title: Bypass User Account Control (T1548.002)
id: df00tech-t1548-002
status: experimental
description: "Adversaries bypass Windows User Account Control (UAC) to execute code with elevated privileges without triggering user prompts. Common methods include: eventvwr.exe hijacking (ZeroT, Koadic), fodhelper.exe Registry key abuse (Saint Bot), sdclt.exe App Paths abuse (WarzoneRAT), CMSTPLUA COM interface (Avaddon), and DLL hijacking via auto-elevated applications (ShimRat via migwiz.exe). Used by BlackCat, LockBit 2.0/3.0, Cobalt Strike, DarkGate, Evilnum, APT37, APT38, BRONZE BUTLER, and many others. UACME documents 70+ bypass methods."
references:
  - https://attack.mitre.org/techniques/T1548/002/
  - https://df00tech.com/detections/T1548.002
author: df00tech
date: 2026/04/20
tags:
  - attack.t1548.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate administrative tools that invoke auto-elevating binaries (some vendor software uses eventvwr.exe legitimately)
  - IT management software that uses CMSTP/COM elevation for authorized software deployment
  - Pentest tools performing authorized UAC bypass testing on test endpoints
  - Application compatibility shims that may trigger auto-elevation paths
level: high