DET0345: Detection Strategy for Abuse Elevation Control Mechanism (T1548)
Analyst context for executives and security teams
This detection strategy is tied to ATT&CK technique T1548, Abuse Elevation Control Mechanism: attempts to bypass or misuse built-in controls that normally restrict privilege elevation. For leaders, the practical issue is whether the organization can prove when users, services, or cloud identities gain higher privileges outside expected administrative paths.
Executive priority
Prioritize this as a resilience and accountability question: can security and IT teams distinguish approved privilege elevation from suspicious elevation across Windows, macOS, Linux, and IaaS environments? Gaps here affect incident response speed, audit evidence for privileged access controls, and the ability to contain intrusions before higher-level permissions are abused.
Technical view
Because the detection strategy object does not include official detection logic, SOC and detection teams should anchor validation to the related technique T1548 and its privilege-escalation context. Confirm visibility into elevation-control events, administrative approval paths, privileged command execution, policy changes, and cloud/IaaS permission changes where applicable. Detection engineering should focus on deviations from expected elevation workflows rather than treating all administrative activity as suspicious.
Likely telemetry
- Operating system security logs related to privilege elevation and administrative actions
- Process execution and command-line telemetry for elevated processes
- Authentication and authorization logs for privileged accounts
- Endpoint telemetry showing user context, parent/child process relationships, and integrity or privilege level changes
- Linux/macOS logs related to sudo or equivalent elevation mechanisms
Detection direction
- Validate that telemetry exists across the related platforms: Linux, macOS, Windows, and IaaS; the detection strategy object itself lists no platforms.
- Baseline approved administrative elevation workflows, then alert on unusual users, systems, timing, parent processes, or permission changes.
- Tune carefully for legitimate administrator activity, software deployment, maintenance windows, and break-glass procedures to reduce false positives.
- Correlate endpoint privilege-elevation evidence with identity and cloud audit logs where accounts or roles are involved.
- Use the relationship to T1548 as the detection scope; no MITRE-provided detection analytics were supplied for DET0345.
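As an added example (not part of this page or of the MITRE object), the "baseline approved workflows, then alert on deviations" approach from the list above applied to constructed Linux sudo log lines: the approved-admin baseline, the per-user time windows and the list of shell binaries are assumptions chosen for illustration.

```python
import re

# Constructed sample sudo entries in syslog format (not real telemetry).
SAMPLE_LOG = """\
Mar  3 02:14:07 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
Mar  3 09:31:55 web01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 11:02:19 web01 sudo:   carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar  3 03:45:00 web01 sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/sh -c id
"""

# Matches the standard sudo log line layout: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ (?P<hour>\d\d):\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Assumed baseline: approved admins and the hours (start, end) in which they normally elevate.
BASELINE = {
    "alice": {"window": (0, 6)},    # out-of-hours maintenance window
    "bob":   {"window": (8, 18)},   # business hours
}
# Assumed list of commands that hand the caller an interactive root shell.
SHELL_CMDS = ("/bin/bash", "/bin/sh", "/usr/bin/su")

def parse_sudo(line):
    """Parse one sudo log line into a dict, or return None if it is not a sudo record."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["hour"])
    return rec

def assess(rec):
    """Return the reasons an elevation deviates from the baseline (empty list = approved)."""
    reasons = []
    profile = BASELINE.get(rec["user"])
    if profile is None:
        reasons.append("user not in approved admin baseline")
    elif not (profile["window"][0] <= rec["hour"] < profile["window"][1]):
        reasons.append("elevation outside approved window")
    if rec["tty"] == "unknown":
        reasons.append("no controlling TTY (non-interactive elevation)")
    if rec["cmd"].split()[0] in SHELL_CMDS:
        reasons.append("interactive root shell requested")
    return reasons

def find_deviations(log_text):
    """Run every sudo record through assess() and keep only those with findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo(line)
        if rec is not None:
            reasons = assess(rec)
            if reasons:
                findings.append((rec["user"], rec["cmd"], reasons))
    return findings
```

In a real pipeline the baseline would be derived from historical logs and change-management records rather than hard-coded, and the findings would be correlated with identity and cloud audit events as the list above recommends.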
Mitigation priorities
- Review who is authorized to perform privileged actions and remove unnecessary elevation rights.
- Harden approval and logging paths for privilege elevation mechanisms across endpoints and IaaS.
- Ensure privileged access procedures, break-glass use, and administrative tooling are documented for SOC and audit review.
- Prioritize central collection and retention of elevation-related endpoint, identity, and cloud logs before relying on detections.
- Test incident response playbooks for suspected unauthorized privilege elevation, including containment of affected accounts and systems.
Analyst notes and limits
DET0345 is a detection strategy object that detects T1548, Abuse Elevation Control Mechanism, in the enterprise ATT&CK domain. The source fields provide no official description or detection text for DET0345, so this analysis is based on the relationship to T1548 and the related technique metadata.
The detection strategy has no specified platforms, tactics, official description, or official detection content. Platform and tactic references come from the related T1548 technique only. Local environment architecture, logging configuration, and administrative procedures are required to determine actual coverage.
Detection Strategy for Abuse Elevation Control Mechanism (T1548)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1548 | Abuse Elevation Control Mechanism | This object detects Abuse Elevation Control Mechanism. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c0b716656e30… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0345 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.