Detecting T1548 Abuse Elevation Control Mechanism

When to Use

When hunting for privilege escalation via UAC bypass in Windows environments
After threat intelligence indicates use of UAC bypass exploits by active threat groups
When investigating how attackers achieved administrative access without triggering UAC prompts
During security assessments to validate UAC bypass detection coverage
When monitoring for setuid/setgid abuse on Linux systems

Prerequisites

Sysmon Event ID 1 with command-line and parent process logging
Windows Security Event ID 4688 with process tracking
Registry auditing for UAC-related keys (HKCU\Software\Classes)
Sysmon Event ID 12/13 (Registry key/value modification)
EDR with elevation monitoring capabilities

Workflow

Monitor UAC Registry Modifications: Many UAC bypasses modify registry keys under HKCU\Software\Classes\ms-settings\shell\open\command or HKCU\Software\Classes\mscfile\shell\open\command. Track Sysmon Events 12/13 for these changes.
Detect Auto-Elevating Process Abuse: Certain Windows binaries auto-elevate without UAC prompts (fodhelper.exe, computerdefaults.exe, eventvwr.exe). Hunt for these being launched by non-standard parent processes.
Track Process Integrity Level Changes: Monitor for processes escalating from medium to high integrity level without corresponding UAC consent events.
Hunt for Elevated Process Spawning: Detect when auto-elevating processes spawn unexpected children (cmd.exe, powershell.exe) -- indicating UAC bypass exploitation.
Monitor Linux Elevation Abuse: Track sudo misconfiguration exploitation, setuid binary abuse, and capability manipulation.
Correlate with Privilege Escalation Chain: Map elevation abuse to the broader attack chain, identifying what was done with escalated privileges.

Key Concepts

Concept	Description
T1548.002	Bypass User Account Control
T1548.001	Setuid and Setgid (Linux)
T1548.003	Sudo and Sudo Caching
T1548.004	Elevated Execution with Prompt (macOS)
UAC Auto-Elevation	Windows binaries that elevate without prompt
fodhelper.exe	Common UAC bypass vector via registry hijack
eventvwr.exe	MSC file handler UAC bypass
Integrity Level	Windows process trust level (Low/Medium/High/System)

Detection Queries

Splunk -- UAC Bypass via Registry Modification

index=sysmon (EventCode=12 OR EventCode=13)
| where match(TargetObject, "(?i)HKCU\\\\Software\\\\Classes\\\\(ms-settings|mscfile|exefile|Folder)\\\\shell\\\\open\\\\command")
| table _time Computer User EventCode TargetObject Details Image

Splunk -- Auto-Elevating Process Abuse

index=sysmon EventCode=1
| where match(Image, "(?i)(fodhelper|computerdefaults|eventvwr|sdclt|slui|cmstp)\.exe$")
| where NOT match(ParentImage, "(?i)(explorer|svchost|services)\.exe$")
| table _time Computer User Image CommandLine ParentImage ParentCommandLine

KQL -- UAC Bypass Detection

DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has_any ("ms-settings\\shell\\open\\command", "mscfile\\shell\\open\\command")
| where ActionType == "RegistryValueSet"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessFileName

Sigma Rule

title: UAC Bypass via Registry Modification
status: stable
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\ms-settings\shell\open\command'
            - '\mscfile\shell\open\command'
            - '\exefile\shell\open\command'
    condition: selection
level: high
tags:
    - attack.privilege_escalation
    - attack.t1548.002

Common Scenarios

fodhelper.exe Registry Hijack: Attacker sets HKCU\Software\Classes\ms-settings\shell\open\command to a malicious executable, then launches fodhelper.exe which auto-elevates and executes the hijacked command.
eventvwr.exe MSC Bypass: Modifying HKCU\Software\Classes\mscfile\shell\open\command to intercept Event Viewer's auto-elevation behavior.
sdclt.exe Bypass: Leveraging the Windows Backup utility's auto-elevation to execute arbitrary commands.
CMSTP.exe INF Bypass: Using Connection Manager Profile Installer with a malicious INF file to bypass UAC via /s /ni flags.
DLL Hijacking in Auto-Elevate: Placing malicious DLLs in search paths of auto-elevating executables.

