Microsoft explicitly does not consider UAC a security boundary. This means UAC bypasses are not assigned CVEs, not included in Patch Tuesday updates, and not treated as vulnerabilities requiring fixes. The UACME project has documented over 60 UAC bypass techniques; more than 20 remain unfixed. Researchers at Fortra demonstrated CVE-2024-6769, a combined UAC bypass and privilege escalation chain, but Microsoft declined to fix it, stating that the admin-to-SYSTEM boundary is "acceptable to traverse." This philosophical position means that UAC bypasses will continue to exist indefinitely in Windows, and defenders must treat UAC as a convenience feature rather than a security control. T1548 has six sub-techniques: Setuid and Setgid (T1548.001), Bypass User Account Control (T1548.002), Sudo and Sudo Caching (T1548.003), Elevated Execution with Prompt (T1548.004), Temporary Elevated Cloud Access (T1548.005), and TCC Manipulation (T1548.006).
T1548 falls under both the Privilege Escalation (TA0004) and Defense Evasion (TA0005) tactics. The technique covers any method an adversary uses to circumvent built-in elevation control mechanisms — systems designed to limit when and how a process or user can obtain higher privileges. The dual-tactic classification reflects that bypassing elevation controls both escalates the attacker's privileges and evades the security monitoring that those controls provide. The technique spans Windows, Linux, macOS, ESXi, IaaS, and Identity Provider platforms.
MITRE ATT&CK v18 documents dozens of threat groups and over 50 malware families using T1548, with T1548.002 (UAC bypass) being by far the most commonly observed sub-technique. MITRE published detection strategy DET0345 in October 2025, providing analytics for correlating registry modifications, unusual parent-child process relationships, setuid/setgid changes, and cloud elevation anomalies.
The Six Sub-Techniques
T1548.001 — Setuid and Setgid
On Linux and macOS, the setuid (Set User ID) and setgid (Set Group ID) permission bits allow a program to execute with the privileges of its owner rather than the user who launched it. Adversaries abuse this by either finding existing setuid binaries that can be leveraged for privilege escalation (cataloged extensively by the GTFOBins project) or by setting the setuid bit on their own malicious binaries after gaining initial access. Sandworm (GRU) was documented using this technique in their intrusion campaigns targeting Centreon systems. The OSX.Keydnap malware used setuid abuse to escalate privileges on macOS. Detection focuses on monitoring for changes to setuid/setgid bits via chmod u+s commands and identifying executions where the effective UID differs from the real UID.
T1548.002 — Bypass User Account Control
This is the most widely abused sub-technique. Windows UAC is designed to prompt users before allowing processes to run at elevated integrity levels. Adversaries bypass UAC through several categories of techniques. The first category exploits auto-elevating COM objects — Windows COM interfaces like ICMLuaUtil (CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}), CMSTPLUA, and ColorDataProxy (CLSID {D2E7041B-2927-42fb-8E9F-7CE93B6DC937}) are designed to auto-elevate without prompting. LockBit uses ICMLuaUtil and ColorDataProxy, BlackCat/ALPHV uses CMSTPLUA, and Medusa ransomware employs UAC bypass via COM objects as documented by Intel471 in May 2025.
The second category involves DLL hijacking of auto-elevating processes. Attackers place malicious DLLs in locations where elevated Windows processes will load them — using SxS DotLocal directories, DLL redirection, or missing dependency exploitation. Elastic Security Labs documented that this category is also useful for persistence and can bypass autoruns-based detection. The third category manipulates registry keys that trusted Windows executables check during execution. Auto-elevating binaries like fodhelper.exe, eventvwr.exe, and computerdefaults.exe read registry paths that standard users can modify, allowing attackers to redirect their execution to arbitrary commands. UACME v3.5.7 introduced the CurVer subkey technique, which redirects the shell default handler to bypass detection of hardcoded suspicious registry paths. The fourth involves abusing scheduled tasks that run at elevated integrity, such as the SilentCleanup task that spawns high-integrity descendant processes from user-writable AppData paths.
