T1548.002 (Defined) · ATT&CK T1548.002

Abuse Elevation Control Mechanism: Bypass UAC

Process Invoke SystemCall — Invoke a Windows elevation mechanism through a method that bypasses User Account Control consent prompts to gain elevated privilege without user interaction.

Ontological Definition
Actor: Process
Action: Invoke
Artifact: SystemCall

Detect

STP 5

The integrity level transition (medium → high without a UAC consent event) is technique-defining and method-agnostic. Detecting this transition is STP 5 regardless of which bypass was used.

Gate on
activity_id = Launch
actor.process.integrity_level = Medium
process.integrity_level = High

Correlate process creation events with UAC consent events. Any high-integrity process spawned from a medium-integrity parent without a corresponding consent event is STP 5. Do not write primary detections for individual bypass methods.
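The correlation described above, as an added example that is not code from the page or from any project it references. It gates on the definitional fields (Launch, actor Medium, child High) over OCSF-style Process Activity events and then joins against consent events on the same host. The consent-event shape, the 30-second attribution window, the hostnames, paths and timestamps are all constructed assumptions for this example; `integrity_level` is treated as the Windows-specific extension of the OCSF process object that the page notes.

```python
# Added example (not the page's or any project's code): report medium->high
# integrity transitions only when no UAC consent event preceded them.
from datetime import datetime, timedelta

# Assumption: a consent event explains a launch when it occurred on the same
# host at most CONSENT_WINDOW before the launch. The consent-event shape used
# here (time + device.hostname) is constructed; the page does not specify one.
CONSENT_WINDOW = timedelta(seconds=30)


def parse_time(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_elevation_transition(ev: dict) -> bool:
    """The page's definitional gate: Process Activity (1007), Launch,
    actor.process Medium, process High. integrity_level is a Windows-specific
    extension of the OCSF process object."""
    return (
        ev.get("class_uid") == 1007
        and ev.get("activity_name") == "Launch"
        and ev["actor"]["process"].get("integrity_level") == "Medium"
        and ev["process"].get("integrity_level") == "High"
    )


def consented(ev: dict, consent_events: list, window: timedelta = CONSENT_WINDOW) -> bool:
    """True when a consent event on the same host precedes the launch within the window."""
    launched = parse_time(ev["time"])
    host = ev["device"]["hostname"]
    for c in consent_events:
        if c["device"]["hostname"] != host:
            continue
        delta = launched - parse_time(c["time"])
        if timedelta(0) <= delta <= window:
            return True
    return False


def find_uac_bypass(process_events: list, consent_events: list) -> list:
    """Elevation transitions with no matching consent: the STP 5 signal."""
    return [
        ev for ev in process_events
        if is_elevation_transition(ev) and not consented(ev, consent_events)
    ]


def _launch(host, time, parent_path, parent_il, child_path, child_il) -> dict:
    """Build a minimal OCSF-style Process Activity Launch event (constructed)."""
    return {
        "class_uid": 1007,
        "activity_id": 1,          # OCSF encodes Launch as activity_id 1
        "activity_name": "Launch",
        "time": time,
        "device": {"hostname": host},
        "actor": {"process": {"file": {"path": parent_path}, "integrity_level": parent_il}},
        "process": {"file": {"path": child_path}, "integrity_level": child_il},
    }


# Constructed sample telemetry: one unconsented auto-elevation, one consented
# elevation (admin ran an MMC console and clicked through the prompt), and one
# ordinary medium-integrity launch.
PROCESS_EVENTS = [
    _launch("WS01", "2024-05-01T10:00:00Z", r"C:\Windows\explorer.exe", "Medium",
            r"C:\Windows\System32\fodhelper.exe", "High"),
    _launch("WS01", "2024-05-01T10:05:10Z", r"C:\Windows\explorer.exe", "Medium",
            r"C:\Windows\System32\mmc.exe", "High"),
    _launch("WS01", "2024-05-01T10:07:00Z", r"C:\Windows\explorer.exe", "Medium",
            r"C:\Windows\System32\notepad.exe", "Medium"),
]
CONSENT_EVENTS = [
    {"time": "2024-05-01T10:05:05Z", "device": {"hostname": "WS01"}},
]

if __name__ == "__main__":
    for ev in find_uac_bypass(PROCESS_EVENTS, CONSENT_EVENTS):
        print(ev["device"]["hostname"], ev["time"],
              ev["actor"]["process"]["file"]["path"], "->", ev["process"]["file"]["path"])
```

Only the fodhelper launch is reported: the mmc.exe elevation is suppressed by the consent event five seconds earlier, and the notepad launch never passes the integrity gate. The window size is the tuning knob; too wide and a bypass landing shortly after a legitimate prompt is masked, too narrow and slow consent flows generate noise.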

Mitigate

STP 5

Setting UAC to "Always Notify" or removing the user from the local administrators group eliminates the elevation path regardless of bypass method.

Set ConsentPromptBehaviorAdmin = 2 (Always Notify). Running users as non-administrators eliminates the technique entirely — UAC bypass requires the user to already be in the administrators group.

Respond

Escalated

The attacker holds elevated privileges. Contain the process that gained them. Investigate everything it accessed or modified since escalation occurred.

Attacker foothold: Medium-Integrity Process (actor.process), Elevated Process (process)
D3FEND response actions: d3f:ProcessTermination, d3f:NetworkIsolation
OCSF event model

Event class: Process Activity (1007)  ·  activity_id: Launch

Legend: attacker-controlled · post-success · victim · tainted
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
  classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
  classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
  classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
  classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa

  EVENT(["Process Activity\n· Launch"])

  actor_process["Medium-Integrity Process\nactor.process\nd3f:Process"]:::attacker
  elevated_process["Elevated Process\nprocess\nd3f:Process"]:::attacker
  device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted

  EVENT --> actor_process
  EVENT --> elevated_process
  EVENT --> device

  actor_process -.->|"spawns without consent"| elevated_process
Medium-Integrity Process (actor.process · d3f:Process) — attacker-controlled
  actor.process.integrity_level (invariant) = Medium
  actor.process.file.path (attacker_controlled): specific bypass binary used — Execution Medium, attacker-chosen
  Countermeasures: d3f:ProcessTermination

Elevated Process (process · d3f:Process) — attacker-controlled
  process.integrity_level (invariant) = High
  process.file.path (attacker_controlled): elevated child process path — attacker-chosen, varies by bypass method
  Countermeasures: d3f:ProcessTermination

Host (device · d3f:Host) — tainted
  Countermeasures: d3f:NetworkIsolation
Definitional Sigma rule

Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.

title: Abuse Elevation Control Mechanism: Bypass UAC (T1548.002)
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: Process Activity (1007)
detection:
  selection:
    activity_id: 'Launch'
    actor.process.integrity_level: 'Medium'
    process.integrity_level: 'High'
  condition: selection
Execution Medium–scoped detection (STP 3 ceiling)

Sample rules — not canonical definitions. Each constrains detection to a specific Execution Medium and has a hard STP 3 ceiling. The attacker switches Execution Medium; the rule misses. Compare with the definitional rule above.

STP 3

fodhelper.exe auto-elevates and inherits the calling process environment, including HKCU registry keys. Detecting a high-integrity process parented by fodhelper is STP 3 — evaded immediately by switching to eventvwr, CMSTPLUA, or any other auto-elevating binary.

title: Bypass UAC — fodhelper.exe medium (sample)
status: experimental
description: >
  Sample — STP 3 ceiling. Detects a high-integrity process spawned by
  fodhelper.exe. Evaded by switching to eventvwr, CMSTPLUA, or any other
  bypass method.
logsource:
  product: ocsf
  category: Process Activity (1007)
detection:
  selection:
    activity_id: 'Launch'
    actor.process.file.name: 'fodhelper.exe'
    process.integrity_level: 'High'  # NOTE: not OCSF native; Windows-specific extension
  condition: selection
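To make the STP 3 ceiling concrete, here is an added example (not the page's or any project's code) that evaluates both selections from this page, the definitional one and the fodhelper-scoped sample, over constructed Launch events in which the same technique is carried out through two different auto-elevating binaries. The tiny matcher implements only the AND semantics of a single Sigma `selection`; the event shapes and process names are constructed. The page's rules write the activity label `'Launch'`; the events here use OCSF's numeric encoding (activity_id 1) and the selections are written against that.

```python
# Added example (not the page's or any project's code): definitional rule vs
# Execution Medium-scoped sample rule over constructed OCSF-style events.


def get_path(event: dict, dotted: str):
    """Resolve a dotted Sigma-style field path against a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event: dict, selection: dict) -> bool:
    """Sigma 'selection' semantics for this example: every field must equal its value."""
    return all(get_path(event, field) == value for field, value in selection.items())


# The page's definitional selection, written against OCSF's numeric Launch id.
DEFINITIONAL = {
    "activity_id": 1,
    "actor.process.integrity_level": "Medium",
    "process.integrity_level": "High",
}

# The page's fodhelper-scoped sample selection (STP 3 ceiling).
FODHELPER_SAMPLE = {
    "activity_id": 1,
    "actor.process.file.name": "fodhelper.exe",
    "process.integrity_level": "High",
}


def launch(parent_name: str, parent_il: str, child_name: str, child_il: str) -> dict:
    """Build a minimal OCSF-style Process Activity Launch event (constructed)."""
    return {
        "class_uid": 1007,
        "activity_id": 1,
        "activity_name": "Launch",
        "actor": {"process": {"file": {"name": parent_name}, "integrity_level": parent_il}},
        "process": {"file": {"name": child_name}, "integrity_level": child_il},
    }


# Constructed telemetry: the same technique through two Execution Media, plus
# an ordinary launch that should match nothing.
EVENTS = [
    launch("explorer.exe", "Medium", "fodhelper.exe", "High"),   # auto-elevation, medium A
    launch("fodhelper.exe", "High", "cmd.exe", "High"),          # payload spawned afterwards
    launch("explorer.exe", "Medium", "eventvwr.exe", "High"),    # auto-elevation, medium B
    launch("eventvwr.exe", "High", "cmd.exe", "High"),
    launch("explorer.exe", "Medium", "notepad.exe", "Medium"),   # no integrity transition
]


def hits(selection: dict, events: list) -> list:
    """(parent, child) pairs the selection fires on, in event order."""
    return [
        (e["actor"]["process"]["file"]["name"], e["process"]["file"]["name"])
        for e in events
        if matches(e, selection)
    ]


if __name__ == "__main__":
    print("definitional:", hits(DEFINITIONAL, EVENTS))
    print("fodhelper sample:", hits(FODHELPER_SAMPLE, EVENTS))
```

The definitional selection fires on both auto-elevation launches because it keys on the integrity transition alone. The sample selection fires once, on the child of fodhelper.exe, and is silent for the eventvwr chain even though the transition and the resulting elevated payload are identical; that silence is the Execution Medium gap the text describes.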
Seen in the wild (1 report)

PowerShower uses fodhelper.exe UAC bypass to execute a credential harvester with elevated privileges — matching the Bypass UAC definition of spawning a high-integrity process without a UAC consent dialog.