detecting-t1548-abuse-elevation-control-mechanism

```
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-t1548-abuse-elevation-control-mechanism
```

Monitor registry and process flags for UAC bypass attempts.
- Identifies privilege escalation via UAC bypass and setuid abuse.
- Integrates with Sysmon, Windows Security, and registry auditing.
- Correlates parent-child processes with elevated access indicators.
- Reports findings through structured alerts and threat intelligence feeds.
SKILL.md (.github/skills/detecting-t1548-abuse-elevation-control-mechanism)
---
name: detecting-t1548-abuse-elevation-control-mechanism
description: Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, uac-bypass, privilege-escalation, mitre-t1548, elevation-control, windows-security]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Detecting T1548 Abuse Elevation Control Mechanism
## When to Use
- When hunting for privilege escalation via UAC bypass in Windows environments
- After threat intelligence indicates use of UAC bypass exploits by active threat groups
- When investigating how attackers achieved administrative access without triggering UAC prompts
- During security assessments to validate UAC bypass detection coverage
- When monitoring for setuid/setgid abuse on Linux systems
## Prerequisites
- Sysmon Event ID 1 with command-line and parent process logging
- Windows Security Event ID 4688 with process tracking
- Registry auditing for UAC-related keys (HKCU\Software\Classes)
- Sysmon Event ID 12/13 (Registry key/value modification)
- EDR with elevation monitoring capabilities
## Workflow
1. **Monitor UAC Registry Modifications**: Many UAC bypasses modify registry keys under `HKCU\Software\Classes\ms-settings\shell\open\command` or `HKCU\Software\Classes\mscfile\shell\open\command`. Track Sysmon Events 12/13 for these changes.
2. **Detect Auto-Elevating Process Abuse**: Certain Windows binaries auto-elevate without UAC prompts (fodhelper.exe, computerdefaults.exe, eventvwr.exe). Hunt for these being launched by non-standard parent processes.
3. **Track Process Integrity Level Changes**: Monitor for processes escalating from medium to high integrity level without corresponding UAC consent events.
4. **Hunt for Elevated Process Spawning**: Detect when auto-elevating processes spawn unexpected children (cmd.exe, powershell.exe) -- indicating UAC bypass exploitation.
5. **Monitor Linux Elevation Abuse**: Track sudo misconfiguration exploitation, setuid binary abuse, and capability manipulation.
6. **Correlate with Privilege Escalation Chain**: Map elevation abuse to the broader attack chain, identifying what was done with escalated privileges.
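As an added example that is not part of the original skill, the following Python runs workflow steps 1, 2 and 4 as a single correlation pass over Sysmon events: a registry hit on the hijackable `shell\open\command` keys, an auto-elevating binary launched by an unexpected parent (raised to critical when a registry hit on the same host precedes it), and an auto-elevating binary spawning a shell. Field names follow Sysmon's Event 1/12/13 schema; the ten-minute window, the severity labels and the sample hosts and events are assumptions constructed for the demo.

```python
import re
from datetime import datetime, timedelta

# Sysmon logs HKCU keys as HKU\<SID>\..., so only the tail of the key path is anchored.
HIJACK_KEY = re.compile(r"\\Software\\Classes\\(ms-settings|mscfile|exefile|Folder)\\shell\\open\\command", re.I)
AUTO_ELEVATE = {"fodhelper.exe", "computerdefaults.exe", "eventvwr.exe", "sdclt.exe", "slui.exe", "cmstp.exe"}
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "services.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events, window=timedelta(minutes=10)):
    hijacks, findings = [], []  # hijacks: (time, host) of every step-1 registry hit seen so far
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t, host, user = datetime.fromisoformat(ev["UtcTime"]), ev["Computer"], ev["User"]
        if ev["EventID"] in (12, 13) and HIJACK_KEY.search(ev.get("TargetObject", "")):
            hijacks.append((t, host))
            findings.append({"rule": "uac_registry_hijack", "host": host, "user": user, "severity": "high",
                             "detail": f'{ev["TargetObject"]} = {ev.get("Details", "")}'})
        elif ev["EventID"] == 1:
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if image in AUTO_ELEVATE and parent not in EXPECTED_PARENTS:
                # Step 2, raised to critical when a step-1 hit on the same host precedes it within the window
                linked = any(h == host and timedelta(0) <= t - ht <= window for ht, h in hijacks)
                findings.append({"rule": "auto_elevate_odd_parent", "host": host, "user": user,
                                 "severity": "critical" if linked else "high", "detail": f"{parent} -> {image}"})
            if parent in AUTO_ELEVATE and image in SHELLS:  # Step 4: elevated binary spawned a shell
                findings.append({"rule": "auto_elevate_spawned_shell", "host": host, "user": user,
                                 "severity": "critical", "detail": f"{parent} -> {image}"})
    return findings

# Constructed sample telemetry (not real events): a hijack chain on WS01, benign activity on WS02.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-05-01 10:00:00.000", "Computer": "WS01", "User": "CORP\\alice",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe", "Image": "C:\\Windows\\System32\\reg.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:05.000", "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\fodhelper.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:06.000", "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\fodhelper.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:01:00.000", "Computer": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\fodhelper.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 13, "UtcTime": "2024-05-01 10:02:00.000", "Computer": "WS02", "User": "CORP\\bob",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1002\\Software\\Classes\\.txt\\shell\\open\\command\\(Default)",
     "Details": "notepad.exe %1", "Image": "C:\\Windows\\regedit.exe"},
]

FINDINGS = hunt(SAMPLE_EVENTS)  # three findings, all on WS01; WS02 produces none
```

Feeding real Sysmon events (for example, exported to JSON from the SIEM) in place of SAMPLE_EVENTS turns this into a quick triage pass for the Output Format fields below.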
## Key Concepts
| Concept | Description |
|---------|-------------|
| T1548.002 | Bypass User Account Control |
| T1548.001 | Setuid and Setgid (Linux) |
| T1548.003 | Sudo and Sudo Caching |
| T1548.004 | Elevated Execution with Prompt (macOS) |
| UAC Auto-Elevation | Windows binaries that elevate without prompt |
| fodhelper.exe | Common UAC bypass vector via registry hijack |
| eventvwr.exe | MSC file handler UAC bypass |
| Integrity Level | Windows process trust level (Low/Medium/High/System) |
## Detection Queries
### Splunk -- UAC Bypass via Registry Modification
```spl
index=sysmon (EventCode=12 OR EventCode=13)
| where match(TargetObject, "(?i)\\\\Software\\\\Classes\\\\(ms-settings|mscfile|exefile|Folder)\\\\shell\\\\open\\\\command")
| table _time Computer User EventCode TargetObject Details Image
```
Sysmon records per-user hives as `HKU\<SID>\Software\Classes\...` rather than `HKCU\...`, so the pattern matches on the `Software\Classes` tail instead of the hive name.
### Splunk -- Auto-Elevating Process Abuse
```spl
index=sysmon EventCode=1
| where match(Image, "(?i)(fodhelper|computerdefaults|eventvwr|sdclt|slui|cmstp)\.exe$")
| where NOT match(ParentImage, "(?i)(explorer|svchost|services)\.exe$")
| table _time Computer User Image CommandLine ParentImage ParentCommandLine
```
### KQL -- UAC Bypass Detection
```kql
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has_any ("ms-settings\\shell\\open\\command", "mscfile\\shell\\open\\command")
| where ActionType == "RegistryValueSet"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessFileName
```
### Sigma Rule
```yaml
title: UAC Bypass via Registry Modification
status: stable
logsource:
  product: windows
  category: registry_set
detection:
  selection:
    TargetObject|contains:
      - '\ms-settings\shell\open\command'
      - '\mscfile\shell\open\command'
      - '\exefile\shell\open\command'
  condition: selection
level: high
tags:
  - attack.privilege_escalation
  - attack.t1548.002
```
## Common Scenarios
1. **fodhelper.exe Registry Hijack**: Attacker sets `HKCU\Software\Classes\ms-settings\shell\open\command` to a malicious executable, then launches fodhelper.exe which auto-elevates and executes the hijacked command.
2. **eventvwr.exe MSC Bypass**: Modifying `HKCU\Software\Classes\mscfile\shell\open\command` to intercept Event Viewer's auto-elevation behavior.
3. **sdclt.exe Bypass**: Leveraging the Windows Backup utility's auto-elevation to execute arbitrary commands.
4. **CMSTP.exe INF Bypass**: Using Connection Manager Profile Installer with a malicious INF file to bypass UAC via `/s /ni` flags.
5. **DLL Hijacking in Auto-Elevate**: Placing malicious DLLs in search paths of auto-elevating executables.
## Output Format
```
Hunt ID: TH-UAC-[DATE]-[SEQ]
Host: [Hostname]
Bypass Method: [Registry hijack/DLL hijack/Token manipulation]
Auto-Elevate Binary: [fodhelper.exe/eventvwr.exe/etc.]
Registry Key Modified: [Full registry path]
Payload Executed: [Command or binary path]
User Context: [Account]
Risk Level: [Critical/High/Medium]
ATT&CK Technique: [T1548.00x]
```