T1548

Abuse Elevation Control Mechanism

Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileged actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that are considered higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in ...

Platforms: Linux, macOS, Windows, IaaS, Office Suite, Identity Provider

91 Detections, 3 Sources, 1 Threat Actor

BY SOURCE

elastic: 62, sigma: 22, splunk_escu: 7

PROCEDURES (44)

Auto-extracted procedure keywords, each with the number of detections that match it:

Privilege: 10 detections
Bypass: 9 detections
General Monitoring: 6 detections
Privilege: 5 detections
Lateral: 4 detections
Persist: 3 detections
Suspicious: 3 detections
Unusual: 3 detections
Container: 3 detections
Service: 3 detections
Exfiltrat: 2 detections
Registry: 2 detections
Privilege: 2 detections
Privilege: 2 detections
Inject: 2 detections
Cloud: 2 detections
Api: 2 detections
Aws: 2 detections
Persist: 1 detection
Lateral: 1 detection
Container: 1 detection
Suspicious: 1 detection
Authentication Monitoring: 1 detection
Bypass: 1 detection
Network Connection Monitoring: 1 detection
Child Process: 1 detection
Suspicious: 1 detection
Registry Monitoring: 1 detection
Credential: 1 detection
Child Process: 1 detection
Credential: 1 detection
Suspicious: 1 detection
Cloud Monitoring: 1 detection
File Monitoring: 1 detection
Process Creation Monitoring: 1 detection
Persist: 1 detection
Bypass: 1 detection
Remote: 1 detection
Service: 1 detection
Bypass: 1 detection
Remote: 1 detection
Aws: 1 detection
Privilege: 1 detection
Suspicious: 1 detection

THREAT ACTORS (1)

DETECTIONS (91)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity:

