Abuse Elevation Control Mechanism T1548

Tactic: Privilege Escalation

Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms intended to limit the privileged actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that are considered higher risk. An adversary can use several methods to take advantage of these built-in control mechanisms in order to escalate privileges on a system.

Events covered

24 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 312 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so that Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (177 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
| --- | --- | --- | --- |
| CommandLine | 57 | contains 47, eq 11, in 4, ends_with 3, wildcard 3, regex_match 2, starts_with 1 | sudo, --eval, (?i)ms-settings\x5cshell\x5copen\x5ccommand.+, -e, -wrapper |
| process_name | 53 | eq 32, in 16, starts_with 5, is_not_null 3, match 2, regex_match 2, ends_with 1, ne 1 | chmod, sudo, bash, setcap, (?i)\s+\x5c |
| EventType | 50 | eq 35, in 17 | exec, exec_event, ProcessRollup2, uid_change, AssumeRole |
| event.type | 49 | eq 40, in 7, ne 2 | start, change, process_started, creation, deletion |
| Image | 45 | ends_with 29, contains 5, eq 5, in 2, is_not_null 2, starts_with 2, wildcard 2 | \dism.exe, \powershell.exe, \pwsh.exe, \werfault.exe, *\\\\* |
| host.os.type | 41 | eq 40, in 1 | |
| process.args | 28 | eq 15, in 12, wildcard 8, contains 2, ne 2, starts_with 2, ends_with 1, match 1 | +x, --command, -c, -m, -s |
| ParentImage | 27 | ends_with 19, contains 3, eq 2, in 2, wildcard 2, starts_with 1 | \dllhost.exe, *\\\\*, *\\programdata\\*, *\\temp\\*, ./* |
| EventID | 25 | eq 25 | 4688, 1, 4657, 13, 4103 |
| parent_process_name | 25 | eq 10, in 9, wildcard 4, match 2, regex_match 2, ne 1 | bash, csh, dash, (?i)(forfiles\|fodhelper\|ftp\|pcalua)\.exe, (?i)\s+\x5c |
| IntegrityLevel | 22 | eq 20, in 4 | High, System, Low, Medium |
| TargetFilename | 21 | starts_with 11, ends_with 10, eq 4, in 3, wildcard 3, contains 2 | c:\users\, /etc/doas.conf, /etc/sudoers, .dll, /bin/sudo |
| Details | 17 | eq 12, contains 3, ends_with 2, is_not_null 1, regex_match 1, starts_with 1 | 0x00000000, (Empty), 0x00000001, DWORD (0x00000000), %SystemRoot% |
| DataSource | 16 | eq 16 | AUTH_CHANGES, CHANGEDOC_GRAC, CHANGEDOC_USOBT_C, CHANGEDOC_USOBX_C, DBACOCKPIT |
| TargetObject | 16 | contains 8, ends_with 8, wildcard 1 | software\\classes\\ms-settings\\shell\\open\\command, \appx82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command, \environment\windir, \lowercaselongpath, \microsoft\security center\uacdisablenotify |

Top indicator values (2123 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for a useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
| --- | --- | --- | --- | --- |
| event.type | eq | start | 36 | 606 |
| event.type | eq | change | 11 | 77 |
| CommandLine | contains | sudo | 22 | 23 |
| EventType | eq | exec | 19 | 171 |
| IntegrityLevel | eq | System | 19 | 29 |
| IntegrityLevel | eq | High | 16 | 21 |
| event.outcome | eq | success | 12 | 251 |
| EventID | eq | 4688 | 10 | 313 |
| EventID | eq | 1 | 8 | 237 |
| EventID | eq | 4657 | 6 | 17 |
| EventType | in | exec | 8 | 171 |
| EventType | in | exec_event | 7 | 139 |
| EventType | in | start | 7 | 134 |
| EventType | in | ProcessRollup2 | 6 | 117 |
| user.id | ne | 0 | 8 | 16 |
| Provider_Name | eq | sts.amazonaws.com | 7 | 11 |
| event.category | eq | process | 7 | 128 |
| sourcetype | eq | auditd | 7 | 56 |
| user.id | eq | 0 | 7 | 12 |
| TargetFilename | starts_with | c:\users\ | 6 | 11 |
| data_stream.dataset | eq | aws.cloudtrail | 6 | 141 |
| event.type | in | start | 6 | 42 |
| parent_process_name | in | bash | 6 | 30 |
| parent_process_name | in | csh | 6 | 26 |
| parent_process_name | in | dash | 6 | 27 |
| parent_process_name | in | fish | 6 | 26 |
| parent_process_name | in | ksh | 6 | 26 |
| parent_process_name | in | sh | 6 | 30 |
| parent_process_name | in | tcsh | 6 | 26 |
| parent_process_name | in | zsh | 6 | 29 |

Exclusions (422 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
| --- | --- | --- | --- |
| ParentImage | wildcard | /tmp/newroot/* | 3 |
| aws::userIdentity.type | eq | AWSService | 3 |
| Image | ends_with | \werfault.exe | 2 |
| Image | in | ./usr/bin/podman | 2 |
| Image | in | /usr/bin/dockerd | 2 |
| Image | in | /usr/bin/microdnf | 2 |
| Image | in | /usr/bin/podman | 2 |
| Image | in | /usr/bin/rpm | 2 |
| Image | in | /usr/local/bin/dockerd | 2 |
| Image | in | /usr/sbin/dockerd | 2 |
| Image | starts_with | /bin/ | 2 |
| Image | starts_with | /opt/dynatrace/ | 2 |
| Image | starts_with | /sbin/ | 2 |
| Image | starts_with | /tmp/newroot/ | 2 |
| Image | starts_with | /usr/bin/ | 2 |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule entry carries its full predicates, exclusions, and indicators.


Sigma: 89 rules
Elastic: 72 rules
Splunk: 85 rules
Kusto: 46 rules
Panther: 20 rules