title: Abuse Elevation Control Mechanism (T1548)
id: df00tech-t1548
status: experimental
description: "Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms intended to limit the privileges a user can exercise. Adversaries abuse these mechanisms across Windows (UAC bypass via auto-elevate binaries, COM object hijacking, DLL side-loading into elevated processes), Linux (setuid/setgid bit abuse, sudo misconfiguration, pkexec exploitation), macOS (TCC database manipulation, Elevated Execution with Prompt), and cloud environments (temporary elevated role assumption, IAM privilege escalation). Real-world actors including UNC3886 and malware such as Raspberry Robin have used these techniques to obtain SYSTEM or root privileges, on Windows without triggering the standard UAC consent prompt."
references:
  - https://attack.mitre.org/techniques/T1548/
  - https://df00tech.com/detections/T1548
author: df00tech
date: 2026/04/20
tags:
  - attack.t1548
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder only: this detection logic could not be auto-translated, and the
  # selection below matches EVERY process_creation event. Do not deploy the rule
  # as-is; replace the selection with the KQL/SPL query on df00tech (see references).
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installers that legitimately invoke auto-elevate binaries as part of their installation workflow (e.g., Windows installer packages that chain through fodhelper)"
  - Group Policy and SCCM/Intune deployments that spawn cmd.exe or PowerShell as children of management binaries during system configuration
  - "IT administration tools (MMC snap-ins, Remote Server Administration Tools) that legitimately elevate to High integrity when launched by administrators via RunAs"
  - "Linux package managers (apt, yum, dnf) invoking sudo for legitimate system package installation and upgrade operations"
  - "Developer build systems using chmod to mark compiled executables or test binaries, and CI/CD pipelines running as non-root that sudo to install dependencies"
level: high
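The following is an added example and is not part of the df00tech rule above or of the KQL/SPL query it refers to. It applies one concrete instance of the T1548 behaviour the rule targets, an auto-elevate binary such as fodhelper.exe spawning a shell that already runs at High integrity, to constructed Sysmon Event ID 1 (process_creation) records. Field names follow the Sysmon schema (Image, ParentImage, IntegrityLevel, CommandLine, ProcessId); the set of parent binaries, the shell list and the installer allow-list marker are assumptions to tune per environment, and the sample events are constructed, not real telemetry.

```python
# Added example, not the df00tech rule's own logic: a matcher for the
# "auto-elevate binary spawns a High-integrity shell" pattern over constructed
# Sysmon Event ID 1 (process_creation) records.

from typing import Iterable

# Auto-elevate parents to watch. The rule's falsepositives section names only
# fodhelper.exe; extend this set from your own environment (assumption).
AUTO_ELEVATE_PARENTS = {"fodhelper.exe"}

# Child processes whose appearance under an auto-elevate parent is suspicious.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Hypothetical tuning hook for the "installer chains through fodhelper" false
# positive: command-line substrings of children you have verified as benign.
ALLOWED_COMMANDLINE_MARKERS = {"\\setup\\postinstall.cmd"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_uac_bypass_candidate(event: dict) -> bool:
    """True when an auto-elevate binary spawns a shell that already runs at
    High integrity, i.e. the child inherited elevation without a consent prompt."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in AUTO_ELEVATE_PARENTS or child not in SHELL_CHILDREN:
        return False
    # A Medium-integrity child means the parent did not auto-elevate (for example
    # the user is not a local admin), so no elevation control was bypassed.
    if event.get("IntegrityLevel") != "High":
        return False
    cmdline = event.get("CommandLine", "").lower()
    return not any(m.lower() in cmdline for m in ALLOWED_COMMANDLINE_MARKERS)


def alerts(events: Iterable[dict]) -> list:
    """Return the ProcessIds of matching events, in input order."""
    return [e["ProcessId"] for e in events if is_uac_bypass_candidate(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # fodhelper-style bypass: the hijacked ms-settings handler launches cmd.exe
        "ProcessId": 4412,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c whoami /groups > C:\\Users\\Public\\g.txt",
        "ParentImage": "C:\\Windows\\System32\\fodhelper.exe",
        "IntegrityLevel": "High",
    },
    {   # same parent/child pair, but the allow-listed installer marker is present
        "ProcessId": 4420,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c C:\\Program Files\\Vendor\\setup\\postinstall.cmd",
        "ParentImage": "C:\\Windows\\System32\\fodhelper.exe",
        "IntegrityLevel": "High",
    },
    {   # fodhelper ran for a non-admin user: child stays Medium, nothing bypassed
        "ProcessId": 4431,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAA==",
        "ParentImage": "C:\\Windows\\System32\\fodhelper.exe",
        "IntegrityLevel": "Medium",
    },
    {   # High-integrity shell whose parent is not an auto-elevate binary
        "ProcessId": 4450,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "IntegrityLevel": "High",
    },
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [4412]
```

Only the first event fires: the installer chain is suppressed by the allow-list marker, the Medium-integrity child shows no elevation was gained, and the last shell has no auto-elevate parent. The IntegrityLevel check is what separates a real bypass from fodhelper simply running; without it the same parent/child pair would also fire for users who cannot elevate at all.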
