DET0395 macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection
| Item | Value |
|---|---|
| ID | DET0395 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1548.004 (Elevated Execution with Prompt)
Analytics
macOS
AN1111
Detects abuse of AuthorizationExecuteWithPrivileges API to gain elevated privileges via user credential prompts, typically through invocation of /usr/libexec/security_authtrampoline. Detection involves correlation of API usage, binary reputation, and prompt context.
Log Sources
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of /usr/libexec/security_authtrampoline or child processes originating from non-trusted binaries triggering credential prompts |
| OS API Execution (DC0021) | macos:unifiedlog | Calls to AuthorizationExecuteWithPrivileges() observed via Apple System Logger or security_auditing tools |
| User Account Authentication (DC0002) | macos:unifiedlog | User credential prompt events without associated trusted installer package |
Mutable Elements
| Field | Description |
|---|---|
| BinaryReputationList | Allow list of trusted binaries invoking elevation prompts |
| TimeWindow | Temporal correlation threshold between API call and credential prompt |
| PromptContextValidation | Heuristic filters to determine whether a prompt context matches known legitimate installers |