Detect Abuse Elevation Control Mechanism in Elastic Security
Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms intended to limit privileges a user can perform. Adversaries exploit these mechanisms across Windows (UAC bypass via auto-elevate binaries, COM object hijacking, DLL side-loading into elevated processes), Linux (setuid/setgid bit abuse, sudo misconfiguration, pkexec exploitation), macOS (TCC database manipulation, Elevated Execution with Prompt), and cloud environments (temporary role assumption, IAM privilege escalation). Real-world actors including UNC3886 and malware like Raspberry Robin have weaponized these techniques to gain SYSTEM or root access without triggering standard UAC consent dialogs.
MITRE ATT&CK
- Technique
- T1548 Abuse Elevation Control Mechanism
- Canonical reference
- https://attack.mitre.org/techniques/T1548/
Elastic Detection Query
any where
(
/* UAC Bypass: auto-elevate binary spawning suspicious child process */
event.category == "process" and event.type == "start" and
process.parent.name : (
"fodhelper.exe", "eventvwr.exe", "sdclt.exe", "cmstp.exe",
"computerdefaults.exe", "slui.exe", "wsreset.exe", "dccw.exe",
"pkgmgr.exe", "wusa.exe", "infdefaultinstall.exe", "msconfig.exe",
"colorcpl.exe", "cliconfg.exe", "dism.exe", "eudcedit.exe",
"iexpress.exe", "ntprint.exe", "recdisc.exe"
) and
process.name : (
"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
"cscript.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
"certutil.exe", "bitsadmin.exe", "wmic.exe", "regasm.exe", "regsvcs.exe"
)
)
or
(
/* Fodhelper/EventVwr registry hijack: writing to ms-settings or mscfile shell open command */
event.category == "registry" and
event.type in ("creation", "change") and
(
registry.path : "*\\Software\\Classes\\ms-settings\\shell\\open\\command*" or
registry.path : "*\\Software\\Classes\\mscfile\\shell\\open\\command*"
)
)
or
(
/* Linux setuid abuse and sudo privilege escalation */
event.category == "process" and event.type == "start" and
host.os.type == "linux" and
(
process.command_line : ("*chmod +s*", "*chmod u+s*", "*chmod 4755*", "*chmod 4777*", "*chmod 6755*") or
(
process.name == "sudo" and
process.args : ("-s", "su", "bash", "sh", "/bin/bash", "/bin/sh", "python*", "perl*", "ruby*")
) or
process.name in ("pkexec", "doas")
) and
not user.name in ("root", "_apt", "daemon", "nobody")
)Detects abuse of elevation control mechanisms (T1548) across three behavioral patterns: (1) UAC bypass via auto-elevate Windows binaries spawning suspicious child processes such as cmd.exe or PowerShell, (2) registry key creation under ms-settings or mscfile shell\open\command paths used in fodhelper and eventvwr UAC hijacks, and (3) Linux privilege escalation via setuid bit manipulation or interactive sudo shell spawning by non-privileged accounts. Uses ECS fields from Elastic Endpoint or Winlogbeat/Auditbeat data streams.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators running PowerShell or CMD from management UIs (e.g., DISM-based imaging workflows) that legitimately inherit auto-elevate binary parent process chains
- Software deployment tools such as SCCM, PDQ Deploy, or Microsoft Intune that invoke fodhelper.exe or wusa.exe as part of sanctioned patch workflows and subsequently spawn shell processes
- Linux system administrators running 'sudo bash' or 'sudo -s' interactively for authorized maintenance tasks on managed servers; tune by excluding known admin accounts or source hosts
Other platforms for T1548
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Fodhelper UAC Bypass — Registry Staging and Execution
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject containing HKCU\Software\Classes\ms-settings\shell\open\command, Details showing cmd.exe payload. Sysmon Event ID 1 (Process Create): Image=fodhelper.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1 again: ParentImage=fodhelper.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level — this is the UAC bypassed child. Security Event ID 4624 may show a new elevated token. MDE DeviceRegistryEvents will show ActionType=RegistryValueSet on the ms-settings key.
- Test 2Eventvwr UAC Bypass — mscfile COM Hijacking
Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\mscfile\shell\open\command, Details=cmd.exe /c whoami /priv... Sysmon Event ID 1: Image=eventvwr.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1: ParentImage=eventvwr.exe, Image=cmd.exe, CommandLine containing whoami /priv, MandatoryLabel=High Mandatory Level. Security Event ID 4688 (if command line auditing enabled) with mandatory label showing High Integrity.
- Test 3Linux Setuid Bit Abuse — Copy Shell and Set SUID
Expected signal: MDE DeviceProcessEvents (Linux): ProcessCommandLine containing 'chmod u+s /tmp/argus-suid-test'. Follow-on process event showing /tmp/argus-suid-test -p -c 'id; whoami' with AccountName of the test runner but effective UID of root in output. Linux audit log (auditd): SYSCALL records for chmod with mode=104755 (setuid+755), PATH record for the target file. /var/log/auth.log: sudo session opened for command /bin/chmod. Sysmon for Linux (if deployed): Event ID 1 showing chmod command, Event ID 1 showing suid binary execution.
- Test 4Sudo GTFOBins Privilege Escalation — Python Breakout
Expected signal: Linux auth.log: sudo session opened for user root by testuser(uid=1000), COMMAND=/usr/bin/python3 -c import os... MDE DeviceProcessEvents (Linux): ProcessCommandLine='sudo python3 -c import os; os.setuid(0); os.system(id && whoami && cat /etc/shadow...' with AccountName=testuser. Auditd: SYSCALL setuid with uid=0 result=success from python3 process. The os.system('cat /etc/shadow') represents credential access following privilege escalation.
- Test 5sdclt UAC Bypass — Folder Shell Command Hijacking
Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\Folder\shell\open\command, Details=cmd.exe /c whoami /groups... Sysmon Event ID 1: Image=sdclt.exe with ProcessCommandLine containing /kickoffelev. Sysmon Event ID 1: ParentImage=sdclt.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level. MDE DeviceRegistryEvents: ActionType=RegistryValueSet on the Folder\shell\open\command key. If UAC bypass succeeds, whoami /groups output will show 'Mandatory Label\High Mandatory Level Label'.
References (13)
- https://attack.mitre.org/techniques/T1548/
- https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware
- https://www.sudo.ws/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md
- https://github.com/hfiref0x/UACME
- https://gtfobins.github.io/
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
- https://posts.specterops.io/a-brief-history-of-uac-bypasses-fce8a6a87b75
Unlock Pro Content
Get the full detection package for T1548 including response playbook, investigation guide, and atomic red team tests.