Abused Debug Privilege by Arbitrary Parent Processes (sigma, high)
Allow Operation with Consent Admin (splunk_escu)
Apple Scripting Execution with Administrator Privileges (elastic, medium)
AWS IAM Customer-Managed Policy Attached to Role by Rare User (elastic, low)
AWS STS AssumeRole Misuse (sigma, low)
AWS STS AssumeRole with New MFA Device (elastic, low)
AWS STS AssumeRoot by Rare User and Member Account (elastic, medium)
AWS STS GetSessionToken Misuse (sigma, low)
AWS STS Role Assumption by Service (elastic, low)
AWS STS Role Assumption by User (elastic, low)
AWS STS Role Chaining (elastic, medium)
AWS Suspicious SAML Activity (sigma, medium)
Bypass UAC via Event Viewer (elastic, high)
CA Policy Removed by Non Approved Actor (sigma, medium)
CA Policy Updated by Non Approved Actor (sigma, medium)
COM Hijack via Sdclt (sigma, high)
Credential Dumping Attempt Via Svchost (sigma, high)
Deprecated - Sudo Heap-Based Buffer Overflow Attempt (elastic, high)
Disabling User Account Control via Registry Modification (elastic, medium)
Entra ID Actor Token User Impersonation Abuse (elastic, medium)
Execution via Electron Child Process Node.js Module (elastic, medium)
Execution with Explicit Credentials via Scripting (elastic, medium)
File Execution Permission Modification Detected via Defend for Containers (elastic, low)
Full Disk Access Permission Check (elastic, medium)
GCP Break-glass Container Workload Deployed (sigma, medium)
Linux Capabilities Discovery (sigma, low)
Linux Doas Conf File Creation (sigma, medium)
Linux Doas Tool Execution (sigma, low)
Linux Persistence and Privilege Escalation Risk Behavior (splunk_escu)
Linux Setgid Capability Set on a Binary via Setcap Utility (sigma, low)
Linux Setuid Capability Set on a Binary via Setcap Utility (sigma, low)
Linux Telnet Authentication Bypass (splunk_escu)
Local Account TokenFilter Policy Disabled (elastic, medium)
Modification of Persistence Relevant Files Detected via Defend for Containers (elastic, low)
New CA Policy by Non-approved Actor (sigma, medium)
Pod or Container Creation with Suspicious Command-Line (elastic, medium)
Potential CVE-2025-32463 Sudo Chroot Execution Attempt (elastic, high)
Potential Defense Evasion via Doas (elastic, medium)
Potential Persistence via File Modification (elastic, low)
Potential PowerShell HackTool Script by Function Names (elastic, medium)
Potential Privacy Control Bypass via Localhost Secure Copy (elastic, high)
Potential Privacy Control Bypass via TCCDB Modification (elastic, medium)
Potential Privilege Escalation via CVE-2023-4911 (elastic, high)
Potential Privilege Escalation via Enlightenment (elastic, high)
Potential Privilege Escalation via Local Kerberos Relay over LDAP (sigma, high)
Potential Privilege Escalation via OverlayFS (elastic, high)
Potential Privilege Escalation via Python cap_setuid (elastic, high)
Potential Privilege Escalation via Recently Compiled Executable (elastic, high)
Potential Privilege Escalation via Sudoers File Modification (elastic, high)
Potential Privilege Escalation via SUID/SGID Proxy Execution (elastic, medium)
Potential Sudo Hijacking (elastic, medium)
Potential Sudo Privilege Escalation via CVE-2019-14287 (elastic, high)
Potential Sudo Token Manipulation via Process Injection (elastic, medium)
Potential Suspicious File Edit (elastic, low)
Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities (elastic, medium)
Privilege Escalation via CAP_SETUID/SETGID Capabilities (elastic, medium)
Privilege Escalation via GDB CAP_SYS_PTRACE (elastic, medium)
Privilege Escalation via SUID/SGID (elastic, medium)
Process Capability Set via setcap Utility (elastic, low)
Regedit as Trusted Installer (sigma, high)
SCM Database Privileged Operation (sigma, medium)
Services Escalate Exe (splunk_escu)
Setcap setuid/setgid Capability Set (elastic, high)
Spike in Privileged Command Execution by a User (elastic, low)
Sudo Command Enumeration Detected (elastic, low)
Sudoers File Activity (elastic, medium)
SUID/SGID Bit Set (elastic, low)
SUID/SGUID Enumeration Detected (elastic, medium)
Suspicious Echo or Printf Execution Detected via Defend for Containers (elastic, high)
Suspicious File Made Executable via Chmod Inside A Container (elastic, low)
Suspicious Symbolic Link Created (elastic, low)
Suspicious TCC Access Granted for User Folders (elastic, high)
System Binary Path File Permission Modification (elastic, low)
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (elastic, medium)
UAC Bypass Attempt via Privileged IFileOperation COM Interface (elastic, high)
UAC Bypass Attempt via Windows Directory Masquerading (elastic, high)
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface (elastic, high)
UAC Bypass via DiskCleanup Scheduled Task Hijack (elastic, medium)
UAC Bypass via ICMLuaUtil Elevated COM Interface (elastic, high)
UAC Bypass via Windows Firewall Snap-In Hijack (elastic, medium)
UAC Bypass via Windows Firewall Snap-In Hijack (sigma, medium)
UID Elevation from Previously Unknown Executable (elastic, high)
Unusual Pkexec Execution (elastic, high)
Unusual Process Detected for Privileged Commands by a User (elastic, low)
Unusual Sudo Activity (elastic, low)
User Added To Group With CA Policy Modification Access (sigma, medium)
User Removed From Group With CA Policy Modification Access (sigma, medium)
Vulnerable Netlogon Secure Channel Connection Allowed (sigma, high)
Windows Privilege Escalation Suspicious Process Elevation (splunk_escu)
Windows Privilege Escalation System Process Without System Parent (splunk_escu)
Windows Privilege Escalation User Process Spawn System Process (splunk_escu)