Qilin ransomware includes configurable UAC bypass as a standard payload feature, combining it with regsvr32-based DLL execution and XChaCha20 encryption. LockBit 3.0 was specifically documented in the CISA advisory (AA23-075A) as capable of bypassing UAC via elevated COM interface. Raspberry Robin malware, which targets telecom and government organizations, uses UAC bypass in its infection chain.
T1548.003 — Sudo and Sudo Caching
On Linux and macOS, sudo allows users to execute commands with elevated privileges. Adversaries abuse sudo in several ways: modifying the /etc/sudoers file to grant passwordless root access (ALL=(ALL) NOPASSWD: ALL), exploiting the sudo timestamp cache (which remembers recent authentication and does not re-prompt for a configurable period), and exploiting sudo vulnerabilities. The sudo timestamp is stored in /var/db/sudo/ on macOS and /var/run/sudo/ts/ on Linux. Adversaries can exploit this by waiting for a legitimate user to authenticate with sudo and then executing their commands within the cached window. The OSX.Dok and ProtonB macOS malware families both use sudo caching to escalate privileges. Cobalt Strike provides sudo-based elevation capabilities in its Linux payloads.
T1548.004 — Elevated Execution with Prompt
On macOS, the deprecated but still functional AuthorizationExecuteWithPrivileges API allows applications to request root execution by prompting the user for credentials. This API does not validate the requesting program's origin or integrity, meaning any application — including malware — can request root privileges. The user sees a standard macOS authentication dialog and may enter credentials without recognizing the request as malicious. The API also loads world-writable files during execution, which can be modified to perform malicious behavior with elevated privileges.
T1548.005 — Temporary Elevated Cloud Access
In cloud environments, adversaries abuse mechanisms designed for temporary privilege elevation. This includes exploiting Google Workspace Domain-Wide Delegation (the "DeleFriend" design flaw documented by Hunters in November 2023), abusing AWS IAM role assumption and service account impersonation, and exploiting Azure Managed Applications just-in-time access. These cloud elevation mechanisms are designed for legitimate administrative workflows but can be abused by adversaries who compromise a service account with delegation permissions or discover misconfigured IAM policies. The Scattered Spider group has targeted Azure AD and cloud identity systems using MFA abuse and self-service password reset exploitation to achieve elevated cloud access.
T1548.006 — TCC Manipulation
Apple's Transparency, Consent, and Control (TCC) framework governs which applications can access sensitive resources including the camera, microphone, contacts, calendar, full disk access, and screen recording. Adversaries manipulate TCC by directly modifying the TCC database (~/Library/Application Support/com.apple.TCC/TCC.db), injecting code into applications that already have TCC permissions, or exploiting TCC bypass vulnerabilities. Microsoft documented new XCSSET malware variants in March 2025 that add obfuscation, persistence techniques, and TCC manipulation when infecting Xcode projects. Elastic Security Labs published research in April 2024 on TCC database manipulation techniques.
How Elevation Abuse Works
UAC Bypass Mechanics
The typical UAC bypass follows a consistent pattern. The adversary's malware runs at medium integrity level (standard user). It identifies a Windows binary that is marked for auto-elevation (runs at high integrity without prompting) and either manipulates the registry keys that binary reads, places a malicious DLL where that binary will load it, or invokes a COM object that auto-elevates. The result is that the adversary's code now executes at high integrity without any UAC prompt being displayed to the user. The most commonly observed post-bypass actions are: the malware re-executing itself as high integrity, disabling Windows Defender or other EDR tools, deleting shadow copies, and deploying ransomware encryption.
Elastic Security Labs identified the most commonly observed UAC bypass methods used by malware families in the wild, noting that the executed commands after a bypass typically focus on defense evasion techniques rather than immediately deploying final payloads. This suggests that UAC bypass is used as an enabler for subsequent privilege-dependent actions rather than as an end in itself.
Cloud Elevation Chains
Cloud elevation abuse typically involves chaining multiple misconfigurations. An adversary might compromise a service account through phishing, discover that the account has domain-wide delegation permissions in Google Workspace, and then use those permissions to impersonate any user in the organization — including administrators. Similarly, in AWS, an attacker with the iam:PassRole permission can assign overly permissive roles to resources they control. The fundamental challenge is that cloud elevation mechanisms are designed for legitimate use cases (automated service-to-service communication, just-in-time access for maintenance) and cannot simply be disabled without breaking critical business workflows.
