Skip to content

DET0345 Detection Strategy for Abuse Elevation Control Mechanism (T1548)

Item Value
ID DET0345
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1548 (Abuse Elevation Control Mechanism)

Analytics

Windows

AN0975

Correlate registry modifications (e.g., UAC bypass registry keys), unusual parent-child process relationships (e.g., control.exe spawning cmd.exe), and unsigned elevated process executions with non-standard tokens or elevation flags.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Logon Session Metadata (DC0088) WinEventLog:Security EventCode=4672
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13, 14
Mutable Elements
Field Description
ElevatedProcessPath Paths to monitor for unsigned or unexpected elevated binaries
ParentProcessName Parent-child execution chains that are suspicious in the local environment
TimeWindow Time between registry modification and elevated process spawn

Linux

AN0976

Monitor audit logs for setuid/setgid bit changes, executions where UID ≠ EUID (indicative of sudo or privilege escalation), and high-integrity binaries launched by unprivileged users.

Log Sources
Data Component Name Channel
File Metadata (DC0059) auditd:SYSCALL setuid or setgid bit changes
Process Metadata (DC0034) auditd:SYSCALL execve with UID ≠ EUID
OS API Execution (DC0021) auditd:SYSCALL sudo or pkexec invocation
Mutable Elements
Field Description
WatchedDirectories Paths where unauthorized setuid binaries may be dropped
UserContext Which users are allowed to run sudo/pkexec or modify binaries
TimeWindow Duration between file permission change and elevated command execution

macOS

AN0977

Detect execution of /usr/libexec/security_authtrampoline or use of AuthorizationExecuteWithPrivileges API, and monitor process lineage for unusual launches of GUI apps with escalated privileges.

Log Sources
Data Component Name Channel
OS API Execution (DC0021) macos:unifiedlog authorization execute privilege requests
Process Metadata (DC0034) auditd:SYSCALL execve with escalated privileges
Process Creation (DC0032) fs:fsusage binary execution of security_authtrampoline
Mutable Elements
Field Description
WatchedBinaries Specify binaries frequently targeted for privilege escalation
ExecutionParent Which applications should never be allowed to spawn elevated processes

Identity Provider

AN0978

Monitor for unexpected privilege elevation operations via SAML assertion manipulation, role injection, or changes to identity mappings that result in access escalation.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) azure:signinlogs unusual role assumption or elevation path
Mutable Elements
Field Description
AuthorizedRoleMappings Roles or groups that should never be assumed outside designated paths
TimeWindow Time between assertion issuance and critical privilege use

IaaS

AN0979

Detect sudden privilege escalations such as IAM role changes, user-assigned privilege boundaries, or elevation via assumed roles beyond normal behavior.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) AWS:CloudTrail role privilege expansion detected
Process Metadata (DC0034) AWS:CloudTrail cross-account or unexpected assume role
Mutable Elements
Field Description
PermittedRoleTransitions Define valid transitions between IAM roles
CrossAccountBoundary Should flag if assumption crosses trust boundary