Output Format

Hunt ID: TH-UAC-[DATE]-[SEQ]
Host: [Hostname]
Bypass Method: [Registry hijack/DLL hijack/Token manipulation]
Auto-Elevate Binary: [fodhelper.exe/eventvwr.exe/etc.]
Registry Key Modified: [Full registry path]
Payload Executed: [Command or binary path]
User Context: [Account]
Risk Level: [Critical/High/Medium]
ATT&CK Technique: [T1548.00x]

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.2 (Anomaly Detection), CC7.3 (Incident Identification)
ISO 27001: A.12.4 (Logging & Monitoring), A.16.1 (Security Incident Management)
NIST 800-53: SI-4 (System Monitoring), IR-4 (Incident Handling), RA-5 (Vulnerability Scanning)
NIST CSF: DE.AE (Anomalies & Events), DE.CM (Continuous Monitoring), DE.DP (Detection Processes)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add detecting-t1548-abuse-elevation-control-mechanism

# Or load dynamically via MCP
grc.load_skill("detecting-t1548-abuse-elevation-control-mechanism")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Detecting T1548 Abuse Elevation Control Mechanism

When to Use

When hunting for privilege escalation via UAC bypass in Windows environments
After threat intelligence indicates use of UAC bypass exploits by active threat groups
When investigating how attackers achieved administrative access without triggering UAC prompts
During security assessments to validate UAC bypass detection coverage
When monitoring for setuid/setgid abuse on Linux systems

Prerequisites

Sysmon Event ID 1 with command-line and parent process logging
Windows Security Event ID 4688 with process tracking
Registry auditing for UAC-related keys (HKCU\Software\Classes)
Sysmon Event ID 12/13 (Registry key/value modification)
EDR with elevation monitoring capabilities

Workflow

Monitor UAC Registry Modifications: Many UAC bypasses modify registry keys under HKCU\Software\Classes\ms-settings\shell\open\command or HKCU\Software\Classes\mscfile\shell\open\command. Track Sysmon Events 12/13 for these changes.
Detect Auto-Elevating Process Abuse: Certain Windows binaries auto-elevate without UAC prompts (fodhelper.exe, computerdefaults.exe, eventvwr.exe). Hunt for these being launched by non-standard parent processes.
Track Process Integrity Level Changes: Monitor for processes escalating from medium to high integrity level without corresponding UAC consent events.
Hunt for Elevated Process Spawning: Detect when auto-elevating processes spawn unexpected children (cmd.exe, powershell.exe) -- indicating UAC bypass exploitation.
Monitor Linux Elevation Abuse: Track sudo misconfiguration exploitation, setuid binary abuse, and capability manipulation.
Correlate with Privilege Escalation Chain: Map elevation abuse to the broader attack chain, identifying what was done with escalated privileges.

Key Concepts

Concept	Description
T1548.002	Bypass User Account Control
T1548.001	Setuid and Setgid (Linux)
T1548.003	Sudo and Sudo Caching
T1548.004	Elevated Execution with Prompt (macOS)
UAC Auto-Elevation	Windows binaries that elevate without prompt
fodhelper.exe	Common UAC bypass vector via registry hijack
eventvwr.exe	MSC file handler UAC bypass
Integrity Level	Windows process trust level (Low/Medium/High/System)

Detection Queries

Splunk -- UAC Bypass via Registry Modification

index=sysmon (EventCode=12 OR EventCode=13)
| where match(TargetObject, "(?i)HKCU\\\\Software\\\\Classes\\\\(ms-settings|mscfile|exefile|Folder)\\\\shell\\\\open\\\\command")
| table _time Computer User EventCode TargetObject Details Image

