DET0388: Detection Strategy for T1548.002 – Bypass User Account Control (UAC)
Analyst context for executives and security teams
DET0388 is a MITRE detection strategy object for detecting Bypass User Account Control, a Windows privilege-escalation behavior. The business issue is not just UAC itself; it is whether an attacker or unauthorized process can move from user-level execution to administrator-level capability without an expected approval path. That can materially affect containment, endpoint recovery, and confidence in least-privilege controls.
Executive priority
Prioritize this as a Windows endpoint resilience and identity/control validation topic. Leaders should ask whether local administrator exposure is understood, whether UAC-related elevation is visible to the SOC, and whether incident responders can distinguish approved administrative activity from unexpected privilege elevation. This is also useful audit evidence for least privilege and endpoint hardening programs.
Technical view
The supplied ATT&CK object has no official description, platforms, tactics, or detection text of its own, but its relationship states that it detects T1548.002, Bypass User Account Control, which is a Windows privilege-escalation technique. SOC and detection teams should validate visibility into process elevation behavior, integrity-level changes, administrator-context execution, and user or administrative approval paths where available. IR teams should treat suspicious elevation as a pivot point for scoping what actions occurred after high-integrity execution.
Likely telemetry
- Windows endpoint process creation telemetry with parent/child process context
- Process integrity level or elevation context where available
- Local administrator group membership and user privilege context
- UAC prompt or elevation approval evidence where available
- EDR or host security events showing execution under administrator-level permissions
Detection direction
- Confirm that Windows endpoint telemetry can show when processes run at elevated or high-integrity privilege levels.
- Correlate elevation events with the initiating user, local administrator membership, and expected administrative workflows.
- Tune for false positives from legitimate IT administration, software installers, and approved management tools.
- Use relationship context to focus this strategy on privilege escalation rather than initial access or persistence.
- Document blind spots where UAC prompts, integrity levels, or endpoint process lineage are not collected.
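One way to turn the direction above into checkable logic, as an added example that is not part of this page or of any MITRE or Glexia material: it assumes Sysmon-style process-creation records carrying IntegrityLevel, ProcessGuid and ParentProcessGuid, uses constructed sample events and hypothetical allowlist and local-admin values, flags High-integrity children of lower-integrity parents, and records children whose parent was never logged (a lineage blind spot to document).

```python
import json

# Constructed Sysmon-style Event ID 1 records as JSON lines; not real telemetry.
SAMPLE_EVENTS = r"""
{"ProcessGuid":"G1","ParentProcessGuid":"G0","Image":"C:\\Windows\\explorer.exe","IntegrityLevel":"Medium","User":"CORP\\alice"}
{"ProcessGuid":"G2","ParentProcessGuid":"G1","Image":"C:\\Windows\\System32\\notepad.exe","IntegrityLevel":"Medium","User":"CORP\\alice"}
{"ProcessGuid":"G3","ParentProcessGuid":"G0","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","User":"NT AUTHORITY\\SYSTEM"}
{"ProcessGuid":"G4","ParentProcessGuid":"G3","Image":"C:\\Windows\\System32\\mmc.exe","IntegrityLevel":"High","User":"CORP\\itops"}
{"ProcessGuid":"G5","ParentProcessGuid":"G1","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","User":"CORP\\alice"}
{"ProcessGuid":"G6","ParentProcessGuid":"G1","Image":"C:\\Program Files\\MgmtTool\\agent.exe","IntegrityLevel":"High","User":"CORP\\itops"}
"""

RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}

# Hypothetical tuning values: an approved management tool that is expected to
# run elevated, and the accounts that legitimately hold local administrator rights.
APPROVED_ELEVATED_IMAGES = {r"C:\Program Files\MgmtTool\agent.exe"}
KNOWN_LOCAL_ADMINS = {r"CORP\itops"}


def analyze(jsonl: str) -> dict:
    """Return unexpected elevations plus children whose parent was never logged."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings, missing_lineage = [], []
    for child in events:
        parent = by_guid.get(child["ParentProcessGuid"])
        if parent is None:
            missing_lineage.append(child["ProcessGuid"])  # lineage blind spot
            continue
        # Only children that reached High or above, and above their parent, matter.
        if RANK[child["IntegrityLevel"]] < RANK["High"]:
            continue
        if RANK[child["IntegrityLevel"]] <= RANK[parent["IntegrityLevel"]]:
            continue
        if child["Image"] in APPROVED_ELEVATED_IMAGES:
            continue  # tuned out as an expected administrative workflow
        is_admin = child["User"] in KNOWN_LOCAL_ADMINS
        findings.append({
            "process_guid": child["ProcessGuid"],
            "image": child["Image"],
            "parent_image": parent["Image"],
            "user": child["User"],
            "user_is_local_admin": is_admin,
            "severity": "medium" if is_admin else "high",
        })
    return {"findings": findings, "missing_lineage": missing_lineage}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

On the constructed sample only cmd.exe (G5) is reported: mmc.exe came from a System-integrity parent and the management agent is allowlisted, while G1 and G3 are listed as missing lineage because their parent was never collected.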
Mitigation priorities
- Reduce unnecessary local administrator rights before relying on detection alone.
- Review UAC enforcement and endpoint hardening policies against business requirements.
- Ensure administrative activity is performed through approved, auditable workflows.
- Prepare IR playbooks to scope activity that occurs after suspected privilege elevation.
- Maintain compliance evidence showing least-privilege review, endpoint telemetry coverage, and detection validation results.
Analyst notes and limits
This take is based on the DET0388 detection strategy metadata and its relationship to T1548.002. Because MITRE supplied no official detection text for this object, local validation should drive final detection logic and control prioritization.
Platforms and tactics are not specified on the DET0388 object itself. Windows and privilege-escalation context come from the related T1548.002 technique. No active exploitation, attribution, specific detection coverage, or vendor capability is implied.
Detection Strategy for T1548.002 – Bypass User Account Control (UAC)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1548.002 | Bypass User Account Control (sub-technique) | This object detects Bypass User Account Control. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a9396ec1be71… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0388
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.