seikaikyo/detecting-t1548-abuse-elevation-control-mechanism
external/anthropic-cybersecurity-skills/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md
Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.
$ install --global
skillsauthnpx skillsauth add seikaikyo/dash-skills detecting-t1548-abuse-elevation-control-mechanismInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 6, 2026, 5:25 AM235.7s7 files scanned
SKILL.md
- name:
- detecting-t1548-abuse-elevation-control-mechanism
- description:
- Detect abuse of elevation control mechanisms including UAC bypass, sudo
- domain:
- cybersecurity
- subdomain:
- threat-hunting
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
Detecting T1548 Abuse Elevation Control Mechanism
When to Use
- When hunting for privilege escalation via UAC bypass in Windows environments
- After threat intelligence indicates use of UAC bypass exploits by active threat groups
- When investigating how attackers achieved administrative access without triggering UAC prompts
- During security assessments to validate UAC bypass detection coverage
- When monitoring for setuid/setgid abuse on Linux systems
Prerequisites
- Sysmon Event ID 1 with command-line and parent process logging
- Windows Security Event ID 4688 with process tracking
- Registry auditing for UAC-related keys (HKCU\Software\Classes)
- Sysmon Event ID 12/13 (Registry key/value modification)
- EDR with elevation monitoring capabilities
Workflow
- Monitor UAC Registry Modifications: Many UAC bypasses modify registry keys under
HKCU\Software\Classes\ms-settings\shell\open\commandorHKCU\Software\Classes\mscfile\shell\open\command. Track Sysmon Events 12/13 for these changes. - Detect Auto-Elevating Process Abuse: Certain Windows binaries auto-elevate without UAC prompts (fodhelper.exe, computerdefaults.exe, eventvwr.exe). Hunt for these being launched by non-standard parent processes.
- Track Process Integrity Level Changes: Monitor for processes escalating from medium to high integrity level without corresponding UAC consent events.
- Hunt for Elevated Process Spawning: Detect when auto-elevating processes spawn unexpected children (cmd.exe, powershell.exe) -- indicating UAC bypass exploitation.
- Monitor Linux Elevation Abuse: Track sudo misconfiguration exploitation, setuid binary abuse, and capability manipulation.
- Correlate with Privilege Escalation Chain: Map elevation abuse to the broader attack chain, identifying what was done with escalated privileges.
Key Concepts
| Concept | Description | |---------|-------------| | T1548.002 | Bypass User Account Control | | T1548.001 | Setuid and Setgid (Linux) | | T1548.003 | Sudo and Sudo Caching | | T1548.004 | Elevated Execution with Prompt (macOS) | | UAC Auto-Elevation | Windows binaries that elevate without prompt | | fodhelper.exe | Common UAC bypass vector via registry hijack | | eventvwr.exe | MSC file handler UAC bypass | | Integrity Level | Windows process trust level (Low/Medium/High/System) |
Detection Queries
Splunk -- UAC Bypass via Registry Modification
index=sysmon (EventCode=12 OR EventCode=13)
| where match(TargetObject, "(?i)HKCU\\\\Software\\\\Classes\\\\(ms-settings|mscfile|exefile|Folder)\\\\shell\\\\open\\\\command")
| table _time Computer User EventCode TargetObject Details Image
Splunk -- Auto-Elevating Process Abuse
index=sysmon EventCode=1
| where match(Image, "(?i)(fodhelper|computerdefaults|eventvwr|sdclt|slui|cmstp)\.exe$")
| where NOT match(ParentImage, "(?i)(explorer|svchost|services)\.exe$")
| table _time Computer User Image CommandLine ParentImage ParentCommandLine
KQL -- UAC Bypass Detection
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has_any ("ms-settings\\shell\\open\\command", "mscfile\\shell\\open\\command")
| where ActionType == "RegistryValueSet"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessFileName
Sigma Rule
title: UAC Bypass via Registry Modification
status: stable
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
- '\ms-settings\shell\open\command'
- '\mscfile\shell\open\command'
- '\exefile\shell\open\command'
condition: selection
level: high
tags:
- attack.privilege_escalation
- attack.t1548.002
Common Scenarios
- fodhelper.exe Registry Hijack: Attacker sets
HKCU\Software\Classes\ms-settings\shell\open\commandto a malicious executable, then launches fodhelper.exe which auto-elevates and executes the hijacked command. - eventvwr.exe MSC Bypass: Modifying
HKCU\Software\Classes\mscfile\shell\open\commandto intercept Event Viewer's auto-elevation behavior. - sdclt.exe Bypass: Leveraging the Windows Backup utility's auto-elevation to execute arbitrary commands.
- CMSTP.exe INF Bypass: Using Connection Manager Profile Installer with a malicious INF file to bypass UAC via
/s /niflags. - DLL Hijacking in Auto-Elevate: Placing malicious DLLs in search paths of auto-elevating executables.
Output Format
Hunt ID: TH-UAC-[DATE]-[SEQ]
Host: [Hostname]
Bypass Method: [Registry hijack/DLL hijack/Token manipulation]
Auto-Elevate Binary: [fodhelper.exe/eventvwr.exe/etc.]
Registry Key Modified: [Full registry path]
Payload Executed: [Command or binary path]
User Context: [Account]
Risk Level: [Critical/High/Medium]
ATT&CK Technique: [T1548.00x]
Related Skills
seikaikyo/performing-soc2-type2-audit-preparation
development
VerifiedTrustedCommunity
Automates SOC 2 Type II audit preparation including gap assessment against AICPA Trust Services Criteria (CC1-CC9), evidence collection from cloud providers and identity systems, control testing validation, remediation tracking, and continuous compliance monitoring. Covers all five TSC categories (Security, Availability, Processing Integrity, Confidentiality, Privacy) with automated evidence gathering from AWS, Azure, GCP, Okta, GitHub, and Jira. Use when preparing for or maintaining SOC 2 Type II certification.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-soc-tabletop-exercise
testing
VerifiedTrustedCommunity
Performs tabletop exercises for SOC teams simulating security incidents through discussion-based scenarios to test incident response procedures, communication workflows, and decision-making under pressure without impacting production systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident response testing.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-soap-web-service-security-testing
development
VerifiedTrustedCommunity
Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE, WS-Security bypass, and SOAPAction spoofing.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-service-account-credential-rotation
devops
VerifiedTrustedCommunity
Automate credential rotation for service accounts across Active Directory, cloud platforms, and application databases to eliminate stale secrets and reduce compromise risk.
1SKILL.mdUpdated Jun 13, 2026