T1548 Sumo Logic CSE · Sumo

Detect Abuse Elevation Control Mechanism in Sumo Logic CSE

Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms intended to limit privileges a user can perform. Adversaries exploit these mechanisms across Windows (UAC bypass via auto-elevate binaries, COM object hijacking, DLL side-loading into elevated processes), Linux (setuid/setgid bit abuse, sudo misconfiguration, pkexec exploitation), macOS (TCC database manipulation, Elevated Execution with Prompt), and cloud environments (temporary role assumption, IAM privilege escalation). Real-world actors including UNC3886 and malware like Raspberry Robin have weaponized these techniques to gain SYSTEM or root access without triggering standard UAC consent dialogs.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion
Technique
T1548 Abuse Elevation Control Mechanism
Canonical reference
https://attack.mitre.org/techniques/T1548/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory=*windows/sysmon* OR _sourceCategory=*windows/security* OR _sourceCategory=*linux/secure* OR _sourceCategory=*linux/audit*)
| parse regex field=_raw "(?:Image|NewProcessName)[=:\s]+(?:'|")?(?P<child_image>[^'"\s\r\n]+)" nodrop
| parse regex field=_raw "(?:ParentImage|ParentProcessName)[=:\s]+(?:'|")?(?P<parent_image>[^'"\s\r\n]+)" nodrop
| parse regex field=_raw "(?:CommandLine|ProcessCommandLine)[=:\s]+(?:'|")?(?P<command_line>[^\r\n]+)" nodrop
| parse regex field=_raw "(?:User|SubjectUserName|AccountName)[=:\s]+(?:'|")?(?P<username>[^'"\s\r\n]+)" nodrop
| parse regex field=_raw "(?:Computer|Workstation|hostname)[=:\s]+(?:'|")?(?P<hostname>[^'"\s\r\n]+)" nodrop
| parse regex field=_raw "(?:RegistryKey|TargetObject)[=:\s]+(?:'|")?(?P<registry_key>[^'"\s\r\n]+)" nodrop
| parse regex field=_raw "EventID[=:\s]+(?P<event_id>\d+)" nodrop
| where (
    /* UAC Bypass: auto-elevate binary spawning suspicious child */
    (
      parent_image matches /(?i)(fodhelper|eventvwr|sdclt|cmstp|computerdefaults|slui|wsreset|dccw|pkgmgr|wusa|infdefaultinstall|msconfig|colorcpl|cliconfg|dism|eudcedit|iexpress|ntprint|recdisc)\.exe/
      and child_image matches /(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|wmic|regasm|regsvcs)\.exe/
    )
    /* Registry hijack preparation */
    or (
      registry_key matches /(?i).*Software\\Classes\\(ms-settings|mscfile)\\shell\\open\\command.*/
      and event_id in ("12", "13", "4657")
    )
    /* Linux setuid/sudo abuse */
    or (
      command_line matches /(?i).*(chmod \+s|chmod u\+s|chmod 4755|chmod 4777|chmod 6755|sudo -s|sudo su|sudo bash|sudo sh|sudo \/bin\/(bash|sh)|pkexec|doas ).*/
      and not username in ("root", "_apt", "daemon", "nobody", "www-data")
    )
  )
| if (parent_image matches /(?i)fodhelper\.exe/ and child_image matches /(?i)(cmd|powershell|pwsh|mshta)\.exe/, "Fodhelper_UAC_Bypass",
    if (parent_image matches /(?i)eventvwr\.exe/ and child_image matches /(?i)(cmd|powershell|pwsh|mshta|wscript)\.exe/, "Eventvwr_UAC_Bypass",
      if (parent_image matches /(?i)sdclt\.exe/ and child_image matches /(?i)(cmd|powershell|pwsh)\.exe/, "Sdclt_UAC_Bypass",
        if (parent_image matches /(?i)cmstp\.exe/ and child_image matches /(?i)(cmd|powershell|mshta|rundll32)\.exe/, "Cmstp_UAC_Bypass",
          if (registry_key matches /(?i).*ms-settings.*shell.*open.*command.*/, "UAC_Bypass_Registry_Hijack_Prep",
            if (command_line matches /(?i).*(chmod \+s|chmod 4[67]|sudo (bash|sh|-s)|pkexec).*/, "Linux_Setuid_Sudo_Abuse",
              "Generic_AutoElevate_UAC_Bypass"
            )
          )
        )
      )
    )
  ) as detection_type
| if (detection_type = "UAC_Bypass_Registry_Hijack_Prep", 90,
    if (detection_type = "Fodhelper_UAC_Bypass", 85,
      if (detection_type in ("Eventvwr_UAC_Bypass", "Sdclt_UAC_Bypass", "Cmstp_UAC_Bypass"), 80,
        65
      )
    )
  ) as risk_score
| fields _messagetime, hostname, username, child_image, parent_image, command_line, registry_key, detection_type, risk_score
| sort by _messagetime desc
high severity high confidence

Detects abuse of elevation control mechanisms (T1548) across three behavioral patterns using regex parsing of raw Windows Sysmon, Windows Security, and Linux audit logs. Detection logic covers: UAC bypass via named auto-elevate binaries (fodhelper, eventvwr, sdclt, cmstp, and 15 others) spawning shell or scripting children; registry key writes to ms-settings or mscfile shell open command paths indicative of hijack setup; and Linux setuid chmod or interactive sudo shell invocations by non-privileged accounts. Risk scoring is applied per detection sub-type.

