detecting-t1548-abuse-elevation-control-mechanism


Detecting T1548 Abuse Elevation Control Mechanism

When to Use

  • When hunting for privilege escalation via UAC bypass (T1548.002) in Windows environments
  • After threat intelligence reports UAC bypass techniques in use by active threat groups
  • When investigating how an attacker reached a high-integrity (administrative) process without a UAC consent prompt
  • During security assessments to validate UAC bypass detection coverage
  • When monitoring for setuid/setgid abuse (T1548.001) on Linux systems

Prerequisites

  • Sysmon Event ID 1 (ProcessCreate) with the CommandLine, ParentImage and IntegrityLevel fields retained
  • Windows Security Event ID 4688 (Audit Process Creation enabled, with command-line inclusion turned on; the Mandatory Label field carries the integrity level)
  • Registry auditing on the per-user hijack targets under HKCU\Software\Classes (for example ms-settings\Shell\Open\command, mscfile\shell\open\command and the DelegateExecute value); Security Event ID 4657 only fires if a SACL is set on these keys
  • Sysmon Event ID 12/13 (registry key create/delete and value set); note that Sysmon records the current-user hive as HKU\<SID>, not HKCU
  • EDR with elevation monitoring capabilities
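
The telemetry listed above is enough to detect the common fodhelper/eventvwr-style bypass: a write under a user hive's Software\Classes\<x>\shell\open\command followed by an auto-elevating binary spawning a High-integrity child. The following is an added example (not part of the skill's own files) that runs that logic over constructed Sysmon Event ID 13 and Event ID 1 records. The list of auto-elevating binaries, the five-minute correlation window and the field names in the sample records are assumptions for the example; they are not taken from the skill page.

```python
"""Detect UAC-bypass patterns (T1548.002) in Sysmon Event ID 1 and 13 records.

Added example. Events are dicts using the field names Sysmon emits
(UtcTime, User, Image, TargetObject, Details, ParentImage, IntegrityLevel).
"""
import re
from datetime import datetime, timedelta

# Sysmon writes the current-user hive as HKU\<SID>, so match on the
# Software\Classes\<class>\shell\open\command tail rather than on HKCU.
HIJACK_KEY = re.compile(
    r"\\Software\\Classes\\(?P<cls>[^\\]+)\\shell\\open\\command(\\(?P<val>[^\\]+))?$",
    re.IGNORECASE,
)
# Assumed set of autoElevate binaries commonly abused for UAC bypass.
AUTO_ELEVATE = {"fodhelper.exe", "eventvwr.exe", "computerdefaults.exe", "sdclt.exe", "slui.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def registry_hijacks(events):
    """Event 13 value sets under a user hive's Classes\\<x>\\shell\\open\\command."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13 or not ev["TargetObject"].upper().startswith("HKU\\"):
            continue
        m = HIJACK_KEY.search(ev["TargetObject"])
        if m:
            hits.append({"time": _ts(ev), "user": ev["User"], "writer": _base(ev["Image"]),
                         "class": m.group("cls"), "value": m.group("val") or "(Default)",
                         "details": ev.get("Details", "")})
    return hits


def elevated_children(events):
    """Event 1 where an auto-elevating binary spawns a High-integrity child."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if _base(ev["ParentImage"]) in AUTO_ELEVATE and ev.get("IntegrityLevel") == "High":
            hits.append({"time": _ts(ev), "user": ev["User"], "parent": _base(ev["ParentImage"]),
                         "child": _base(ev["Image"]), "cmdline": ev.get("CommandLine", "")})
    return hits


def correlate(events, window=WINDOW):
    """Pair each elevated child with earlier hijack writes by the same user.
    Both stages within the window -> 'high'; a lone stage -> 'medium'."""
    regs, kids = registry_hijacks(events), elevated_children(events)
    alerts, matched = [], set()
    for k in kids:
        prior = [r for r in regs if r["user"] == k["user"]
                 and 0 <= (k["time"] - r["time"]).total_seconds() <= window.total_seconds()]
        if prior:
            matched.update(id(r) for r in prior)
            alerts.append({"severity": "high", "stage": "hijack+spawn", "user": k["user"],
                           "parent": k["parent"], "child": k["child"],
                           "writes": [(r["class"], r["value"]) for r in prior]})
        else:
            alerts.append({"severity": "medium", "stage": "spawn", "user": k["user"],
                           "parent": k["parent"], "child": k["child"]})
    for r in regs:
        if id(r) not in matched:
            alerts.append({"severity": "medium", "stage": "hijack", "user": r["user"],
                           "writes": [(r["class"], r["value"])]})
    return alerts


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
FOD = "C:\\Windows\\System32\\fodhelper.exe"
# Constructed sample: a fodhelper bypass by jdoe, plus two benign events by asmith.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-05-01 10:00:01.000", "User": "CORP\\jdoe", "Image": PS,
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute",
     "Details": ""},
    {"EventID": 13, "UtcTime": "2024-05-01 10:00:02.000", "User": "CORP\\jdoe", "Image": PS,
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)",
     "Details": "C:\\Windows\\System32\\cmd.exe /c whoami > C:\\Users\\Public\\w.txt"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:04.000", "User": "CORP\\jdoe", "Image": FOD,
     "IntegrityLevel": "High", "ParentImage": PS, "CommandLine": "fodhelper.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:05.000", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "IntegrityLevel": "High", "ParentImage": FOD,
     "CommandLine": "C:\\Windows\\System32\\cmd.exe /c whoami > C:\\Users\\Public\\w.txt"},
    # Benign: file-association write that is not under shell\open\command.
    {"EventID": 13, "UtcTime": "2024-05-01 10:30:00.000", "User": "CORP\\asmith",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1002\\Software\\Classes\\.txt\\OpenWithProgids\\txtfile",
     "Details": ""},
    # Benign: fodhelper's normal elevated launch from Settings; parent is not in AUTO_ELEVATE.
    {"EventID": 1, "UtcTime": "2024-05-01 10:31:00.000", "User": "CORP\\asmith", "Image": FOD,
     "IntegrityLevel": "High", "ParentImage": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
     "CommandLine": "fodhelper.exe"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The key match is deliberately broad (any class under the user's Classes hive) because the hijacked ProgID changes with the chosen binary (ms-settings for fodhelper and computerdefaults, mscfile for eventvwr); the DelegateExecute write is the strongest single indicator. A user-hive write alone is flagged at medium severity so that a bypass whose elevated child is spawned later than the window, or under a differently named parent, is not lost.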

Workflow

Installs: 4
GitHub Stars: 6.2K
First Seen: Mar 18, 2026