DET0395: macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection
Analyst context for executives and security teams
This detection strategy is relevant to a macOS privilege-escalation behavior where software can request elevated privileges through an authorization prompt. For leaders, the practical issue is not just the prompt itself, but whether the organization can distinguish expected administrative workflows, such as installation or updating, from suspicious elevation attempts that may depend on user approval.
Executive priority
Prioritize this where macOS endpoints are material to business operations or privileged user activity. The key decision value is validating whether SOC and incident response teams have enough endpoint visibility to review elevation prompts, confirm user intent, and support audit or investigation needs around privilege escalation. Because the supplied ATT&CK object has no official detection text, organizations should treat this as a coverage-validation item rather than a ready-made analytic.
Technical view
This strategy detects ATT&CK technique T1548.004, Elevated Execution with Prompt, associated with macOS privilege escalation through the AuthorizationExecuteWithPrivileges API. Detection engineering should focus on whether macOS endpoint telemetry can show processes requesting elevated execution, the user context involved, the parent or calling application, and whether the activity aligns with approved software installation or update workflows. Tuning should account for legitimate administrative prompts while preserving visibility into unusual requesting processes or unexpected timing.
Likely telemetry
- macOS endpoint process execution events
- Privilege elevation or authorization prompt events where available
- User and account context associated with elevation requests
- Parent-child process relationships around the requesting application
- Application installation or update activity logs
Detection direction
- Validate that macOS systems generate and forward evidence of privileged execution requests or related process activity.
- Baseline legitimate elevation prompts from approved installers, updaters, and administrative tools to reduce false positives.
- Review suspicious cases by correlating the requesting process, user, parent process, and business justification for the prompt.
- Pay attention to blind spots where prompts are visible to users but not captured centrally by endpoint logging or EDR.
- Because MITRE did not provide official detection logic for this object, require local testing before treating any analytic as production-ready.
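Added example (not MITRE's or Glexia's logic): a triage pass over constructed macOS endpoint events that applies the steps above, baselining approved requesting apps and correlating each prompt with its user, parent process and timing. It assumes a hypothetical EDR feed in JSON lines with the fields ts, type, pid, ppid, user, path and signing_id; the schema, the approved list and every sample event are assumptions constructed for this example.

```python
import json
from datetime import datetime

# Constructed sample feed (hypothetical EDR schema): an approved updater prompting
# mid-morning, then an unsigned binary in Downloads prompting at 02:13 under Terminal.
SAMPLE_EVENTS = """\
{"ts":"2026-03-02T10:01:00","type":"exec","pid":500,"ppid":1,"user":"alice","path":"/Applications/Updater.app/Contents/MacOS/Updater","signing_id":"com.example.updater"}
{"ts":"2026-03-02T10:01:05","type":"auth_request","pid":500,"ppid":1,"user":"alice","path":"/Applications/Updater.app/Contents/MacOS/Updater","signing_id":"com.example.updater"}
{"ts":"2026-03-02T02:12:58","type":"exec","pid":880,"ppid":1,"user":"alice","path":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","signing_id":"com.apple.Terminal"}
{"ts":"2026-03-02T02:13:00","type":"exec","pid":901,"ppid":880,"user":"alice","path":"/Users/alice/Downloads/helper","signing_id":null}
{"ts":"2026-03-02T02:13:02","type":"auth_request","pid":901,"ppid":880,"user":"alice","path":"/Users/alice/Downloads/helper","signing_id":null}
"""

# Baseline of approved requesting apps: signing_id -> expected install path prefix.
APPROVED = {"com.example.updater": "/Applications/Updater.app/"}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def triage(events_text, approved=APPROVED, business_hours=(8, 18)):
    """Return one finding per auth_request that deviates from the baseline."""
    events = [json.loads(line) for line in events_text.splitlines() if line.strip()]
    procs = {e["pid"]: e for e in events if e["type"] == "exec"}  # pid -> exec event
    findings = []
    for e in events:
        if e["type"] != "auth_request":
            continue
        reasons = []
        expected = approved.get(e["signing_id"])
        if expected is None:
            reasons.append("requesting app not in approved baseline")
        elif not e["path"].startswith(expected):
            reasons.append("approved signing_id running from an unexpected path")
        if not e["signing_id"]:
            reasons.append("requesting binary is unsigned")
        if e["path"].startswith(USER_WRITABLE):
            reasons.append("requesting binary lives in a user-writable location")
        hour = datetime.fromisoformat(e["ts"]).hour
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("prompt outside business hours")
        if reasons:  # approved, well-placed, daytime prompts are suppressed
            parent = procs.get(e["ppid"], {}).get("path", "unknown")
            findings.append({"pid": e["pid"], "user": e["user"], "path": e["path"],
                             "parent": parent, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid {f['pid']} user={f['user']} {f['path']} parent={f['parent']}")
        for r in f["reasons"]:
            print("   -", r)
```

The approved updater produces no finding, which is the false-positive reduction the baselining step is meant to deliver; the reasons list on the remaining finding is what an analyst would take into the business-justification review.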
Mitigation priorities
- Maintain least-privilege practices for macOS users so elevation prompts remain meaningful control points.
- Ensure approved software installation and update paths are documented and distinguishable in telemetry.
- Harden endpoint monitoring coverage for macOS privilege-related activity before relying on alerting outcomes.
- Train help desk and incident response teams to verify unexpected elevation prompts during investigations.
- Use findings from detection validation to support compliance evidence around privileged access monitoring where applicable.
Analyst notes and limits
The source object is a detection strategy, DET0395, and its only substantive context is the relationship to T1548.004, Elevated Execution with Prompt. The related technique states that adversaries may use the macOS AuthorizationExecuteWithPrivileges API to prompt users for credentials and that the API does not validate whether the requesting program is reputable or modified. This makes user-context, process-context, and approved-workflow validation central to defensive value.
The supplied object has no official description, no official detection text, and no platforms or tactics directly listed on the detection-strategy object. macOS and privilege-escalation context come from the related ATT&CK technique only. This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage; local telemetry and control validation are required.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1548.004 | Elevated Execution with Prompt (sub-technique) | This object detects Elevated Execution with Prompt. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 830e105d199c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack DET0395 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.