title: Elevated Execution with Prompt (T1548.004)
id: df00tech-t1548-004
status: experimental
description: "Adversaries may leverage the deprecated macOS AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials. The API exists so that applications can run installation or update steps as root once an administrator authenticates; it does not verify that the program requesting elevation comes from a trusted source or that it has not been modified, so a malicious or tampered application can raise the same system authentication dialog a legitimate installer would, and the user has no reliable visual cue that anything is wrong. ProtonB malware has used this technique. Apple has deprecated the API, but it still functions in current macOS releases, so its use is not confined to old software."
references:
  - https://attack.mitre.org/techniques/T1548/004/
  - https://df00tech.com/detections/T1548.004
author: df00tech
date: 2026/03/11
tags:
  - attack.t1548.004
# logsource set to macOS: AuthorizationExecuteWithPrivileges and osascript exist only there,
# so a Windows process_creation source can never match this technique.
logsource:
  category: process_creation
  product: macos
detection:
  # Selections derived from MITRE's detection guidance for T1548.004 (see references):
  # AuthorizationExecuteWithPrivileges runs its target through
  # /usr/libexec/security_authtrampoline, and AppleScript's
  # "with administrator privileges" reaches the same credential prompt.
  # The canonical KQL/SPL query is on df00tech; adjust field names to your backend.
  selection_authtrampoline:
    Image|endswith: '/usr/libexec/security_authtrampoline'
  selection_osascript:
    Image|endswith: '/osascript'
    CommandLine|contains: 'with administrator privileges'
  condition: 1 of selection_*
falsepositives:
  - "Legitimate applications that use AuthorizationExecuteWithPrivileges for installation or update (though this API is deprecated, some older apps still use it)"
  - IT management software using osascript with admin privileges for system configuration
  - Authorized scripting tools that use AppleScript elevation for legitimate administrative tasks
  - Some legitimate macOS installer packages that request elevation during installation
level: high
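The following is an added example, not part of the df00tech rule or of MITRE's page: it applies the two selections above (security_authtrampoline execution, and osascript with "with administrator privileges") to a handful of constructed macOS process-creation events, with a parent-path allowlist standing in for the false-positive tuning listed in the rule. The JSON lines, application names, the /Library/Management/ path and the field names (Image, CommandLine, ParentImage, following Sigma's generic process_creation taxonomy) are all assumptions made for the example; real sensor output will differ.

```python
"""Added example, not part of the df00tech rule or of MITRE's page: the
T1548.004 detection logic applied to constructed macOS process-creation
events.

Two selections are evaluated, mirroring the rule above:
  selection_authtrampoline: execution of /usr/libexec/security_authtrampoline,
      the helper AuthorizationExecuteWithPrivileges launches to run its
      target as root.
  selection_osascript: osascript invoked with "with administrator privileges",
      the AppleScript route to the same credential prompt.
The JSON lines, app names and field names (Image, CommandLine, ParentImage)
are constructed for this example and follow Sigma's generic
process_creation taxonomy; real telemetry will differ per sensor.
"""
import json
import re
from dataclasses import dataclass

TRAMPOLINE = "/usr/libexec/security_authtrampoline"
# AppleScript keywords are case-insensitive and tolerate extra whitespace,
# so a plain substring match would miss trivial variations.
ADMIN_PRIV_RE = re.compile(r"with\s+administrator\s+privileges", re.IGNORECASE)

# Constructed sample events as JSON lines, not real logs. A raw string keeps
# the JSON escape sequences intact.
SAMPLE_JSONL = r"""
{"Image": "/usr/libexec/security_authtrampoline", "ParentImage": "/Users/alice/Downloads/Player.app/Contents/MacOS/Player", "CommandLine": "/usr/libexec/security_authtrampoline /bin/sh -c 'cp /tmp/.agent /Library/LaunchDaemons/'"}
{"Image": "/usr/bin/osascript", "ParentImage": "/Users/alice/Downloads/Setup", "CommandLine": "osascript -e 'do shell script \"launchctl load /Library/LaunchDaemons/com.example.agent.plist\" With Administrator Privileges'"}
{"Image": "/usr/bin/osascript", "ParentImage": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "CommandLine": "osascript -e 'display dialog \"Backup finished\"'"}
{"Image": "/usr/libexec/security_authtrampoline", "ParentImage": "/Library/Management/agent", "CommandLine": "/usr/libexec/security_authtrampoline /usr/sbin/installer -pkg /tmp/update.pkg -target /"}
{"Image": "/bin/ls", "ParentImage": "/bin/bash", "CommandLine": "ls -la /Library/LaunchDaemons"}
"""


@dataclass
class Alert:
    selection: str
    image: str
    parent_image: str
    command_line: str


def parse_jsonl(text):
    """One event dict per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matched_selection(event):
    """Return the name of the selection the event matches, or None."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if image.endswith(TRAMPOLINE):
        return "selection_authtrampoline"
    if image.endswith("/osascript") and ADMIN_PRIV_RE.search(cmd):
        return "selection_osascript"
    return None


def evaluate(events, parent_allowlist=()):
    """Apply both selections; suppress hits whose parent is on the allowlist.

    The allowlist is where the falsepositives above get tuned. List a known
    management agent or installer by its full parent path, never by basename
    alone: the trampoline is reached by whatever application called it, so
    the parent is the only field that says who asked for elevation.
    """
    alerts = []
    for ev in events:
        sel = matched_selection(ev)
        if sel is None:
            continue
        parent = ev.get("ParentImage", "")
        if any(parent.startswith(prefix) for prefix in parent_allowlist):
            continue
        alerts.append(Alert(sel, ev.get("Image", ""), parent, ev.get("CommandLine", "")))
    return alerts


def run_sample(parent_allowlist=("/Library/Management/",)):
    """Evaluate the constructed events with the assumed allowlist."""
    return evaluate(parse_jsonl(SAMPLE_JSONL), parent_allowlist)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.selection}: {a.image} <- {a.parent_image}")
        print(f"    {a.command_line}")
```

With the assumed allowlist, the run flags the trampoline launched from a Downloads-resident app and the osascript elevation from an unsigned setup binary, and suppresses the management agent's installer run; without the allowlist the third event fires too, which is the trade-off the rule's level should be read against.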