Splunk -- Auto-Elevating Process Abuse

index=sysmon EventCode=1
| where match(Image, "(?i)(fodhelper|computerdefaults|eventvwr|sdclt|slui|cmstp)\.exe$")
| where NOT match(ParentImage, "(?i)(explorer|svchost|services)\.exe$")
| table _time Computer User Image CommandLine ParentImage ParentCommandLine

KQL -- UAC Bypass Detection

DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has_any ("ms-settings\\shell\\open\\command", "mscfile\\shell\\open\\command")
| where ActionType == "RegistryValueSet"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessFileName

Sigma Rule

title: UAC Bypass via Registry Modification
status: stable
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\ms-settings\shell\open\command'
            - '\mscfile\shell\open\command'
            - '\exefile\shell\open\command'
    condition: selection
level: high
tags:
    - attack.privilege_escalation
    - attack.t1548.002

Common Scenarios

fodhelper.exe Registry Hijack: Attacker sets HKCU\Software\Classes\ms-settings\shell\open\command to a malicious executable, then launches fodhelper.exe which auto-elevates and executes the hijacked command.
eventvwr.exe MSC Bypass: Modifying HKCU\Software\Classes\mscfile\shell\open\command to intercept Event Viewer's auto-elevation behavior.
sdclt.exe Bypass: Leveraging the Windows Backup utility's auto-elevation to execute arbitrary commands.
CMSTP.exe INF Bypass: Using Connection Manager Profile Installer with a malicious INF file to bypass UAC via /s /ni flags.
DLL Hijacking in Auto-Elevate: Placing malicious DLLs in search paths of auto-elevating executables.

Output Format

Hunt ID: TH-UAC-[DATE]-[SEQ]
Host: [Hostname]
Bypass Method: [Registry hijack/DLL hijack/Token manipulation]
Auto-Elevate Binary: [fodhelper.exe/eventvwr.exe/etc.]
Registry Key Modified: [Full registry path]
Payload Executed: [Command or binary path]
User Context: [Account]
Risk Level: [Critical/High/Medium]
ATT&CK Technique: [T1548.00x]

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.2 (Anomaly Detection), CC7.3 (Incident Identification)
ISO 27001: A.12.4 (Logging & Monitoring), A.16.1 (Security Incident Management)
NIST 800-53: SI-4 (System Monitoring), IR-4 (Incident Handling), RA-5 (Vulnerability Scanning)
NIST CSF: DE.AE (Anomalies & Events), DE.CM (Continuous Monitoring), DE.DP (Detection Processes)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add detecting-t1548-abuse-elevation-control-mechanism

# Or load dynamically via MCP
grc.load_skill("detecting-t1548-abuse-elevation-control-mechanism")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

MITRE ATT&CK Coverage

Detecting T1548 Abuse Elevation Control Mechanism

When to Use

Prerequisites

Workflow

Key Concepts

Detection Queries

Splunk -- UAC Bypass via Registry Modification

Splunk -- Auto-Elevating Process Abuse

KQL -- UAC Bypass Detection

Sigma Rule

Common Scenarios

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting Privilege Escalation Attempts

Detecting Malicious Scheduled Tasks with Sysmon

Detecting Service Account Abuse

Analyzing PowerShell Empire Artifacts

Detecting Credential Dumping with EDR

Analyzing Persistence Mechanisms in Linux

Prerequisites

MITRE ATT&CK Coverage

Detecting T1548 Abuse Elevation Control Mechanism

When to Use

Prerequisites

Workflow

Key Concepts

Detection Queries

Splunk -- UAC Bypass via Registry Modification

Splunk -- Auto-Elevating Process Abuse

KQL -- UAC Bypass Detection

Sigma Rule

Common Scenarios

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting Privilege Escalation Attempts

Detecting Malicious Scheduled Tasks with Sysmon

Detecting Service Account Abuse

Analyzing PowerShell Empire Artifacts

Detecting Credential Dumping with EDR

Analyzing Persistence Mechanisms in Linux