detecting-t1548-abuse-elevation-control-mechanism
Installation
SKILL.md
Detecting T1548 Abuse Elevation Control Mechanism
When to Use
- When hunting for privilege escalation via UAC bypass in Windows environments
- After threat intelligence indicates use of UAC bypass exploits by active threat groups
- When investigating how attackers achieved administrative access without triggering UAC prompts
- During security assessments to validate UAC bypass detection coverage
- When monitoring for setuid/setgid abuse on Linux systems
Prerequisites
- Sysmon Event ID 1 with command-line and parent process logging
- Windows Security Event ID 4688 with process tracking
- Registry auditing for UAC-related keys (HKCU\Software\Classes)
- Sysmon Event ID 12/13 (Registry key/value modification)
- EDR with elevation monitoring capabilities