Why This Technique Matters
Ransomware requires administrative privileges to disable security tools, delete shadow copies, and encrypt files across network shares. UAC bypass provides those privileges silently. Without detecting elevation abuse, defenders miss the pivotal moment between initial access and irreversible damage. Dragos documented that Qilin, the most active ransomware group in 2025 (138 incidents in Q3 alone), includes UAC bypass as a standard configurable feature of its modular payload.
UAC bypass enables ransomware deployment. Nearly every Windows-targeting ransomware family includes UAC bypass capability. LockBit, BlackCat/ALPHV, Qilin, Medusa, WastedLocker, Bad Rabbit, Avaddon, and BitPaymer all incorporate UAC bypass techniques. The bypass is a critical step in the attack chain: without elevated privileges, the ransomware cannot disable Windows Defender, delete Volume Shadow Copies, or encrypt files in protected locations. Detecting UAC bypass provides an opportunity to stop ransomware before encryption begins.
Microsoft will not fix UAC bypasses. Microsoft's official position is that UAC is not a security boundary. The admin-to-SYSTEM boundary is considered "acceptable to traverse." This means that UAC bypasses remain in Windows indefinitely, and new ones continue to be discovered. The UACME project serves as a public catalog of these bypasses, with over 60 documented methods. This creates a permanent asymmetry: attackers have a growing library of reliable elevation techniques, while defenders cannot rely on patches to eliminate them.
Cloud elevation abuse bypasses on-premises security. When adversaries escalate privileges in cloud environments through delegation abuse, role assumption, or JIT access exploitation, the activity occurs entirely within the cloud provider's infrastructure. Traditional on-premises security monitoring, endpoint detection, and network analysis provide no visibility into these attacks. Organizations must deploy cloud-native security monitoring (CloudTrail, Google Workspace Audit Logs, Azure Activity Logs) to detect cloud elevation abuse.
Cross-platform coverage is expanding. T1548 is one of the few techniques with sub-techniques spanning Windows, Linux, macOS, ESXi, and cloud platforms. The addition of T1548.005 (Cloud Elevation) and T1548.006 (TCC Manipulation) in recent ATT&CK versions reflects the expansion of the attack surface as organizations adopt multi-cloud and macOS environments. Defenders must implement elevation monitoring across every platform in their environment, not just Windows.
Real-World Case Studies
Case 1: LockBit Ransomware — COM Object UAC Bypass
LockBit ransomware (all versions through LockBit 3.0) uses UAC bypass via elevated COM interface objects as a standard part of its encryption deployment. The CISA advisory AA23-075A documents that LockBit 3.0 executes code with elevated privileges through auto-elevating COM objects. McAfee's incident response analysis documented LockBit using the ICMLuaUtil COM interface (CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}) and the ColorDataProxy COM object (UACME method #43) sequentially — if the first bypass fails, the second is attempted. After achieving elevation, LockBit uses token impersonation to obtain the logged-on user's token via WTSGetActiveConsoleSessionId and WTSQueryUserToken, then duplicates the token with DuplicateTokenEx to create elevated processes. Following Operation Cronos in 2024, former LockBit affiliates migrated to RansomHub and then to Qilin, carrying these UAC bypass techniques with them.
Case 2: Qilin Ransomware — Modular UAC Bypass (2025)
Qilin emerged as the most active ransomware group in 2025, with up to 1,034 attributed victims. Dragos documented in Q3 2025 that Qilin's payload includes configurable UAC bypass as a modular feature alongside regsvr32-based DLL execution and XChaCha20 encryption. The group professionalized its RaaS platform with specialized legal advisory services and internal media teams for pressuring victims. The modular design means affiliates can configure which UAC bypass method to use based on the target environment's Windows version and security configuration. SOCRadar published a detailed TTP analysis in March 2025 documenting Qilin's UAC bypass implementation across its 2024 campaigns.
