MITRE ATT&CK® Technique

T1548.004: Elevated Execution with Prompt

Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.[1] The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.

Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.

Adversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.[2][3][4] This technique may be combined with Masquerading to trick the user into granting escalated privileges to malicious code.[2][3] This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.[2]

Enterprise | T1548.004 | Sub-technique | Object v2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This macOS privilege-escalation behavior matters because it turns a normal-looking credential prompt into a path to root execution. The risk is not just malware execution; it is user-assisted elevation through a deprecated API that still functions, with limited built-in validation of the requesting program’s trustworthiness or integrity.

Executive priority

For organizations with macOS fleets, this should be treated as an endpoint control and incident-readiness issue. Leaders should ask whether only trusted code can execute, whether SOC teams can see unexpected root-level process launches following user prompts, and whether incident responders can distinguish legitimate installer/update activity from malicious or modified software abusing elevation.

Technical view

ATT&CK describes abuse of macOS AuthorizationExecuteWithPrivileges for privilege escalation. Validation should focus on macOS endpoints, especially installer/updater-like activity, processes obtaining root privileges after user credential prompts, and programs that load or depend on world-writable files. The relationship to DET0395 indicates a relevant detection strategy exists, but the supplied ATT&CK technique object does not include official detection logic, so teams should validate local telemetry and detection content rather than assume coverage.

Likely telemetry

  • macOS process creation and parent/child process relationships
  • Privilege elevation events and root-level process execution
  • Authentication or authorization prompt activity where available
  • Application installation and update execution records
  • File integrity or permission data for world-writable files used by elevated programs

Detection direction

  • Validate monitoring for unusual macOS processes that gain root privileges after user credential prompts.
  • Tune detections around installer and updater behavior, since legitimate administrative software may produce similar activity.
  • Review detections associated with DET0395 if available in the local ATT&CK content or detection library.
  • Look for modified legitimate programs or elevated programs loading world-writable files, as described by ATT&CK.
  • Correlate with Masquerading context where suspicious prompts or application names may mislead users into approving elevation.
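The detection directions above, worked as an added example (not ATT&CK detection content and not from the cited reports): a heuristic over process-creation telemetry that keys on the process-tree shape the API produces, applies the user-writable-location and modified-program reasoning from the technique text, and scores each elevation. The event shape, the approved-tool allowlist with its recorded hashes, and the sample records are constructed assumptions; the trampoline path is the setuid helper macOS uses for this API.

```python
"""Heuristic detection of prompt-based elevation from process telemetry.

Added example, not ATT&CK detection content. The event shape, the allowlist
and the sample records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# AuthorizationExecuteWithPrivileges does not exec the tool directly: it goes
# through Apple's setuid-root trampoline, so the tool shows up in telemetry as
# a root child of this binary and a grandchild of the requesting application.
TRAMPOLINE = "/usr/libexec/security_authtrampoline"

# Locations a non-root user can write to; a tool or requesting app living here
# can be replaced without root (the world-writable case the technique text
# describes). Extend for the environment.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/folders/",
                 "/private/var/folders/", "/Users/", "/Volumes/")

# Hypothetical org allowlist: approved installer/updater tools and the SHA-256
# recorded for each at deployment time (file-integrity telemetry).
APPROVED_TOOLS: Dict[str, str] = {
    "/Applications/Approved Updater.app/Contents/Resources/update_helper": "a1" * 32,
}


@dataclass
class ProcEvent:
    ts: float
    pid: int
    ppid: int
    uid: int                      # real uid of the process
    euid: int                     # effective uid; 0 means it runs as root
    exe: str                      # executable path
    sha256: Optional[str] = None  # from file-integrity telemetry, if available


def find_prompt_elevations(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per tool launched as root through the trampoline."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for tool in events:
        tramp = by_pid.get(tool.ppid)
        if tramp is None or tramp.exe != TRAMPOLINE or tool.euid != 0:
            continue
        app = by_pid.get(tramp.ppid)  # the process that called the API
        reasons = []
        if tool.exe.startswith(USER_WRITABLE):
            reasons.append("tool runs from a user-writable location")
        if app is None:
            reasons.append("requesting application not observed")
        elif app.exe.startswith(USER_WRITABLE):
            reasons.append("requesting application runs from a user-writable location")
        expected = APPROVED_TOOLS.get(tool.exe)
        if expected is None:
            reasons.append("tool is not an approved installer/updater")
        elif tool.sha256 and tool.sha256 != expected:
            reasons.append("approved tool's hash differs from the recorded one (modified program)")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
        findings.append({"ts": tool.ts, "requesting_app": app.exe if app else None,
                         "tool": tool.exe, "user": tramp.uid,
                         "severity": severity, "reasons": reasons})
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # Approved updater: user app -> trampoline -> recorded helper as root
    ProcEvent(1.0, 100, 1, 501, 501, "/Applications/Approved Updater.app/Contents/MacOS/Approved Updater"),
    ProcEvent(2.0, 101, 100, 501, 0, TRAMPOLINE),
    ProcEvent(2.1, 102, 101, 501, 0, "/Applications/Approved Updater.app/Contents/Resources/update_helper", "a1" * 32),
    # Installer on a mounted image elevating a script dropped in /tmp
    ProcEvent(10.0, 200, 1, 501, 501, "/Volumes/Player Installer/Install.app/Contents/MacOS/Install"),
    ProcEvent(11.0, 201, 200, 501, 0, TRAMPOLINE),
    ProcEvent(11.1, 202, 201, 501, 0, "/tmp/.cache/run.sh"),
    # Approved updater whose helper no longer matches its recorded hash
    ProcEvent(20.0, 300, 1, 501, 501, "/Applications/Approved Updater.app/Contents/MacOS/Approved Updater"),
    ProcEvent(21.0, 301, 300, 501, 0, TRAMPOLINE),
    ProcEvent(21.1, 302, 301, 501, 0, "/Applications/Approved Updater.app/Contents/Resources/update_helper", "ff" * 32),
]


if __name__ == "__main__":
    for finding in find_prompt_elevations(SAMPLE_EVENTS):
        print(finding["severity"], finding["tool"], finding["reasons"])
```

The info-level findings are worth keeping: they are the baseline of legitimate installer and updater elevations that the tuning step above needs, and the allowlist plus recorded hashes is what lets the same rule separate an unmodified approved helper from a modified one.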

Mitigation priorities

  • Prioritize M1038 Execution Prevention for macOS: prevent unauthorized or malicious code from running where feasible.
  • Use application control principles to limit execution to trusted and authorized software.
  • Reduce reliance on untrusted installers and update mechanisms that request elevated privileges.
  • Validate that privileged installation/update workflows do not depend on writable or easily modified components.
  • Use findings from detection gaps to drive endpoint hardening and incident response playbooks for macOS privilege escalation.

Analyst notes and limits

This is sub-technique T1548.004 under Abuse Elevation Control Mechanism and applies to macOS privilege escalation. ATT&CK also records OSX/Shlayer as software using this behavior and notes that the older T1514 object was revoked by this one. These relationships provide useful context but should not be interpreted as current activity or local exposure without environment evidence.

The supplied ATT&CK object has no official detection text. Telemetry and detection recommendations are therefore validation-oriented and must be adapted to the organization’s macOS logging, EDR, application control, and software management practices. No claim is made that exploitation is active in any specific environment.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1514 | Elevated Execution with Prompt | Revoked by this object.
Enterprise | T1548 | Abuse Elevation Control Mechanism | This object is a sub-technique of Abuse Elevation Control Mechanism.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 2.0
Raw hash: 025e9d8ca993858e...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 025e9d8ca993…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Apple. (n.d.). Apple Developer Documentation: AuthorizationExecuteWithPrivileges. Retrieved August 8, 2019.
  2. Patrick Wardle. (2017). Death by 1000 installers; it's all broken! Retrieved August 8, 2019.
  3. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  4. Patrick Wardle. (2018, February 17). Tearing Apart the Undetected (OSX)Coldroot RAT. Retrieved August 8, 2019.
  5. MITRE ATT&CK. T1548.004: Elevated Execution with Prompt (mitre-attack T1548.004).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.