1. Home
  2. Techniques
  3. Enterprise
  4. Abuse Elevation Control Mechanism
  5. Elevated Execution with Prompt

Abuse Elevation Control Mechanism: Elevated Execution with Prompt

ID Name
T1548.001 Setuid and Setgid
T1548.002 Bypass User Account Control
T1548.003 Sudo and Sudo Caching
T1548.004 Elevated Execution with Prompt
T1548.005 Temporary Elevated Cloud Access
T1548.006 TCC Manipulation

Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.[1] The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.

Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.

Adversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.[2][3][4] This technique may be combined with Masquerading to trick the user into granting escalated privileges to malicious code.[2][3] This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.[2]

ID: T1548.004
Sub-technique of:  T1548
Platforms: macOS
Contributors: Erika Noerenberg, @gutterchurl, Carbon Black; Jimmy Astle, @AstleJimmy, Carbon Black
Version: 1.1
Created: 30 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0402 OSX/Shlayer

OSX/Shlayer can escalate privileges to root by asking the user for credentials.[3]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

System settings can prevent applications from running that haven't been downloaded through the Apple Store which may help mitigate some of these issues. Not allowing unsigned applications from being run may also mitigate some risk.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0395 macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection AN1111

Detects abuse of AuthorizationExecuteWithPrivileges API to gain elevated privileges via user credential prompts, typically through invocation of /usr/libexec/security_authtrampoline. Detection involves correlation of API usage, binary reputation, and prompt context.

References

  1. Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges. Retrieved August 8, 2019.
  2. Patrick Wardle. (2017). Death by 1000 installers; it's all broken!. Retrieved August 8, 2019.
  1. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  2. Patrick Wardle. (2018, February 17). Tearing Apart the Undetected (OSX)Coldroot RAT. Retrieved August 8, 2019.