Case 3: CVE-2024-6769 — The UAC Bypass Microsoft Refused to Fix
In September 2024, Fortra disclosed CVE-2024-6769, a combined UAC bypass and privilege escalation vulnerability affecting all Windows versions. The attack involves remapping the system's root drive to a location under the attacker's control, shifting the system32 folder so that legitimate elevated services like ctfmon.exe load attacker-controlled DLLs. The vulnerability allows an authenticated attacker with standard admin privileges (behind UAC) to achieve full SYSTEM-level access. Microsoft acknowledged the research but declined to issue a fix, stating that UAC is not a security boundary. This case illustrates the fundamental disagreement: Fortra assigned it CVSS 6.7; Microsoft considers it intended behavior.
Case 4: XCSSET macOS Malware — TCC Manipulation (2025)
Microsoft Threat Intelligence reported new XCSSET variants in March 2025 that infect Xcode projects with enhanced obfuscation, persistence, and TCC manipulation capabilities. The malware modifies the macOS TCC database to grant itself access to protected resources without user consent, bypassing the macOS permission framework that is supposed to prevent unauthorized access to the camera, microphone, contacts, and full disk. XCSSET's evolution demonstrates that macOS elevation abuse is maturing alongside Windows-focused techniques, and organizations with developer workstations running Xcode face specific risks from supply chain infection through this vector.
Case 5: Scattered Spider — Cloud Elevation and Identity Abuse (2024–2025)
Scattered Spider (operating as an alliance with ShinyHunters and LAPSUS$) has consistently targeted cloud identity systems rather than traditional endpoints. Their techniques include help desk social engineering to reset MFA enrollment, exploitation of Azure AD self-service password reset functionality, and abuse of cloud delegation mechanisms. In Q3 2025, Dragos documented that their campaigns targeted Azure AD, VPN and Citrix gateways, ERP platforms, and virtualization infrastructure to achieve elevated cloud access. This cloud-first approach to privilege escalation bypasses traditional endpoint security entirely, requiring cloud-native detection capabilities.
Detection Strategies
MITRE published DET0345 in October 2025 with five analytics targeting T1548. On Windows: correlate UAC bypass registry key modifications, unusual parent-child process relationships (e.g., control.exe spawning cmd.exe), and unsigned elevated process executions. On Linux: monitor setuid/setgid bit changes and executions where UID differs from EUID. On macOS: detect security_authtrampoline execution and AuthorizationExecuteWithPrivileges API usage.
| Data Source | Component | Detection Focus |
|---|---|---|
| Windows Registry | Registry Key Modification | Changes to UAC bypass keys: HKCU\Software\Classes\ms-settings, HKCU\Software\Classes\mscfile, fodhelper/eventvwr shell handlers |
| Process | Process Creation | Auto-elevating binaries spawning suspicious children; dllhost.exe with known bypass CLSIDs; unsigned high-integrity processes |
| Command | Command Execution | Sudo configuration changes (visudo, echo to /etc/sudoers); chmod u+s on non-standard binaries |
| File | File Modification | Changes to macOS TCC.db; modifications to /etc/sudoers; DLL writes to system32 SxS directories |
| Cloud Logs | API Activity | IAM role assumption anomalies; Domain-Wide Delegation grants; JIT access requests outside business hours |
| Process | OS API Execution | AuthorizationExecuteWithPrivileges calls on macOS; token manipulation (DuplicateTokenEx, CreateProcessAsUserW) |
Splunk / SIEM Detection Queries
UAC Bypass via Registry Modification — Detect manipulation of registry keys used by auto-elevating Windows binaries:
index=sysmon EventCode=13
| where match(TargetObject, "(?i)(ms-settings\\\\shell\\\\open\\\\command|
mscfile\\\\shell\\\\open\\\\command|
Classes\\\\exefile\\\\shell\\\\runas|
Classes\\\\Folder\\\\shell\\\\open\\\\command)")
