Detect Abuse Elevation Control Mechanism in Microsoft Sentinel
Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms intended to limit privileges a user can perform. Adversaries exploit these mechanisms across Windows (UAC bypass via auto-elevate binaries, COM object hijacking, DLL side-loading into elevated processes), Linux (setuid/setgid bit abuse, sudo misconfiguration, pkexec exploitation), macOS (TCC database manipulation, Elevated Execution with Prompt), and cloud environments (temporary role assumption, IAM privilege escalation). Real-world actors including UNC3886 and malware like Raspberry Robin have weaponized these techniques to gain SYSTEM or root access without triggering standard UAC consent dialogs.
MITRE ATT&CK
- Technique
- T1548 Abuse Elevation Control Mechanism
- Canonical reference
- https://attack.mitre.org/techniques/T1548/
KQL Detection Query
let UACBypassAutoElevateBinaries = dynamic([
"fodhelper.exe", "eventvwr.exe", "sdclt.exe", "cmstp.exe",
"computerdefaults.exe", "slui.exe", "wsreset.exe", "dccw.exe",
"pkgmgr.exe", "wusa.exe", "infdefaultinstall.exe", "msconfig.exe",
"colorcpl.exe", "cliconfg.exe", "dism.exe", "eudcedit.exe",
"iexpress.exe", "ntprint.exe", "recdisc.exe", "tabletpc.cpl"
]);
let SuspiciousChildProcesses = dynamic([
"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
"cscript.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
"certutil.exe", "bitsadmin.exe", "wmic.exe", "regasm.exe", "regsvcs.exe"
]);
let LegitimateElevatedParents = dynamic([
"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe",
"winlogon.exe", "smss.exe", "taskhostw.exe", "userinit.exe", "msiexec.exe",
"TiWorker.exe", "TrustedInstaller.exe", "WmiPrvSE.exe"
]);
// Detection 1: UAC Bypass - auto-elevate binary spawning suspicious child process
let UACBypassChildSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (UACBypassAutoElevateBinaries)
| where FileName has_any (SuspiciousChildProcesses)
| extend DetectionType = "UAC_Bypass_AutoElevate_Child"
| extend RiskScore = 80
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
ProcessIntegrityLevel, InitiatingProcessIntegrityLevel,
DetectionType, RiskScore;
// Detection 2: Unexpected integrity level escalation (Medium/Low parent spawning High/System child)
let IntegrityEscalation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessIntegrityLevel in ("High", "System")
| where InitiatingProcessIntegrityLevel in ("Medium", "Low")
| where InitiatingProcessFileName !in~ (LegitimateElevatedParents)
| where FileName !in~ ("consent.exe", "dllhost.exe", "RuntimeBroker.exe")
| where AccountName !endswith "$"
| extend DetectionType = "Integrity_Level_Escalation"
| extend RiskScore = 70
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
ProcessIntegrityLevel, InitiatingProcessIntegrityLevel,
DetectionType, RiskScore;
// Detection 3: Linux setuid abuse and sudo privilege escalation
let LinuxPrivEsc = DeviceProcessEvents
| where Timestamp > ago(24h)
| where OSPlatform == "Linux"
| where ProcessCommandLine has_any (
"chmod +s", "chmod u+s", "chmod 4755", "chmod 4777", "chmod 6755",
"sudo -s", "sudo su", "sudo bash", "sudo sh", "sudo /bin/bash",
"sudo /bin/sh", "sudo python", "sudo perl", "sudo ruby",
"pkexec", "doas "
)
| where AccountName !in ("root", "_apt", "daemon", "nobody")
| extend DetectionType = "Linux_Setuid_Sudo_Abuse"
| extend RiskScore = 65
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
ProcessIntegrityLevel, InitiatingProcessIntegrityLevel,
DetectionType, RiskScore;
// Detection 4: Fodhelper registry hijack preparation (writing to HKCU shell\open\command)
let FodhelperRegistryPrep = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_all ("Software\\Classes", "ms-settings", "shell\\open\\command")
or RegistryKey has_all ("Software\\Classes", "mscfile", "shell\\open\\command")
| extend DetectionType = "UAC_Bypass_Registry_Hijack_Prep"
| extend RiskScore = 90
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
FileName = InitiatingProcessFileName,
ProcessCommandLine = InitiatingProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
RegistryKey, RegistryValueName, RegistryValueData,
DetectionType, RiskScore;
// Union all detection types
UACBypassChildSpawn
| union IntegrityEscalation
| union LinuxPrivEsc
| union (FodhelperRegistryPrep | extend ProcessIntegrityLevel = "", InitiatingProcessIntegrityLevel = "")
| sort by Timestamp descDetects T1548 Abuse Elevation Control Mechanism across four detection patterns using Microsoft Defender for Endpoint tables. Pattern 1 catches UAC bypass via auto-elevate binaries (fodhelper, eventvwr, sdclt, etc.) spawning suspicious child processes like cmd.exe or PowerShell. Pattern 2 detects unexpected integrity level escalation where a Medium/Low integrity parent spawns a High/System integrity child without going through consent.exe. Pattern 3 covers Linux setuid bit manipulation and sudo abuse. Pattern 4 catches the registry key staging step of registry-based UAC bypasses (HKCU ms-settings or mscfile shell\open\command hijacking used by fodhelper and eventvwr techniques).
