detecting-t1548-abuse-elevation-control-mechanism

Featured

Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Detecting T1548 Abuse Elevation Control Mechanism ## When to Use - When hunting for privilege escalation via UAC bypass in Windows environments - After threat intelligence indicates use of UAC bypass exploits by active threat groups - When investigating how attackers achieved administrative access without triggering UAC prompts - During security assessments to validate UAC bypass detection coverage - When monitoring for setuid/setgid abuse on Linux systems ## Prerequisites - Sysmon Event ID 1 with command-line and parent process logging - Windows Security Event ID 4688 with process tracking - Registry auditing for UAC-related keys (HKCU\Software\Classes) - Sysmon Event ID 12/13 (Registry key/value modification) - EDR with elevation monitoring capabilities ## Workflow 1. **Monitor UAC Registry Modifications**: Many UAC bypasses modify registry keys under `HKCU\Software\Classes\ms-settings\shell\open\command` or `HKCU\Software\Classes\mscfile\shell\open\command`. Track Sysmon Events 12/13 for these changes. 2. **Detect Auto-Elevating Process Abuse**: Certain Windows binaries auto-elevate without UAC prompts (fodhelper.exe, computerdefaults.exe, eventvwr.exe). Hunt for these being launched by non-standard parent processes. 3. **Track Process Integrity Level Changes**: Monitor for processes escalating from medium to high integrity level without corresponding UAC consent events. 4. **Hunt for Elevated Process Spawning**: Detect when auto-elevating processes spawn unexpecte...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-privilege-escalation-attempts

Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-service-account-abuse

Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-suspicious-scheduled-tasks

Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious task properties, and unusual execution patterns that indicate T1053.005 abuse.

12,642 Updated today
mukul975
AI & Automation Solid

detecting-credential-dumping-techniques

Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules

12,642 Updated today
mukul975