Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1548.004

Tactic: Privilege Escalation

Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials. The API exists to give application developers an easy way to perform operations with root privileges, such as installing or updating an application. It does not validate that the program requesting root privileges comes from a reputable source, nor that it has not been maliciously modified, so a malicious program can call it and present the user with the standard system credential prompt.

Authoring guide

Patterns shared across the 2 rules under this technique: which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (8 distinct)

The fields most rules look at when detecting this technique. The How column lists the operators rule authors use (eq, in, wildcard, starts_with, regex_match, match) and how many rules use each. Sample values are concrete examples to start from, not an exhaustive list.

Field                                   | Rules | How             | Sample values
----------------------------------------+-------+-----------------+-----------------------------------------
event.type                              | 2     | in (2)          | process_started, start
host.os.type                            | 2     | eq (2)          |
process_name                            | 2     | eq (2)          | osascript, security_authtrampoline
CommandLine                             | 1     | wildcard (1)    | osascript*with administrator privileges
parent_process_name                     | 1     | wildcard (1)    | bash, com.apple.automator.runner, dash
process.Ext.effective_parent.executable | 1     | starts_with (1) | /Users/Shared/, /private/tmp/, /tmp/
process.parent.code_signature.exists    | 1     | eq (1)          | false
process.parent.code_signature.trusted   | 1     | eq (1)          | false

Top indicator values (21 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own (here the event.type values, process_name eq osascript, and an untrusted parent code signature); combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field                                   | Kind        | Value                                   | Rules (here) | Corpus reach
----------------------------------------+-------------+-----------------------------------------+--------------+-------------
event.type                              | in          | process_started                         | 2            | 40
event.type                              | in          | start                                   | 2            | 42
CommandLine                             | wildcard    | osascript*with administrator privileges | 1            |
parent_process_name                     | wildcard    | bash                                    | 1            | 7
parent_process_name                     | wildcard    | com.apple.automator.runner              | 1            |
parent_process_name                     | wildcard    | dash                                    | 1            | 2
parent_process_name                     | wildcard    | osascript                               | 1            | 6
parent_process_name                     | wildcard    | perl*                                   | 1            | 3
parent_process_name                     | wildcard    | php*                                    | 1            | 4
parent_process_name                     | wildcard    | pwsh                                    | 1            |
parent_process_name                     | wildcard    | python*                                 | 1            | 8
parent_process_name                     | wildcard    | ruby                                    | 1            | 2
parent_process_name                     | wildcard    | sh                                      | 1            | 7
parent_process_name                     | wildcard    | zsh                                     | 1            | 7
process.Ext.effective_parent.executable | starts_with | /Users/Shared/                          | 1            |
process.Ext.effective_parent.executable | starts_with | /private/tmp/                           | 1            |
process.Ext.effective_parent.executable | starts_with | /tmp/                                   | 1            |
process.parent.code_signature.exists    | eq          | false                                   | 1            | 9
process.parent.code_signature.trusted   | eq          | false                                   | 1            | 10
process_name                            | eq          | osascript                               | 1            | 10
process_name                            | eq          | security_authtrampoline                 | 1            |
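The two field groupings above (a scripting parent launching osascript with "with administrator privileges", and security_authtrampoline or osascript started by an untrusted parent staged in a world-writable directory) can be checked directly against normalized process events. The block below is an added example written for this page, not either catalog rule's actual logic: how each rule ANDs or ORs its fields is not shown here, so the combination of fields into two patterns, the OR between the two code-signature fields, the contains-style reading of the CommandLine wildcard, the normalized key names, and all sample events are assumptions made for illustration.

```python
"""Added example: the two field patterns catalogued for T1548.004, run over
constructed macOS process events. Illustrative code, not a catalog rule;
how each real rule combines its fields is assumed here."""
from fnmatch import fnmatchcase

# Values copied from the indicator table on the page.
START_EVENTS = ("process_started", "start")
ADMIN_CMDLINE = "osascript*with administrator privileges"
SCRIPT_PARENTS = ("bash", "com.apple.automator.runner", "dash", "osascript",
                  "perl*", "php*", "pwsh", "python*", "ruby", "sh", "zsh")
STAGING_DIRS = ("/Users/Shared/", "/private/tmp/", "/tmp/")


def wildcard(value, pattern):
    """Sigma-style wildcard ('*' and '?'), case-sensitive. Assumption: the
    catalog value is contains-style, so a leading/trailing '*' is implied."""
    return value is not None and fnmatchcase(value, f"*{pattern}*")


def prompt_from_script(ev):
    """Pattern 1: osascript asking for administrator privileges, spawned by a
    shell or scripting interpreter (process_name, CommandLine,
    parent_process_name, event.type)."""
    parent = ev.get("parent_process_name") or ""
    return (ev.get("event_type") in START_EVENTS
            and ev.get("process_name") == "osascript"
            and wildcard(ev.get("command_line"), ADMIN_CMDLINE)
            and any(fnmatchcase(parent, p) for p in SCRIPT_PARENTS))


def untrusted_trampoline(ev):
    """Pattern 2: security_authtrampoline (the system helper that runs the
    privileged program) or osascript, started on macOS by a parent without a
    trusted code signature whose effective parent binary sits in a
    world-writable staging directory. The exists/trusted fields are ORed
    (assumption); an absent field counts as no match."""
    exe = ev.get("effective_parent_executable") or ""
    unsigned = (ev.get("parent_sig_exists") is False
                or ev.get("parent_sig_trusted") is False)
    return (ev.get("event_type") in START_EVENTS
            and ev.get("os") == "macos"
            and ev.get("process_name") in ("osascript", "security_authtrampoline")
            and unsigned
            and any(exe.startswith(d) for d in STAGING_DIRS))


CHECKS = {"prompt_from_script": prompt_from_script,
          "untrusted_trampoline": untrusted_trampoline}


def evaluate(events):
    """Map each event id to the list of pattern names it triggers."""
    return {ev["id"]: [n for n, fn in CHECKS.items() if fn(ev)] for ev in events}


# Constructed sample events in a normalized schema (not real telemetry).
SAMPLE_EVENTS = [
    # Script-driven prompt: matches pattern 1 only.
    {"id": "e1", "event_type": "process_started", "os": "macos",
     "process_name": "osascript", "parent_process_name": "bash",
     "command_line": "osascript -e 'do shell script \"id\" with administrator privileges'",
     "effective_parent_executable": "/bin/bash",
     "parent_sig_exists": True, "parent_sig_trusted": True},
    # Unsigned app staged in /tmp invoking the API: matches pattern 2 only.
    {"id": "e2", "event_type": "start", "os": "macos",
     "process_name": "security_authtrampoline", "parent_process_name": "Installer",
     "command_line": "/usr/libexec/security_authtrampoline /tmp/Installer.app/Contents/Resources/helper",
     "effective_parent_executable": "/tmp/Installer.app/Contents/MacOS/Installer",
     "parent_sig_exists": False, "parent_sig_trusted": False},
    # Benign osascript from Finder with no privilege request: no match.
    {"id": "e3", "event_type": "start", "os": "macos",
     "process_name": "osascript", "parent_process_name": "Finder",
     "command_line": "osascript /Users/alice/Library/Scripts/rename.scpt",
     "effective_parent_executable": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
     "parent_sig_exists": True, "parent_sig_trusted": True},
    # Signed, trusted app in /Applications using the API: no match.
    {"id": "e4", "event_type": "start", "os": "macos",
     "process_name": "security_authtrampoline", "parent_process_name": "UpdaterApp",
     "command_line": "/usr/libexec/security_authtrampoline /Applications/UpdaterApp.app/Contents/Resources/helper",
     "effective_parent_executable": "/Applications/UpdaterApp.app/Contents/MacOS/UpdaterApp",
     "parent_sig_exists": True, "parent_sig_trusted": True},
    # Admin prompt from a trusted GUI parent: pattern 1's parent filter excludes it.
    {"id": "e5", "event_type": "start", "os": "macos",
     "process_name": "osascript", "parent_process_name": "Script Editor",
     "command_line": "osascript -e 'do shell script \"id\" with administrator privileges'",
     "effective_parent_executable": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "parent_sig_exists": True, "parent_sig_trusted": True},
]

if __name__ == "__main__":
    for event_id, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{event_id}: {hits or 'no match'}")
```

Event e5 is the interesting one: the privilege request is identical to e1, but because the parent is a trusted GUI application rather than a shell or interpreter, pattern 1 does not fire. That is the trade-off the parent_process_name filter buys: it keeps the broadly shared osascript indicator (corpus reach 10) from firing on every script run, at the cost of missing prompts launched from a GUI parent, which pattern 2 only catches when the parent is unsigned and staged in /tmp or /Users/Shared.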

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor; each rule's entry carries its full predicates, exclusions, and indicators.


Elastic (2 rules)