Data Sources
Required Tables
False Positives & Tuning
- Software installers that legitimately invoke auto-elevate binaries as part of their installation workflow (e.g., Windows installer packages that chain through fodhelper)
- Group Policy and SCCM/Intune deployments that spawn cmd.exe or PowerShell as children of management binaries during system configuration
- IT administration tools (MMC snap-ins, Remote Server Administration Tools) that legitimately elevate to High integrity when launched by administrators via RunAs
- Linux package managers (apt, yum, dnf) invoking sudo for legitimate system package installation and upgrade operations
- Developer build systems using chmod to mark compiled executables or test binaries, and CI/CD pipelines running as non-root that sudo to install dependencies
Other platforms for T1548
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Fodhelper UAC Bypass — Registry Staging and Execution
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject containing HKCU\Software\Classes\ms-settings\shell\open\command, Details showing cmd.exe payload. Sysmon Event ID 1 (Process Create): Image=fodhelper.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1 again: ParentImage=fodhelper.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level — this is the UAC bypassed child. Security Event ID 4624 may show a new elevated token. MDE DeviceRegistryEvents will show ActionType=RegistryValueSet on the ms-settings key.
- Test 2Eventvwr UAC Bypass — mscfile COM Hijacking
Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\mscfile\shell\open\command, Details=cmd.exe /c whoami /priv... Sysmon Event ID 1: Image=eventvwr.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1: ParentImage=eventvwr.exe, Image=cmd.exe, CommandLine containing whoami /priv, MandatoryLabel=High Mandatory Level. Security Event ID 4688 (if command line auditing enabled) with mandatory label showing High Integrity.
- Test 3Linux Setuid Bit Abuse — Copy Shell and Set SUID
Expected signal: MDE DeviceProcessEvents (Linux): ProcessCommandLine containing 'chmod u+s /tmp/argus-suid-test'. Follow-on process event showing /tmp/argus-suid-test -p -c 'id; whoami' with AccountName of the test runner but effective UID of root in output. Linux audit log (auditd): SYSCALL records for chmod with mode=104755 (setuid+755), PATH record for the target file. /var/log/auth.log: sudo session opened for command /bin/chmod. Sysmon for Linux (if deployed): Event ID 1 showing chmod command, Event ID 1 showing suid binary execution.
- Test 4Sudo GTFOBins Privilege Escalation — Python Breakout
Expected signal: Linux auth.log: sudo session opened for user root by testuser(uid=1000), COMMAND=/usr/bin/python3 -c import os... MDE DeviceProcessEvents (Linux): ProcessCommandLine='sudo python3 -c import os; os.setuid(0); os.system(id && whoami && cat /etc/shadow...' with AccountName=testuser. Auditd: SYSCALL setuid with uid=0 result=success from python3 process. The os.system('cat /etc/shadow') represents credential access following privilege escalation.
- Test 5sdclt UAC Bypass — Folder Shell Command Hijacking
Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\Folder\shell\open\command, Details=cmd.exe /c whoami /groups... Sysmon Event ID 1: Image=sdclt.exe with ProcessCommandLine containing /kickoffelev. Sysmon Event ID 1: ParentImage=sdclt.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level. MDE DeviceRegistryEvents: ActionType=RegistryValueSet on the Folder\shell\open\command key. If UAC bypass succeeds, whoami /groups output will show 'Mandatory Label\High Mandatory Level Label'.
References (13)
- https://attack.mitre.org/techniques/T1548/
- https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware
- https://www.sudo.ws/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md
- https://github.com/hfiref0x/UACME
- https://gtfobins.github.io/
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
- https://posts.specterops.io/a-brief-history-of-uac-bypasses-fce8a6a87b75
Unlock Pro Content
Get the full detection package for T1548 including response playbook, investigation guide, and atomic red team tests.