T1548 Splunk · SPL

Detect Abuse Elevation Control Mechanism in Splunk

Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms intended to limit privileges a user can perform. Adversaries exploit these mechanisms across Windows (UAC bypass via auto-elevate binaries, COM object hijacking, DLL side-loading into elevated processes), Linux (setuid/setgid bit abuse, sudo misconfiguration, pkexec exploitation), macOS (TCC database manipulation, Elevated Execution with Prompt), and cloud environments (temporary role assumption, IAM privilege escalation). Real-world actors including UNC3886 and malware like Raspberry Robin have weaponized these techniques to gain SYSTEM or root access without triggering standard UAC consent dialogs.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion
Technique
T1548 Abuse Elevation Control Mechanism
Canonical reference
https://attack.mitre.org/techniques/T1548/

SPL Detection Query

Splunk (SPL)
spl 
(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | eval Image=lower(Image), ParentImage=lower(ParentImage)
  | eval CommandLine=coalesce(CommandLine, "")
  | eval ParentCommandLine=coalesce(ParentCommandLine, "")
)
OR
(
  index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688
  | eval Image=lower(NewProcessName), ParentImage=lower(ParentProcessName)
  | eval CommandLine=coalesce(CommandLine, ""), ParentCommandLine=""
)
| eval UACBypassParent=if(
    match(ParentImage, "(fodhelper|eventvwr|sdclt|cmstp|computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\\.exe"),
    1, 0
  )
| eval SuspiciousChild=if(
    match(Image, "(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\\.exe"),
    1, 0
  )
| eval FodhelperBypass=if(
    match(ParentImage, "fodhelper\\.exe") AND match(Image, "(cmd|powershell|pwsh|mshta)\\.exe"),
    1, 0
  )
| eval EventvwrBypass=if(
    match(ParentImage, "eventvwr\\.exe") AND match(Image, "(cmd|powershell|pwsh|mshta|wscript)\\.exe"),
    1, 0
  )
| eval SdcltBypass=if(
    match(ParentImage, "sdclt\\.exe") AND match(Image, "(cmd|powershell|pwsh)\\.exe"),
    1, 0
  )
| eval CmstpBypass=if(
    match(ParentImage, "cmstp\\.exe") AND match(Image, "(cmd|powershell|mshta|rundll32)\\.exe"),
    1, 0
  )
| eval GenericAutoElevate=if(UACBypassParent=1 AND SuspiciousChild=1, 1, 0)
| eval SuspicionScore=FodhelperBypass + EventvwrBypass + SdcltBypass + CmstpBypass + GenericAutoElevate
| where SuspicionScore > 0
| eval DetectionType=case(
    FodhelperBypass=1, "Fodhelper_UAC_Bypass",
    EventvwrBypass=1, "Eventvwr_UAC_Bypass",
    SdcltBypass=1, "Sdclt_UAC_Bypass",
    CmstpBypass=1, "Cmstp_UAC_Bypass",
    GenericAutoElevate=1, "Generic_AutoElevate_UAC_Bypass",
    true(), "Unknown"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, SuspicionScore
| sort - SuspicionScore, - _time
high severity high confidence

Detects T1548 UAC bypass patterns using Sysmon Event ID 1 (Process Creation) and Security Event ID 4688, combining both sources for broader coverage. Evaluates parent-child process relationships against known auto-elevate UAC bypass binaries including fodhelper, eventvwr, sdclt, cmstp, and computerdefaults. Assigns specific detection labels for each bypass variant and a cumulative suspicion score. The query normalizes Image and ParentImage to lowercase for case-insensitive matching across both Sysmon and Security event formats.

Data Sources

Process: Process CreationSysmon Event ID 1Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • Software installers that legitimately invoke auto-elevate binaries as part of their installation workflow, particularly third-party installers that chain through Windows trusted binaries
  • SCCM/Intune application deployments that spawn cmd.exe or PowerShell as child processes of management binaries during provisioning tasks
  • IT administration scripts that use RunAs or scheduled tasks to elevate through known binaries, especially in environments without enforced UAC policies
  • Legitimate Windows administrative tools (Event Viewer launched by administrators, Disk Cleanup invoked by maintenance scripts) that may trigger eventvwr or cleanmgr parent associations
  • Software packaging tools and virtualization platforms (App-V, ThinApp) that wrap installers inside auto-elevated process containers
Download portable Sigma rule (.yml)

Other platforms for T1548

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Fodhelper UAC Bypass — Registry Staging and Execution

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject containing HKCU\Software\Classes\ms-settings\shell\open\command, Details showing cmd.exe payload. Sysmon Event ID 1 (Process Create): Image=fodhelper.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1 again: ParentImage=fodhelper.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level — this is the UAC bypassed child. Security Event ID 4624 may show a new elevated token. MDE DeviceRegistryEvents will show ActionType=RegistryValueSet on the ms-settings key.

  2. Test 2Eventvwr UAC Bypass — mscfile COM Hijacking

    Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\mscfile\shell\open\command, Details=cmd.exe /c whoami /priv... Sysmon Event ID 1: Image=eventvwr.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1: ParentImage=eventvwr.exe, Image=cmd.exe, CommandLine containing whoami /priv, MandatoryLabel=High Mandatory Level. Security Event ID 4688 (if command line auditing enabled) with mandatory label showing High Integrity.

  3. Test 3Linux Setuid Bit Abuse — Copy Shell and Set SUID

    Expected signal: MDE DeviceProcessEvents (Linux): ProcessCommandLine containing 'chmod u+s /tmp/argus-suid-test'. Follow-on process event showing /tmp/argus-suid-test -p -c 'id; whoami' with AccountName of the test runner but effective UID of root in output. Linux audit log (auditd): SYSCALL records for chmod with mode=104755 (setuid+755), PATH record for the target file. /var/log/auth.log: sudo session opened for command /bin/chmod. Sysmon for Linux (if deployed): Event ID 1 showing chmod command, Event ID 1 showing suid binary execution.

  4. Test 4Sudo GTFOBins Privilege Escalation — Python Breakout

    Expected signal: Linux auth.log: sudo session opened for user root by testuser(uid=1000), COMMAND=/usr/bin/python3 -c import os... MDE DeviceProcessEvents (Linux): ProcessCommandLine='sudo python3 -c import os; os.setuid(0); os.system(id && whoami && cat /etc/shadow...' with AccountName=testuser. Auditd: SYSCALL setuid with uid=0 result=success from python3 process. The os.system('cat /etc/shadow') represents credential access following privilege escalation.

  5. Test 5sdclt UAC Bypass — Folder Shell Command Hijacking

    Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\Folder\shell\open\command, Details=cmd.exe /c whoami /groups... Sysmon Event ID 1: Image=sdclt.exe with ProcessCommandLine containing /kickoffelev. Sysmon Event ID 1: ParentImage=sdclt.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level. MDE DeviceRegistryEvents: ActionType=RegistryValueSet on the Folder\shell\open\command key. If UAC bypass succeeds, whoami /groups output will show 'Mandatory Label\High Mandatory Level Label'.

Last updated: 2026-04-20 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1548 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (6)

Related Techniques

T1548.001Setuid and SetgidT1548.002Bypass User Account ControlT1548.003Sudo and Sudo CachingT1548.004Elevated Execution with PromptT1548.005Temporary Elevated Cloud AccessT1548.006TCC ManipulationT1055Process InjectionT1218.011Rundll32T1543.003Windows ServiceT1053.005Scheduled TaskT1112Modify RegistryT1562.001Disable or Modify Tools

Same Tactic: Privilege Escalation

Popular Detections