Detect Abuse Elevation Control Mechanism in IBM QRadar
Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms intended to limit the privileges a user can exercise. Adversaries abuse these mechanisms across Windows (UAC bypass via auto-elevate binaries, COM object hijacking, DLL side-loading into elevated processes), Linux (setuid/setgid bit abuse, sudo misconfiguration, pkexec exploitation), macOS (TCC database manipulation, Elevated Execution with Prompt), and cloud environments (temporary role assumption, IAM privilege escalation). Real-world actors including UNC3886 and malware such as Raspberry Robin have weaponized these techniques to gain SYSTEM or root access without triggering the standard UAC consent dialog.
MITRE ATT&CK
- Technique: T1548 Abuse Elevation Control Mechanism
- Canonical reference: https://attack.mitre.org/techniques/T1548/
QRadar Detection Query

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "Process Name" AS child_process,
  "Parent Process Name" AS parent_process,
  "Command Line" AS command_line,
  "Parent Command Line" AS parent_command_line,
  CASE
    WHEN LOWER("Parent Process Name") = 'fodhelper.exe'
      AND LOWER("Process Name") MATCHES '(cmd|powershell|pwsh|mshta)\.exe'
      THEN 'Fodhelper_UAC_Bypass'
    WHEN LOWER("Parent Process Name") = 'eventvwr.exe'
      AND LOWER("Process Name") MATCHES '(cmd|powershell|pwsh|mshta|wscript)\.exe'
      THEN 'Eventvwr_UAC_Bypass'
    WHEN LOWER("Parent Process Name") = 'sdclt.exe'
      AND LOWER("Process Name") MATCHES '(cmd|powershell|pwsh)\.exe'
      THEN 'Sdclt_UAC_Bypass'
    WHEN LOWER("Parent Process Name") = 'cmstp.exe'
      AND LOWER("Process Name") MATCHES '(cmd|powershell|mshta|rundll32)\.exe'
      THEN 'Cmstp_UAC_Bypass'
    WHEN LOWER("Parent Process Name") MATCHES '(computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\.exe'
      AND LOWER("Process Name") MATCHES '(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\.exe'
      THEN 'Generic_AutoElevate_UAC_Bypass'
    -- IMATCHES is a whole-value regex, so the key paths are wrapped in .* rather than LIKE-style % wildcards
    WHEN "Registry Key" IMATCHES '.*Software\\Classes\\ms-settings\\shell\\open\\command.*'
      OR "Registry Key" IMATCHES '.*Software\\Classes\\mscfile\\shell\\open\\command.*'
      THEN 'UAC_Bypass_Registry_Hijack_Prep'
    WHEN LOWER("Command Line") MATCHES '.*(chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755|sudo -s|sudo su|sudo bash|sudo sh|sudo /bin/bash|sudo /bin/sh|pkexec|doas ).*'
      AND username NOT IN ('root', '_apt', 'daemon', 'nobody')
      THEN 'Linux_Setuid_Sudo_Abuse'
    ELSE 'Unknown'
  END AS detection_type,
  CASE
    WHEN "Registry Key" IMATCHES '.*ms-settings\\shell\\open\\command.*' THEN 90
    WHEN LOWER("Parent Process Name") = 'fodhelper.exe' THEN 85
    WHEN LOWER("Parent Process Name") IN ('eventvwr.exe', 'sdclt.exe', 'cmstp.exe') THEN 80
    ELSE 65
  END AS risk_score
FROM events
WHERE
  -- NOW() is epoch milliseconds in AQL; 86400000 ms = 24 hours
  starttime > (NOW() - 86400000)
  AND (
    (
      LOWER("Parent Process Name") MATCHES
        '(fodhelper|eventvwr|sdclt|cmstp|computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\.exe'
      AND LOWER("Process Name") MATCHES
        '(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\.exe'
    )
    OR (
      "Registry Key" IMATCHES '.*Software\\Classes\\ms-settings\\shell\\open\\command.*'
      OR "Registry Key" IMATCHES '.*Software\\Classes\\mscfile\\shell\\open\\command.*'
    )
    OR (
      -- same command pattern as the CASE branch above, so every Linux hit gets its label
      LOWER("Command Line") MATCHES
        '.*(chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755|sudo -s|sudo su|sudo bash|sudo sh|sudo /bin/bash|sudo /bin/sh|pkexec|doas ).*'
      AND username NOT IN ('root', '_apt', 'daemon', 'nobody')
    )
  )
ORDER BY starttime DESC
```

Detects UAC bypass via auto-elevate binaries spawning suspicious child processes, registry hijack preparation targeting the ms-settings and mscfile shell\open\command paths, and Linux setuid/sudo privilege escalation. Uses the AQL MATCHES operator for regex-based process name correlation across Windows Security, Sysmon, and Linux log sources ingested into QRadar. Risk scoring is weighted by specificity: registry hijack prep scores highest at 90 because it indicates deliberate bypass preparation.

Two points to check before deploying: AQL MATCHES and IMATCHES are whole-value regular-expression matches (LIKE-style % wildcards are not interpreted), which is why the registry and Linux patterns are wrapped in `.*`. The process-name comparisons assume the "Process Name" and "Parent Process Name" custom properties are extracted as bare image names; if your DSM or property extraction yields full paths, wrap those patterns in `.*` as well or normalise the property at extraction time.
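To unit-test the query's classification logic offline before loading it into QRadar, here is an added Python re-implementation of its CASE branches (this is example code, not part of the original rule or the QRadar product) run over constructed events that mirror the Test 1-3 telemetry from the Testing Methodology section; the event field names (`parent_process`, `process`, `registry_key`, `command_line`, `username`) are assumptions standing in for the QRadar custom properties, and, unlike the AQL string compare, it tolerates full image paths as well as bare names.

```python
import ntpath
import re

def exe_set(names):  # build {'<name>.exe', ...} from a space-separated list, keeps the tables short
    return {n + ".exe" for n in names.split()}

# Parent auto-elevate images and child images exactly as the query's WHERE clause pairs them
AUTO_ELEVATE = exe_set("fodhelper eventvwr sdclt cmstp computerdefaults slui wsreset dccw pkgmgr wusa "
                       "infdefaultinstall msconfig colorcpl cliconfg dism eudcedit iexpress ntprint recdisc")
SUSPICIOUS_CHILD = exe_set("cmd powershell pwsh mshta wscript cscript rundll32 regsvr32 msiexec certutil "
                           "bitsadmin wmic regasm regsvcs")
# Named CASE branches: parent -> (label, risk_score, child images that earn the label)
PARENT_RULES = {
    "fodhelper.exe": ("Fodhelper_UAC_Bypass", 85, exe_set("cmd powershell pwsh mshta")),
    "eventvwr.exe": ("Eventvwr_UAC_Bypass", 80, exe_set("cmd powershell pwsh mshta wscript")),
    "sdclt.exe": ("Sdclt_UAC_Bypass", 80, exe_set("cmd powershell pwsh")),
    "cmstp.exe": ("Cmstp_UAC_Bypass", 80, exe_set("cmd powershell mshta rundll32")),
}
REG_HIJACK = re.compile(r"software\\classes\\(ms-settings|mscfile)\\shell\\open\\command", re.I)
LINUX_ABUSE = re.compile(r"chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755|sudo -s|sudo su|sudo bash|"
                         r"sudo sh|sudo /bin/bash|sudo /bin/sh|pkexec|doas ", re.I)
SYSTEM_ACCOUNTS = {"root", "_apt", "daemon", "nobody"}

def classify(ev):
    """Mirror the query's CASE logic: (detection_type, risk_score), or None when the WHERE clause drops it."""
    regkey = ev.get("registry_key", "")
    if REG_HIJACK.search(regkey):
        # Only the ms-settings key scores 90 in the query; an mscfile hit falls through to the ELSE 65
        return "UAC_Bypass_Registry_Hijack_Prep", (90 if "ms-settings" in regkey.lower() else 65)
    # ntpath.basename reduces a full Windows path to its image name and leaves a bare name unchanged
    parent, child = (ntpath.basename(ev.get(k) or "").lower() for k in ("parent_process", "process"))
    if parent in AUTO_ELEVATE and child in SUSPICIOUS_CHILD:
        label, score, allowed = PARENT_RULES.get(parent, ("Generic_AutoElevate_UAC_Bypass", 65, SUSPICIOUS_CHILD))
        return (label if child in allowed else "Unknown"), score  # WHERE matched but no CASE branch did
    if LINUX_ABUSE.search(ev.get("command_line", "")) and ev.get("username") not in SYSTEM_ACCOUNTS:
        return "Linux_Setuid_Sudo_Abuse", 65
    return None

# Constructed sample events mirroring the Test 1-3 telemetry plus a filtered and a benign case; not real logs
SAMPLE_EVENTS = [
    {"registry_key": r"HKCU\Software\Classes\ms-settings\shell\open\command", "username": "alice"},
    {"registry_key": r"HKCU\Software\Classes\mscfile\shell\open\command", "username": "alice"},
    {"parent_process": r"C:\Windows\System32\fodhelper.exe", "process": r"C:\Windows\System32\cmd.exe"},
    {"parent_process": "wusa.exe", "process": "msiexec.exe", "username": "svc-patch"},
    {"command_line": "chmod u+s /tmp/argus-suid-test", "username": "testuser"},
    {"command_line": "chmod u+s /usr/bin/foo", "username": "root"},  # excluded by the account filter
    {"parent_process": "explorer.exe", "process": "cmd.exe", "username": "bob"},  # not an auto-elevate parent
]

def run(events):
    return [classify(ev) for ev in events]  # None marks events the query would not return at all
```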
False Positives & Tuning
- Enterprise patch management solutions that invoke wusa.exe or pkgmgr.exe as part of update pipelines and subsequently spawn child cmd.exe or msiexec.exe processes for installation tasks
- Security assessment or vulnerability scanning tools that enumerate sudo configurations on Linux endpoints, triggering sudo command pattern matches without actual privilege escalation
- Developer workstations where fodhelper or eventvwr may be legitimately launched alongside developer shells in non-adversarial contexts; scope the rule to server OU or production asset groups to reduce noise
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Fodhelper UAC Bypass — Registry Staging and Execution
  Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject containing HKCU\Software\Classes\ms-settings\shell\open\command, Details showing cmd.exe payload. Sysmon Event ID 1 (Process Create): Image=fodhelper.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1 again: ParentImage=fodhelper.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level — this is the UAC-bypassed child. Security Event ID 4624 may show a new elevated token. MDE DeviceRegistryEvents will show ActionType=RegistryValueSet on the ms-settings key.
- Test 2: Eventvwr UAC Bypass — mscfile COM Hijacking
  Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\mscfile\shell\open\command, Details=cmd.exe /c whoami /priv... Sysmon Event ID 1: Image=eventvwr.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1: ParentImage=eventvwr.exe, Image=cmd.exe, CommandLine containing whoami /priv, MandatoryLabel=High Mandatory Level. Security Event ID 4688 (if command line auditing is enabled) with mandatory label showing High Integrity.
- Test 3: Linux Setuid Bit Abuse — Copy Shell and Set SUID
  Expected signal: MDE DeviceProcessEvents (Linux): ProcessCommandLine containing 'chmod u+s /tmp/argus-suid-test'. Follow-on process event showing /tmp/argus-suid-test -p -c 'id; whoami' with AccountName of the test runner but effective UID of root in output. Linux audit log (auditd): SYSCALL records for chmod with mode=104755 (setuid+755), PATH record for the target file. /var/log/auth.log: sudo session opened for command /bin/chmod. Sysmon for Linux (if deployed): Event ID 1 showing the chmod command, Event ID 1 showing the suid binary execution.
- Test 4: Sudo GTFOBins Privilege Escalation — Python Breakout
  Expected signal: Linux auth.log: sudo session opened for user root by testuser(uid=1000), COMMAND=/usr/bin/python3 -c import os... MDE DeviceProcessEvents (Linux): ProcessCommandLine='sudo python3 -c import os; os.setuid(0); os.system(id && whoami && cat /etc/shadow...' with AccountName=testuser. Auditd: SYSCALL setuid with uid=0 result=success from the python3 process. The os.system('cat /etc/shadow') represents credential access following privilege escalation.
- Test 5: sdclt UAC Bypass — Folder Shell Command Hijacking
  Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\Folder\shell\open\command, Details=cmd.exe /c whoami /groups... Sysmon Event ID 1: Image=sdclt.exe with ProcessCommandLine containing /kickoffelev. Sysmon Event ID 1: ParentImage=sdclt.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level. MDE DeviceRegistryEvents: ActionType=RegistryValueSet on the Folder\shell\open\command key. If the UAC bypass succeeds, whoami /groups output will show 'Mandatory Label\High Mandatory Level Label'.
References (13)
- https://attack.mitre.org/techniques/T1548/
- https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware
- https://www.sudo.ws/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md
- https://github.com/hfiref0x/UACME
- https://gtfobins.github.io/
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
- https://posts.specterops.io/a-brief-history-of-uac-bypasses-fce8a6a87b75