Detecting T1548 Abuse Elevation Control Mechanism | Skills Pool
Detecting T1548 Abuse Elevation Control Mechanism
Detect abuse of elevation control mechanisms, including UAC bypass, sudo exploitation, and setuid/setgid manipulation, by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.
When hunting for privilege escalation via UAC bypass in Windows environments
After threat intelligence indicates use of UAC bypass exploits by active threat groups
When investigating how attackers achieved administrative access without triggering UAC prompts
During security assessments to validate UAC bypass detection coverage
When monitoring for setuid/setgid abuse on Linux systems
Prerequisites
Sysmon Event ID 1 with command-line and parent process logging
Windows Security Event ID 4688 with process tracking
Registry auditing for UAC-related keys (HKCU\Software\Classes)
Sysmon Event ID 12/13 (Registry key/value modification)
EDR with elevation monitoring capabilities
Workflow
Monitor UAC Registry Modifications: Many UAC bypasses modify registry keys under HKCU\Software\Classes\ms-settings\shell\open\command or HKCU\Software\Classes\mscfile\shell\open\command. Track Sysmon Events 12/13 for these changes. Note that Sysmon records the current user's hive as HKU\<SID>\Software\Classes\..., so a query that matches only the literal string HKCU will miss them.
Detect Auto-Elevating Process Abuse: Certain Windows binaries auto-elevate without UAC prompts (fodhelper.exe, computerdefaults.exe, eventvwr.exe). Hunt for these being launched by non-standard parent processes.
Track Process Integrity Level Changes: Monitor for processes escalating from medium to high integrity level (the IntegrityLevel field of Sysmon Event ID 1) without a corresponding UAC consent event.
Hunt for Elevated Process Spawning: Detect auto-elevating processes spawning unexpected high-integrity children (cmd.exe, powershell.exe); this pattern indicates UAC bypass exploitation.
Monitor Linux Elevation Abuse: Track sudo misconfiguration exploitation, setuid binary abuse, and capability manipulation.
Correlate with Privilege Escalation Chain: Map elevation abuse to the broader attack chain, identifying what was done with escalated privileges.
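The Windows steps of this workflow (handler-key hijack, an auto-elevating binary launched by an unexpected parent, a high-integrity shell spawned by that binary, and correlation of the two into a chain per host) as one added Python example. It is not part of the Skills Pool skill file. It runs over constructed Sysmon-like events; the field names (EventID, Computer, UtcTime, Image, ParentImage, IntegrityLevel, TargetObject) are assumed to mirror Sysmon's event data, and the host names, SID and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# Binaries that auto-elevate without a UAC prompt (same list as the skill's Splunk query)
AUTO_ELEVATE = {"fodhelper.exe", "computerdefaults.exe", "eventvwr.exe",
                "sdclt.exe", "slui.exe", "cmstp.exe"}
# Parents that normally launch them (a user in the shell, or a service host)
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "services.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Handler keys hijacked by UAC bypasses. Sysmon writes the current user's hive
# as HKU\<SID>\..., so both spellings are accepted.
HIJACK_KEY = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\Software\\Classes\\"
    r"(?:ms-settings|mscfile|exefile|Folder)\\shell\\open\\command", re.I)


def _name(path):
    """Basename of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    """Parse Sysmon UtcTime at second resolution (fractional seconds are dropped)."""
    return datetime.strptime(event["UtcTime"][:19], "%Y-%m-%d %H:%M:%S")


def detect(events):
    """Return (rule, computer, time, detail) for every event matching a workflow step."""
    hits = []
    for e in events:
        if e["EventID"] in (12, 13) and HIJACK_KEY.search(e.get("TargetObject", "")):
            hits.append(("uac_registry_hijack", e["Computer"], _ts(e), e["TargetObject"]))
        elif e["EventID"] == 1:
            image, parent = _name(e["Image"]), _name(e["ParentImage"])
            # auto-elevating binary started by something other than its usual parents
            if image in AUTO_ELEVATE and parent not in EXPECTED_PARENTS:
                hits.append(("auto_elevate_odd_parent", e["Computer"], _ts(e),
                             f"{parent} -> {image}"))
            # high-integrity shell spawned by an auto-elevating binary
            if parent in AUTO_ELEVATE and image in SHELLS and e.get("IntegrityLevel") == "High":
                hits.append(("elevated_shell_child", e["Computer"], _ts(e),
                             f"{parent} -> {image}"))
    return hits


def chains(hits, window=timedelta(minutes=10)):
    """Hosts where a handler hijack is followed by an elevated shell within the window."""
    found = []
    for hj in (h for h in hits if h[0] == "uac_registry_hijack"):
        for ch in (h for h in hits if h[0] == "elevated_shell_child" and h[1] == hj[1]):
            if timedelta(0) <= ch[2] - hj[2] <= window:
                found.append((hj[1], hj[3], ch[3]))
    return found


# Constructed Sysmon-like events: one benign Event Viewer launch, then a hijack sequence.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2024-05-01 10:00:00.000",
     "Image": r"C:\Windows\System32\eventvwr.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High"},
    {"EventID": 13, "Computer": "WS02", "UtcTime": "2024-05-01 11:00:00.000",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes"
                     r"\ms-settings\shell\open\command\(Default)"},
    {"EventID": 1, "Computer": "WS02", "UtcTime": "2024-05-01 11:00:05.000",
     "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "IntegrityLevel": "High"},
    {"EventID": 1, "Computer": "WS02", "UtcTime": "2024-05-01 11:00:06.000",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("chains:", chains(hits))
</```

The benign WS01 event produces nothing because Explorer is an expected parent for eventvwr.exe; the WS02 sequence produces three hits and one chain. The 10-minute window is a starting value to tune against your own telemetry.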
Key Concepts

| Concept | Description |
| --- | --- |
| T1548.002 | Bypass User Account Control |
| T1548.001 | Setuid and Setgid (Linux) |
| T1548.003 | Sudo and Sudo Caching |
| T1548.004 | Elevated Execution with Prompt (macOS) |
| UAC Auto-Elevation | Windows binaries that elevate without prompt |
| fodhelper.exe | Common UAC bypass vector via registry hijack |
| eventvwr.exe | MSC file handler UAC bypass |
| Integrity Level | Windows process trust level (Low/Medium/High/System) |
Detection Queries
Splunk -- UAC Bypass via Registry Modification
index=sysmon (EventCode=12 OR EventCode=13)
| where match(TargetObject, "(?i)^(HKCU|HKU\\\\[^\\\\]+)\\\\Software\\\\Classes\\\\(ms-settings|mscfile|exefile|Folder)\\\\shell\\\\open\\\\command")
| table _time Computer User EventCode TargetObject Details Image
Splunk -- Auto-Elevating Process Abuse
index=sysmon EventCode=1
| where match(Image, "(?i)(fodhelper|computerdefaults|eventvwr|sdclt|slui|cmstp)\.exe$")
| where NOT match(ParentImage, "(?i)(explorer|svchost|services)\.exe$")
| table _time Computer User Image CommandLine ParentImage ParentCommandLine
KQL -- UAC Bypass Detection
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has_any ("ms-settings\\shell\\open\\command", "mscfile\\shell\\open\\command")
| where ActionType == "RegistryValueSet"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessFileName
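For the Linux step of the workflow (setuid/setgid abuse and sudo caching, T1548.001 and T1548.003), an added Python example that is not from the skill file: it baselines setuid/setgid files under a directory tree, diffs a later scan against that baseline, and reviews sudoers text for passwordless rules, unrestricted command lists and credential-cache settings. The directory tree and the sudoers content are constructed inside the example; `demo_setuid_scan()` and `review_sudoers()` are names chosen here.

```python
import os
import re
import stat
import tempfile


def find_setuid_setgid(root):
    """Map path -> permission bits for regular files under root with setuid or setgid set."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = stat.S_IMODE(st.st_mode)
    return found


def diff_baseline(current, baseline):
    """Split a fresh scan into new, changed-mode and removed entries relative to a baseline."""
    added = {p: m for p, m in current.items() if p not in baseline}
    changed = {p: m for p, m in current.items() if p in baseline and baseline[p] != m}
    removed = sorted(set(baseline) - set(current))
    return added, changed, removed


# sudoers tag words that may precede the command list
_TAGS = re.compile(r"\b(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")
_USER_SPEC = re.compile(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")


def review_sudoers(text):
    """Return (line_no, finding, line) for sudoers lines that weaken elevation control."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            # T1548.003: cached credentials that never expire, or are shared across ttys
            if re.search(r"timestamp_timeout\s*=\s*-1", line):
                findings.append((n, "sudo credential cache never expires", line))
            if "!tty_tickets" in line:
                findings.append((n, "credential cache shared across terminals", line))
            continue
        m = _USER_SPEC.match(line)
        if not m:
            continue
        who, cmds = m.groups()
        if "NOPASSWD" in cmds:
            findings.append((n, f"{who} may run sudo without a password", line))
        if _TAGS.sub("", cmds).strip() == "ALL":
            findings.append((n, f"{who} may run any command", line))
    return findings


# Constructed sudoers content for the demo; not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults    env_reset
Defaults    timestamp_timeout=-1
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""


def demo_setuid_scan():
    """Build a constructed tree, baseline it, then introduce a new setuid file and a mode change."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "usr", "bin")
        os.makedirs(bin_dir)

        def mk(name, mode):
            path = os.path.join(bin_dir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
            return path

        passwd = mk("passwd", 0o4755)       # expected setuid binary
        mk("ls", 0o755)                     # ordinary binary, no special bits
        baseline = find_setuid_setgid(root)
        mk("helper", 0o4755)                # new setuid file appears after the baseline
        os.chmod(passwd, 0o6755)            # known binary gains setgid as well
        added, changed, removed = diff_baseline(find_setuid_setgid(root), baseline)
        return {"added": sorted(os.path.relpath(p, root) for p in added),
                "changed": sorted(os.path.relpath(p, root) for p in changed),
                "removed": removed}


if __name__ == "__main__":
    print(demo_setuid_scan())
    for finding in review_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

On a real host, run `find_setuid_setgid("/")` from a scheduled job and keep the baseline under change control; a new entry or a mode change is the signal to investigate. The sudoers review is a static check and does not expand `#include` directives, so run it over each file in /etc/sudoers.d as well.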