MITRE ATT&CK® Analytic

AN1094: Analytic 1094

Detects a multi-event behavior chain involving UAC bypass attempts via known auto-elevated binaries (e.g., eventvwr.exe, sdclt.exe), unauthorized Registry changes to UAC-related keys, and anomalous process execution with elevated privileges but lacking standard parent-child lineage. Suspicious patterns include invocation of auto-elevated COM objects or manipulation of isolatedCommand Registry entries without consent prompts.

Domain: Enterprise · ID: AN1094 · Type: Analytic · Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it focuses on attempts to gain elevated Windows privileges without the consent prompt that UAC is supposed to show. For business leaders, the practical risk is that a compromised but unelevated session under an account that holds local administrator rights can become a high-integrity foothold without the user ever seeing a prompt, which raises the urgency of containment, endpoint visibility, and evidence preservation during an incident.

Executive priority

Prioritize this as a Windows endpoint privilege-escalation detection validation item. Security leaders should ask whether SOC and IR teams can prove they collect the process, Registry, and privilege-context evidence needed to distinguish legitimate administrative activity from suspicious elevation. The decision value is strongest for incident triage, managed detection quality, audit evidence around endpoint monitoring, and prioritizing hardening of UAC-related control paths.

Technical view

Validate whether Windows telemetry can correlate a multi-event chain: execution of known auto-elevated binaries such as eventvwr.exe or sdclt.exe, unauthorized changes to UAC-related Registry keys such as isolatedCommand-related entries, and anomalous elevated process execution that lacks the expected parent-child lineage. The Registry paths these bypasses hijack live in the user's own hive (HKCU\Software\Classes), which an unelevated process can write, so the Registry write itself produces no prompt and no privileged event; detection depends on tying it to the elevated launch that follows on the same host and user. Because the supplied object has no ATT&CK tactic or relationship context and no official detection logic, teams should treat this as an analytic design requirement rather than a complete rule.

Likely telemetry

  • Windows process creation events with command line, integrity/elevation context, parent process, and executable path (for example Sysmon Event ID 1, which carries IntegrityLevel and ParentImage, or Security Event ID 4688 with command-line auditing enabled, which carries Token Elevation Type)
  • Windows Registry modification events for UAC-related keys and isolatedCommand-style entries (for example Sysmon Event ID 13, or Security Event ID 4657 where a SACL has been placed on the watched keys)
  • Endpoint detection telemetry showing elevated process launches and parent-child process lineage
  • User/session context to determine whether activity aligns with expected administrative behavior
  • Time-correlated endpoint events linking Registry changes to subsequent elevated process execution on the same host and under the same user

Detection direction

  • Correlate Registry modifications, auto-elevated binary execution, and unexpected elevated child process behavior rather than alerting on any single event alone: administrators run eventvwr.exe, installers write under Software\Classes, and elevated processes spawn children constantly, so it is the sequence within a short window for one host and user that is suspicious.
  • Tune for legitimate administrative or troubleshooting workflows that may invoke Windows control utilities, while treating unusual parentage, timing, and user context as key discriminators.
  • Validate blind spots around missing command-line logging, incomplete Registry auditing, absent integrity-level/elevation fields, and endpoint agents that do not preserve parent-child process lineage.
  • Use this analytic as a detection engineering test case: can the SOC reconstruct the sequence quickly enough to support containment decisions?
  • Do not assume coverage from the ATT&CK entry alone; the official detection field is not provided.
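As an added example (not part of the ATT&CK object or of Glexia's text), the correlation the two lists above describe, written in Python over constructed Sysmon-style events. The auto-elevated binary names come from the analytic; the Registry watchlist, the five-minute window, and the expected-child table are assumptions to be replaced with local baselines. The sample events are constructed, not real logs, and the last one deliberately lacks a parent field so the blind spot from the bullet on missing lineage is reported rather than silently treated as benign.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Auto-elevated binaries named in the analytic; extend per environment.
AUTO_ELEVATED = {"eventvwr.exe", "sdclt.exe"}
# Assumption: per-user Classes paths these binaries resolve, plus the
# IsolatedCommand value the analytic mentions (matched case-insensitively).
UAC_KEY_PATTERNS = (r"\software\classes\mscfile\shell\open\command",
                    r"\software\classes\exefile\shell\runas\command",
                    "isolatedcommand")
# Assumption: children each binary normally spawns; baseline this locally.
EXPECTED_CHILDREN = {"eventvwr.exe": {"mmc.exe"}, "sdclt.exe": {"control.exe"}}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str            # "process" (creation) or "registry" (value set)
    image: str = ""      # process: full path of the new process
    parent: str = ""     # process: full path of its parent ("" if not logged)
    integrity: str = ""  # process: integrity level, e.g. "High" ("" if not logged)
    target: str = ""     # registry: full key\value path written


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()  # file-name component, lower-cased


def is_uac_key(target: str) -> bool:
    return any(p in target.lower() for p in UAC_KEY_PATTERNS)


def telemetry_gaps(events: List[Event]) -> List[str]:
    """Process events missing parent or integrity: stage 3 below cannot see
    them, so report the gap instead of silently treating them as benign."""
    return [f"{e.ts.isoformat()} {e.host} {e.image}: missing "
            + ("parent" if not e.parent else "integrity")
            for e in events if e.kind == "process" and not (e.parent and e.integrity)]


def detect_uac_bypass_chain(events: List[Event],
                            window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """One alert per High-integrity child of an auto-elevated binary when, within
    `window` for the same host and user, (1) a watched Registry path was written
    and (2) that binary was launched. No single stage alerts on its own, and an
    expected child (e.g. eventvwr.exe -> mmc.exe) counts as normal lineage."""
    alerts: List[Dict] = []
    reg_writes: Dict[Tuple[str, str], List[Event]] = {}
    launches: Dict[Tuple[str, str], List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host.lower(), ev.user.lower())
        if ev.kind == "registry":
            if is_uac_key(ev.target):
                reg_writes.setdefault(key, []).append(ev)  # stage 1
            continue
        if ev.kind != "process":
            continue
        if _base(ev.image) in AUTO_ELEVATED:
            launches.setdefault(key, []).append(ev)  # stage 2
            continue
        parent = _base(ev.parent)
        if parent not in AUTO_ELEVATED or ev.integrity.lower() != "high":
            continue
        if _base(ev.image) in EXPECTED_CHILDREN.get(parent, set()):
            continue  # normal lineage for this binary
        since = ev.ts - window
        regs = [x for x in reg_writes.get(key, []) if since <= x.ts <= ev.ts]
        starts = [x for x in launches.get(key, [])
                  if since <= x.ts <= ev.ts and _base(x.image) == parent]
        if regs and starts:  # stage 3: the whole chain sits inside the window
            alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user, "binary": parent,
                           "child": ev.image, "registry": regs[-1].target})
    return alerts


# Constructed sample events (not real logs); the last one deliberately lacks a parent.
SYS, T0 = r"C:\Windows\System32", datetime(2026, 1, 15, 10, 0, 0)
SAMPLE_EVENTS = [
    # Suspicious: watched key written, eventvwr.exe launched, cmd.exe at High under it.
    Event(T0, "WS01", r"CORP\alice", "registry",
          target=r"HKCU\Software\Classes\mscfile\shell\open\command\(Default)"),
    Event(T0 + timedelta(seconds=4), "WS01", r"CORP\alice", "process",
          image=SYS + r"\eventvwr.exe", parent=r"C:\Windows\explorer.exe", integrity="High"),
    Event(T0 + timedelta(seconds=5), "WS01", r"CORP\alice", "process",
          image=SYS + r"\cmd.exe", parent=SYS + r"\eventvwr.exe", integrity="High"),
    # Benign: an admin opens Event Viewer; mmc.exe is expected and no key was touched.
    Event(T0 + timedelta(hours=1), "WS02", r"CORP\bob", "process",
          image=SYS + r"\eventvwr.exe", parent=r"C:\Windows\explorer.exe", integrity="High"),
    Event(T0 + timedelta(hours=1, seconds=1), "WS02", r"CORP\bob", "process",
          image=SYS + r"\mmc.exe", parent=SYS + r"\eventvwr.exe", integrity="High"),
    # Watched key written but no auto-elevated launch follows: no alert.
    Event(T0 + timedelta(hours=2), "WS03", r"CORP\carol", "registry",
          target=r"HKCU\Software\Classes\exefile\shell\runas\command\IsolatedCommand"),
    # Telemetry gap: the agent did not record this High-integrity process's parent.
    Event(T0 + timedelta(hours=3), "WS04", r"CORP\dave", "process",
          image=SYS + r"\cmd.exe", parent="", integrity="High"),
]

if __name__ == "__main__":
    for a in detect_uac_bypass_chain(SAMPLE_EVENTS):
        print("ALERT", a)
    for g in telemetry_gaps(SAMPLE_EVENTS):
        print("GAP", g)
```

Keying the state on host plus user is what keeps a legitimate administrator's Event Viewer session on one workstation from being matched against an unrelated Classes write elsewhere; the expected-child table is the place to encode the "standard parent-child lineage" the analytic refers to, and the gap report is the check that the lineage and integrity fields are actually arriving before anyone relies on the rule.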

Mitigation priorities

  • Confirm least-privilege operating practices and reduce routine use of local administrative privileges where feasible; the auto-elevation these bypasses abuse only applies to accounts in the local Administrators group, so a session without that membership gains nothing from them.
  • Harden and monitor Windows endpoint configurations related to UAC-sensitive behavior. The hijackable Classes paths sit in each user's own hive, so monitoring and explaining writes to them matters more than ACL-based change control.
  • Ensure endpoint logging policies capture process creation, command line, Registry changes, and elevation context needed for investigation.
  • Prepare IR playbooks for suspected local privilege escalation that include host isolation criteria, account review, and preservation of process and Registry evidence.
  • Use validation exercises to confirm managed detection or internal SOC workflows can correlate the required event chain.

Analyst notes and limits

The object is a detection analytic for Windows privilege-elevation behavior involving UAC bypass patterns. Its value is in validating whether telemetry and correlation logic can identify suspicious elevation chains, not in proving a specific intrusion or actor.

The official detection content is not provided, tactics are not specified, and no relationships are supplied, so no campaign, software, group, or technique linkage is asserted here. Local environment baselines are required to separate legitimate administrative use from suspicious behavior. This take does not claim active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 1094

Detects a multi-event behavior chain involving UAC bypass attempts via known auto-elevated binaries (e.g., eventvwr.exe, sdclt.exe), unauthorized Registry changes to UAC-related keys, and anomalous process execution with elevated privileges but lacking standard parent-child lineage. Suspicious patterns include invocation of auto-elevated COM objects or manipulation of isolatedCommand Registry entries without consent prompts.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c6a11aa19e33f28f...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  c6a11aa19e33…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1094 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.