T1548 CrowdStrike LogScale · LogScale

Detect Abuse Elevation Control Mechanism in CrowdStrike LogScale

Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems include native elevation controls that limit what a user can do without an explicit grant. Adversaries abuse these controls on Windows (UAC bypass through auto-elevate binaries, COM object hijacking, DLL side-loading into elevated processes), Linux (setuid/setgid abuse, sudo misconfiguration, pkexec exploitation), macOS (TCC database manipulation, Elevated Execution with Prompt) and cloud platforms (temporary elevated role assumption, IAM privilege escalation). Real-world actors such as UNC3886 and malware families such as Raspberry Robin have used these techniques to reach SYSTEM or root without the consent prompt the control is meant to enforce.

MITRE ATT&CK

Tactic
Privilege Escalation, Defense Evasion
Technique
T1548 Abuse Elevation Control Mechanism
Canonical reference
https://attack.mitre.org/techniques/T1548/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

```cql
// Detection 1: UAC bypass - auto-elevate binary spawning a suspicious child process
// ParentBaseFileName is a bare file name, so it is anchored; ImageFileName carries the
// full path, so only the final path component is anchored.
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(fodhelper|eventvwr|sdclt|cmstp|computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\.exe$/i
| ImageFileName = /\\(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\.exe$/i
| detection_type := case {
    ParentBaseFileName = /^fodhelper\.exe$/i and ImageFileName = /\\(cmd|powershell|pwsh|mshta)\.exe$/i => "Fodhelper_UAC_Bypass";
    ParentBaseFileName = /^eventvwr\.exe$/i and ImageFileName = /\\(cmd|powershell|pwsh|mshta|wscript)\.exe$/i => "Eventvwr_UAC_Bypass";
    ParentBaseFileName = /^sdclt\.exe$/i and ImageFileName = /\\(cmd|powershell|pwsh)\.exe$/i => "Sdclt_UAC_Bypass";
    ParentBaseFileName = /^cmstp\.exe$/i and ImageFileName = /\\(cmd|powershell|mshta|rundll32)\.exe$/i => "Cmstp_UAC_Bypass";
    * => "Generic_AutoElevate_UAC_Bypass"
  }
| risk_score := case {
    detection_type = "Fodhelper_UAC_Bypass" => 85;
    in(detection_type, values=["Eventvwr_UAC_Bypass", "Sdclt_UAC_Bypass", "Cmstp_UAC_Bypass"]) => 80;
    * => 65
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, detection_type, risk_score])
| sort(field=@timestamp, order=desc)

// Detection 2: UAC bypass registry staging (separate query - run independently)
// ms-settings = fodhelper/computerdefaults, mscfile = eventvwr, Folder = sdclt /KickOffElev
// #event_simpleName=RegGenericValueSet or #event_simpleName=RegSetValue
// | RegObjectName = /\\Software\\Classes\\(ms-settings|mscfile|Folder)\\shell\\open\\command/i
// | table([@timestamp, ComputerName, UserName, RegObjectName, RegStringValue, ImageFileName, CommandLine])
// | sort(field=@timestamp, order=desc)

// Detection 3: Linux setuid/sudo abuse (separate query - run independently on Linux sensors)
// #event_simpleName=ProcessRollup2 event_platform=Lin
// | CommandLine = /(chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755|sudo -s|sudo su|sudo bash|sudo sh|sudo \/bin\/(bash|sh)|pkexec|doas )/i
// | UserName != "root"
// | table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName])
// | sort(field=@timestamp, order=desc)
```

Severity: high · Confidence: high

Detects UAC bypass via auto-elevate Windows binaries spawning suspicious child processes, using CrowdStrike Falcon ProcessRollup2 events. The primary query correlates ParentBaseFileName (a list of 19 auto-elevate executables) with ImageFileName (shell and scripting interpreters), labels the well-known bypasses by technique (Fodhelper, Eventvwr, Sdclt, Cmstp) and assigns a risk score; any other pairing from the two lists falls through to the generic label at a lower score. Two companion queries, shipped commented out because each must run on its own, cover registry hijack staging (RegGenericValueSet/RegSetValue writes to the shell\open\command keys under HKCU\Software\Classes that the Fodhelper, Eventvwr and sdclt bypasses hijack) and Linux setuid/sudo abuse on Linux-sensor ProcessRollup2 events. ParentBaseFileName holds only the file name, not the path, so matching does not depend on where the parent image lives. The primary query does not check the child's integrity level: a genuine bypass produces a child at high integrity (the Atomic tests below show this as a High Mandatory Level), and adding that condition removes auto-elevate binaries that merely spawn a medium-integrity helper.
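The three queries above, re-expressed as plain Python so the matching and scoring logic can be exercised offline. This is an added example, not code from the page or from CrowdStrike: the field names (ParentBaseFileName, ImageFileName, CommandLine, RegObjectName, RegStringValue, event_platform, UserName) follow the query, the events are constructed samples rather than captured Falcon telemetry, and the labels for detections 2 and 3 are our own since the page assigns none.

```python
import re
from typing import Optional

# Added example (not CrowdStrike's code): the three LogScale detections as plain
# Python over constructed Falcon-style events. Field names follow the query; the
# labels used for detections 2 and 3 are ours, the page assigns none.

AUTO_ELEVATE = re.compile(
    r"(fodhelper|eventvwr|sdclt|cmstp|computerdefaults|slui|wsreset|dccw|pkgmgr"
    r"|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress"
    r"|ntprint|recdisc)\.exe", re.I)
SUSPICIOUS_CHILD = re.compile(
    r"(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec"
    r"|certutil|bitsadmin|wmic|regasm|regsvcs)\.exe", re.I)
# Same order as the query's case{} block: first match wins, generic is the fallback.
SPECIFIC_BYPASSES = [
    (r"fodhelper\.exe", r"(cmd|powershell|pwsh|mshta)\.exe", "Fodhelper_UAC_Bypass", 85),
    (r"eventvwr\.exe", r"(cmd|powershell|pwsh|mshta|wscript)\.exe", "Eventvwr_UAC_Bypass", 80),
    (r"sdclt\.exe", r"(cmd|powershell|pwsh)\.exe", "Sdclt_UAC_Bypass", 80),
    (r"cmstp\.exe", r"(cmd|powershell|mshta|rundll32)\.exe", "Cmstp_UAC_Bypass", 80),
]
HIJACK_KEY = re.compile(
    r"\\Software\\Classes\\(ms-settings|mscfile|Folder)\\shell\\open\\command", re.I)
LINUX_ESCALATION = re.compile(
    r"(chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755|sudo -s|sudo su"
    r"|sudo bash|sudo sh|sudo /bin/(bash|sh)|pkexec|doas )", re.I)

def basename(path: str) -> str:
    # Falcon's Windows ImageFileName starts with \Device\HarddiskVolumeN\...;
    # ParentBaseFileName is already a bare file name, so only the child needs this.
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def classify_uac_bypass(ev: dict) -> Optional[tuple]:
    """Detection 1. Returns (detection_type, risk_score) or None."""
    if ev.get("event_simpleName") != "ProcessRollup2":
        return None
    parent = ev.get("ParentBaseFileName", "")
    child = basename(ev.get("ImageFileName", ""))
    if not (AUTO_ELEVATE.fullmatch(parent) and SUSPICIOUS_CHILD.fullmatch(child)):
        return None
    for parent_re, child_re, label, score in SPECIFIC_BYPASSES:
        if re.fullmatch(parent_re, parent, re.I) and re.fullmatch(child_re, child, re.I):
            return label, score
    return "Generic_AutoElevate_UAC_Bypass", 65

def detect_registry_hijack(ev: dict) -> Optional[str]:
    """Detection 2. Returns the planted command (RegStringValue) or None."""
    if ev.get("event_simpleName") not in ("RegGenericValueSet", "RegSetValue"):
        return None
    if HIJACK_KEY.search(ev.get("RegObjectName", "")):
        return ev.get("RegStringValue", "")
    return None

def detect_linux_escalation(ev: dict) -> bool:
    """Detection 3: setuid staging or interactive sudo by a non-root user on a Linux sensor."""
    return (ev.get("event_simpleName") == "ProcessRollup2"
            and ev.get("event_platform") == "Lin"
            and ev.get("UserName") != "root"
            and LINUX_ESCALATION.search(ev.get("CommandLine", "")) is not None)

def run_detections(events: list) -> list:
    """All three detections over an event list, newest first like sort(order=desc)."""
    findings = []
    for ev in events:
        base = {"timestamp": ev["@timestamp"], "host": ev["ComputerName"], "user": ev["UserName"]}
        hit = classify_uac_bypass(ev)
        if hit:
            findings.append({**base, "detection_type": hit[0], "risk_score": hit[1],
                             "detail": ev["CommandLine"]})
        planted = detect_registry_hijack(ev)
        if planted is not None:
            findings.append({**base, "detection_type": "UAC_Registry_Hijack_Staging", "detail": planted})
        if detect_linux_escalation(ev):
            findings.append({**base, "detection_type": "Linux_Setuid_Sudo_Abuse", "detail": ev["CommandLine"]})
    return sorted(findings, key=lambda f: f["timestamp"], reverse=True)

def win_proc(ts, parent, image, cmdline):
    """Constructed Windows ProcessRollup2 sample, not captured telemetry."""
    return {"@timestamp": ts, "event_simpleName": "ProcessRollup2", "event_platform": "Win",
            "ComputerName": "WS01", "UserName": "alice", "ParentBaseFileName": parent,
            "ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\" + image,
            "CommandLine": cmdline}

SAMPLE_EVENTS = [  # constructed samples
    win_proc("2024-05-01T10:00:01Z", "fodhelper.exe", "WindowsPowerShell\\v1.0\\powershell.exe",
             "powershell.exe -nop -w hidden -c whoami /groups"),
    win_proc("2024-05-01T10:00:02Z", "eventvwr.exe", "cmd.exe", "cmd.exe /c whoami /priv"),
    win_proc("2024-05-01T10:00:03Z", "wsreset.exe", "msiexec.exe", "msiexec.exe /i update.msi /qn"),
    win_proc("2024-05-01T10:00:04Z", "explorer.exe", "cmd.exe", "cmd.exe"),           # benign parent
    win_proc("2024-05-01T10:00:05Z", "fodhelper.exe", "notepad.exe", "notepad.exe"),  # child not in list
    {"@timestamp": "2024-05-01T09:59:59Z", "event_simpleName": "RegGenericValueSet",
     "event_platform": "Win", "ComputerName": "WS01", "UserName": "alice",
     "RegObjectName": "\\REGISTRY\\USER\\S-1-5-21-1-2-3-1001\\Software\\Classes\\ms-settings\\shell\\open\\command",
     "RegStringValue": "cmd.exe /c whoami /priv"},
    {"@timestamp": "2024-05-01T11:00:00Z", "event_simpleName": "ProcessRollup2", "event_platform": "Lin",
     "ComputerName": "LNX01", "UserName": "testuser", "ParentBaseFileName": "sudo",
     "ImageFileName": "/usr/bin/chmod", "CommandLine": "chmod u+s /tmp/argus-suid-test"},
    {"@timestamp": "2024-05-01T11:00:01Z", "event_simpleName": "ProcessRollup2", "event_platform": "Lin",
     "ComputerName": "LNX01", "UserName": "root", "ParentBaseFileName": "bash",
     "ImageFileName": "/usr/bin/sudo", "CommandLine": "sudo -s"},  # root is excluded, as in the query
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f["timestamp"], f["host"], f["detection_type"], f.get("risk_score"), f["detail"])
```

Running it prints the five findings newest first: the Linux chmod, the wsreset/msiexec pairing (generic label, score 65, the kind of hit the tuning section covers), the eventvwr and fodhelper children, and the registry write that staged the fodhelper payload. The explorer.exe parent and the fodhelper/notepad pairing produce nothing, matching what the CQL would return.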

Data Sources

  • CrowdStrike Falcon Endpoint (ProcessRollup2 - process telemetry)
  • CrowdStrike Falcon Endpoint (RegGenericValueSet / RegSetValue - registry telemetry)
  • CrowdStrike Falcon Linux Sensor (ProcessRollup2 - Linux process telemetry)

Required Tables

  • ProcessRollup2
  • RegGenericValueSet
  • RegSetValue

False Positives & Tuning

  • Software deployment and update tooling that invokes wusa.exe (or wsreset.exe) as the parent and spawns msiexec.exe or cmd.exe as a legitimate installation child; tune on ParentCommandLine and the child's command line rather than excluding the parent binary outright
  • Security tooling such as EDR agents or AV products that may spawn cmd.exe or powershell.exe from elevated management processes that share the auto-elevate binary naming space
  • Linux administrators using 'sudo bash' or 'sudo -s' for interactive escalation on systems where sudo is the standard privilege management mechanism; scope detection to servers or specific asset groups rather than all endpoints

Testing Methodology

Validate this detection against five Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Fodhelper UAC Bypass — Registry Staging and Execution

    Expected signal: Sysmon Event ID 13 (RegistryValueSet) with TargetObject containing HKCU\Software\Classes\ms-settings\shell\open\command and Details showing the cmd.exe payload. Sysmon Event ID 1 (Process Create) with Image=fodhelper.exe and MandatoryLabel=High Mandatory Level. A second Sysmon Event ID 1 with ParentImage=fodhelper.exe, Image=cmd.exe and MandatoryLabel=High Mandatory Level: this is the child that ran past UAC. Security Event ID 4688 (if process creation auditing is enabled) for that child, with its Mandatory Label showing high integrity. MDE DeviceRegistryEvents shows ActionType=RegistryValueSet on the ms-settings key. In Falcon telemetry the same sequence is a registry write to that key followed by a ProcessRollup2 whose ParentBaseFileName is fodhelper.exe, which is what the primary query matches.

  2. Test 2: Eventvwr UAC Bypass — mscfile COM Hijacking

    Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\mscfile\shell\open\command, Details=cmd.exe /c whoami /priv... Sysmon Event ID 1: Image=eventvwr.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1: ParentImage=eventvwr.exe, Image=cmd.exe, CommandLine containing whoami /priv, MandatoryLabel=High Mandatory Level. Security Event ID 4688 (if command line auditing enabled) with mandatory label showing High Integrity.

  3. Test 3: Linux Setuid Bit Abuse — Copy Shell and Set SUID

    Expected signal: MDE DeviceProcessEvents (Linux) with ProcessCommandLine containing 'chmod u+s /tmp/argus-suid-test'. A follow-on process event for /tmp/argus-suid-test -p -c 'id; whoami' with AccountName of the test runner, while the command output reports an effective UID of root (the -p flag keeps bash from dropping the setuid privilege). Linux audit log (auditd): SYSCALL records for chmod with mode=104755 (regular file, setuid + 755) and a PATH record for the target file. /var/log/auth.log: sudo session opened for the command /bin/chmod. Sysmon for Linux (if deployed): Event ID 1 for the chmod command and Event ID 1 for execution of the suid binary. The Falcon Linux query above matches the chmod u+s command line when the invoking UserName is not root.

  4. Test 4: Sudo GTFOBins Privilege Escalation — Python Breakout

    Expected signal: Linux auth.log: sudo session opened for user root by testuser(uid=1000), COMMAND=/usr/bin/python3 -c import os... MDE DeviceProcessEvents (Linux): ProcessCommandLine='sudo python3 -c import os; os.setuid(0); os.system(id && whoami && cat /etc/shadow...' with AccountName=testuser. Auditd: SYSCALL setuid with uid=0 result=success from python3 process. The os.system('cat /etc/shadow') represents credential access following privilege escalation.

  5. Test 5: sdclt UAC Bypass — Folder Shell Command Hijacking

    Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\Folder\shell\open\command, Details=cmd.exe /c whoami /groups... Sysmon Event ID 1: Image=sdclt.exe with ProcessCommandLine containing /kickoffelev. Sysmon Event ID 1: ParentImage=sdclt.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level. MDE DeviceRegistryEvents: ActionType=RegistryValueSet on the Folder\shell\open\command key. If UAC bypass succeeds, whoami /groups output will show 'Mandatory Label\High Mandatory Level Label'.