Data Sources

Windows Sysmon (EventID 1 process create, EventID 12/13 registry)Windows Security Event Log (EventID 4688 process create, EventID 4657 registry)Linux auditd / secure log (process exec events)

Required Tables

_sourceCategory=*windows/sysmon*_sourceCategory=*windows/security*_sourceCategory=*linux/secure*_sourceCategory=*linux/audit*

False Positives & Tuning

  • Legitimate administrative scripts that invoke colorcpl.exe, dism.exe, or wusa.exe as part of Windows image servicing pipelines and subsequently spawn cmd.exe for follow-on configuration steps
  • Penetration testing or red team exercises on authorized hosts where UAC bypass techniques are being validated using tools like UACME, Metasploit, or PowerShell Empire with proper change tickets
  • Linux DevOps engineers using 'sudo bash' or 'sudo -s' during interactive debugging sessions on build servers; consider allowlisting specific usernames or source IP ranges used by ops teams
Download portable Sigma rule (.yml)

Other platforms for T1548

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Fodhelper UAC Bypass — Registry Staging and Execution

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject containing HKCU\Software\Classes\ms-settings\shell\open\command, Details showing cmd.exe payload. Sysmon Event ID 1 (Process Create): Image=fodhelper.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1 again: ParentImage=fodhelper.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level — this is the UAC bypassed child. Security Event ID 4624 may show a new elevated token. MDE DeviceRegistryEvents will show ActionType=RegistryValueSet on the ms-settings key.

  2. Test 2Eventvwr UAC Bypass — mscfile COM Hijacking

    Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\mscfile\shell\open\command, Details=cmd.exe /c whoami /priv... Sysmon Event ID 1: Image=eventvwr.exe with MandatoryLabel=High Mandatory Level. Sysmon Event ID 1: ParentImage=eventvwr.exe, Image=cmd.exe, CommandLine containing whoami /priv, MandatoryLabel=High Mandatory Level. Security Event ID 4688 (if command line auditing enabled) with mandatory label showing High Integrity.

  3. Test 3Linux Setuid Bit Abuse — Copy Shell and Set SUID

    Expected signal: MDE DeviceProcessEvents (Linux): ProcessCommandLine containing 'chmod u+s /tmp/argus-suid-test'. Follow-on process event showing /tmp/argus-suid-test -p -c 'id; whoami' with AccountName of the test runner but effective UID of root in output. Linux audit log (auditd): SYSCALL records for chmod with mode=104755 (setuid+755), PATH record for the target file. /var/log/auth.log: sudo session opened for command /bin/chmod. Sysmon for Linux (if deployed): Event ID 1 showing chmod command, Event ID 1 showing suid binary execution.

  4. Test 4Sudo GTFOBins Privilege Escalation — Python Breakout

    Expected signal: Linux auth.log: sudo session opened for user root by testuser(uid=1000), COMMAND=/usr/bin/python3 -c import os... MDE DeviceProcessEvents (Linux): ProcessCommandLine='sudo python3 -c import os; os.setuid(0); os.system(id && whoami && cat /etc/shadow...' with AccountName=testuser. Auditd: SYSCALL setuid with uid=0 result=success from python3 process. The os.system('cat /etc/shadow') represents credential access following privilege escalation.

  5. Test 5sdclt UAC Bypass — Folder Shell Command Hijacking

    Expected signal: Sysmon Event ID 13: TargetObject=HKCU\Software\Classes\Folder\shell\open\command, Details=cmd.exe /c whoami /groups... Sysmon Event ID 1: Image=sdclt.exe with ProcessCommandLine containing /kickoffelev. Sysmon Event ID 1: ParentImage=sdclt.exe, Image=cmd.exe, MandatoryLabel=High Mandatory Level. MDE DeviceRegistryEvents: ActionType=RegistryValueSet on the Folder\shell\open\command key. If UAC bypass succeeds, whoami /groups output will show 'Mandatory Label\High Mandatory Level Label'.

Last updated: 2026-04-20 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1548 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (6)

Related Techniques

T1548.001Setuid and SetgidT1548.002Bypass User Account ControlT1548.003Sudo and Sudo CachingT1548.004Elevated Execution with PromptT1548.005Temporary Elevated Cloud AccessT1548.006TCC ManipulationT1055Process InjectionT1218.011Rundll32T1543.003Windows ServiceT1053.005Scheduled TaskT1112Modify RegistryT1562.001Disable or Modify Tools

Same Tactic: Privilege Escalation

Popular Detections