DET0388 Detection Strategy for T1548.002 – Bypass User Account Control (UAC)

Item	Value
ID	DET0388
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1548.002 (Bypass User Account Control)

Analytics

Windows

AN1094

Detects a multi-event behavior chain involving UAC bypass attempts via known auto-elevated binaries (e.g., eventvwr.exe, sdclt.exe), unauthorized Registry changes to UAC-related keys, and anomalous process execution with elevated privileges but lacking standard parent-child lineage. Suspicious patterns include invocation of auto-elevated COM objects or manipulation of isolatedCommand Registry entries without consent prompts.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688
Logon Session Metadata (DC0088)	WinEventLog:Security	EventCode=4672
Windows Registry Key Modification (DC0063)	WinEventLog:Sysmon	EventCode=13, 14
Process Access (DC0035)	WinEventLog:Sysmon	EventCode=10
Module Load (DC0016)	WinEventLog:Sysmon	EventCode=7

Mutable Elements

Field	Description
TimeWindow	Correlate registry tampering and elevation within a tunable time window (e.g., 30 seconds) to reduce noise from benign admin activity.
ElevatedProcessNameList	Tunable list of suspicious elevated binaries (e.g., sdclt.exe, eventvwr.exe, computerdefaults.exe) known to support UAC bypass.
ParentProcessAnomalyThreshold	Define logic for parent-child mismatch (e.g., non-elevated process spawning auto-elevated one) to flag uncommon elevation paths.