|bash|sh|\/bin\/(bash|sh)|python[23]?|perl|ruby).*/
      ) or
      $linux.target.process.file.full_path = /(?i).*\/(pkexec|doas)$/
    )
    not $linux.principal.user.userid = "root"
    not $linux.principal.user.userid = "daemon"
    not $linux.principal.user.userid = "nobody"
    $linux.principal.hostname = $hostname

  condition:
    $linux
}
high severity high confidence

Three complementary Chronicle YARA-L 2.0 rules detecting abuse of elevation control mechanisms (T1548): Rule 1 matches PROCESS_LAUNCH events where a known UAC auto-elevate binary (18 binaries including fodhelper, eventvwr, sdclt, cmstp) spawns a shell or scripting interpreter child process. Rule 2 matches REGISTRY_MODIFICATION events targeting ms-settings or mscfile shell open command paths used in registry-based UAC hijacks. Rule 3 detects Linux setuid bit manipulation and interactive sudo shell invocations by non-system accounts. All rules use UDM field model with principal (parent/actor) and target (child/object) semantics.

Data Sources

Google Chronicle UDM (PROCESS_LAUNCH events from Windows endpoint agents)Google Chronicle UDM (REGISTRY_MODIFICATION events from Windows endpoint agents)Google Chronicle UDM (PROCESS_LAUNCH events from Linux endpoint agents)

Required Tables

UDM events (PROCESS_LAUNCH)UDM events (REGISTRY_MODIFICATION)

False Positives & Tuning

  • Authorized IT management tooling that invokes colorcpl.exe, recdisc.exe, or msconfig.exe as part of OS hardening scripts and spawns cmd.exe for configuration validation steps
  • Enterprise software packaging tools (WiX, NSIS, InstallShield) that use dism.exe or wusa.exe as parent processes for package extraction, potentially spawning msiexec.exe as a child
  • Linux system accounts performing authorized chmod operations on application binaries during deployment pipelines; tune the Linux rule by adding allowlist conditions for known CI/CD service account UIDs
Download portable Sigma rule (.yml)

Other platforms for T1548

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Fodhelper UAC Bypass — Registry Staging and Execution

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject containing HKCU\Software\Classes\ms-settings\shell\open\command, Details showing cmd.exe payload. Sysmon Event ID 1 (Process Create): Image=fodhelper.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1 again: ParentImage=fodhelper.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level — this is the UAC bypassed child. Security Event ID 4624 may show a new elevated token. MDE DeviceRegistryEvents will show ActionType=RegistryValueSet on the ms-settings key.

  2. Test 2Eventvwr UAC Bypass — mscfile COM Hijacking

    Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\mscfile\shell\open\command, Details=cmd.exe /c whoami /priv... Sysmon Event ID 1: Image=eventvwr.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1: ParentImage=eventvwr.exe, Image=cmd.exe, CommandLine containing whoami /priv, MandatoryLabel=High Mandatory Level. Security Event ID 4688 (if command line auditing enabled) with mandatory label showing High Integrity.

  3. Test 3Linux Setuid Bit Abuse — Copy Shell and Set SUID

    Expected signal: MDE DeviceProcessEvents (Linux): ProcessCommandLine containing 'chmod u+s /tmp/argus-suid-test'. Follow-on process event showing /tmp/argus-suid-test -p -c 'id; whoami' with AccountName of the test runner but effective UID of root in output. Linux audit log (auditd): SYSCALL records for chmod with mode=104755 (setuid+755), PATH record for the target file. /var/log/auth.log: sudo session opened for command /bin/chmod. Sysmon for Linux (if deployed): Event ID 1 showing chmod command, Event ID 1 showing suid binary execution.

  4. Test 4Sudo GTFOBins Privilege Escalation — Python Breakout

    Expected signal: Linux auth.log: sudo session opened for user root by testuser(uid=1000), COMMAND=/usr/bin/python3 -c import os... MDE DeviceProcessEvents (Linux): ProcessCommandLine='sudo python3 -c import os; os.setuid(0); os.system(id && whoami && cat /etc/shadow...' with AccountName=testuser. Auditd: SYSCALL setuid with uid=0 result=success from python3 process. The os.system('cat /etc/shadow') represents credential access following privilege escalation.

  5. Test 5sdclt UAC Bypass — Folder Shell Command Hijacking

    Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\Folder\shell\open\command, Details=cmd.exe /c whoami /groups... Sysmon Event ID 1: Image=sdclt.exe with ProcessCommandLine containing /kickoffelev. Sysmon Event ID 1: ParentImage=sdclt.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level. MDE DeviceRegistryEvents: ActionType=RegistryValueSet on the Folder\shell\open\command key. If UAC bypass succeeds, whoami /groups output will show 'Mandatory Label\High Mandatory Level Label'.

Last updated: 2026-04-20 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1548 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (6)

Related Techniques

T1548.001Setuid and SetgidT1548.002Bypass User Account ControlT1548.003Sudo and Sudo CachingT1548.004Elevated Execution with PromptT1548.005Temporary Elevated Cloud AccessT1548.006TCC ManipulationT1055Process InjectionT1218.011Rundll32T1543.003Windows ServiceT1053.005Scheduled TaskT1112Modify RegistryT1562.001Disable or Modify Tools

Same Tactic: Privilege Escalation

Popular Detections