| stats count values(Details) as values values(Image) as modifying_process
by ComputerName TargetObject User
| sort - countSuspicious dllhost.exe COM Object Elevation — Identify dllhost.exe launching with CLSIDs known for UAC bypass:
index=sysmon EventCode=1 Image="*\\dllhost.exe"
| where match(CommandLine, "(?i)(3E5FC7F9|D2E7041B|
4991D34B|C7B8514E|0A29FF9E|9BA05972)")
| stats count values(CommandLine) as commands values(ParentImage) as parents
by ComputerName User
| sort - countLinux Setuid/Setgid and Sudoers Modification — Detect privilege escalation setup on Linux systems:
index=linux sourcetype=syslog
| where (match(cmdline, "(?i)chmod\s+[ugo]*\+s\s") AND NOT match(user, "root"))
OR match(cmdline, "(?i)(visudo|/etc/sudoers|NOPASSWD)")
OR (match(process, "find") AND match(cmdline, "-perm.*4000"))
| stats count values(cmdline) as commands by host user process
| sort - countCloud Elevation Anomaly Detection — Monitor for unusual privilege elevation in cloud environments:
index=cloudtrail (eventName="AssumeRole" OR eventName="CreateServiceAccountKey"
OR eventName="SetIamPolicy" OR eventName="UpdateAssumeRolePolicy")
| eval hour=strftime(_time, "%H")
| where (hour < 6 OR hour > 22) OR match(sourceIPAddress, "(?i)(tor|vpn|proxy)")
| stats count dc(eventName) as distinct_actions values(eventName) as actions
by userIdentity.arn sourceIPAddress
| where distinct_actions > 2
| sort - countKnown Threat Actors
Ransomware Groups Using UAC Bypass
| Threat Actor | UAC Bypass Method | Notable Detail |
|---|---|---|
| LockBit (all versions) | ICMLuaUtil + ColorDataProxy COM objects | CISA AA23-075A; token impersonation chain; Operation Cronos (2024) |
| BlackCat / ALPHV | CMSTPLUA COM interface | Change Healthcare breach; ChaCha20/AES encryption after elevation |
| Qilin | Configurable modular UAC bypass | Most active group 2025 (1,034 victims); XChaCha20 payload |
| Medusa | COM object UAC bypass | Intel471 threat hunting case study (May 2025); 300+ victims |
| WastedLocker (Evil Corp) | UAC bypass in deployment chain | Targeted ransomware with specific elevation routines |
| Bad Rabbit | UAC bypass for self-elevation | Destructive wiper disguised as ransomware |
| Avaddon | UAC bypass via COM | RaaS with integrated elevation before encryption |
Nation-State and APT Groups
| Threat Actor | Sub-Technique | Notable Detail |
|---|---|---|
| APT29 / Cozy Bear | T1548.002 (UAC bypass) | No Easy Breach campaigns; StellarParticle operations |
| APT28 / Fancy Bear | T1548.002 (UAC bypass) | Nearest Neighbor Wi-Fi attack with privilege escalation |
| Sandworm / GRU | T1548.001 (setuid/setgid) | Centreon system targeting with Linux privilege escalation |
| Emissary Panda / APT27 | T1548.002 (UAC bypass) | Targeted espionage with elevated tool deployment |
| ScarCruft / APT37 | T1548.002 (UAC bypass) | Bluetooth harvester deployment requiring elevation |
| Scattered Spider | T1548.005 (cloud elevation) | Azure AD, MFA abuse, cloud identity exploitation (2024-2025) |
| Winnti / APT41 | T1548.002 (UAC bypass) | Dual espionage and financial operations with elevation |
| Lazarus Group | T1548.002 (UAC bypass) | AppleJeus cryptocurrency malware with elevation |
Malware and Tools
| Tool / Malware | Sub-Technique | Notable Detail |
|---|---|---|
| UACME | T1548.002 | 60+ documented UAC bypass methods; 20+ unpatched; open-source |
| Raspberry Robin | T1548.002 | Targets telecom/government; UAC bypass in worm infection chain |
| XCSSET | T1548.006 (TCC manipulation) | New March 2025 variants with enhanced TCC bypass |
| Cobalt Strike | T1548.002, T1548.003 | Built-in UAC bypass and sudo elevation; Sliver also supports T1548.003 |
| Warzone RAT | T1548.002 | Commercial RAT with integrated UAC bypass module |
| OSX.Dok / ProtonB | T1548.003 (sudo caching) | macOS malware exploiting sudo timestamp cache |
Defensive Recommendations
1. Set UAC to Always Notify
Configure UAC to the highest level ("Always Notify") which requires consent for all elevation requests, including changes by the current user. This setting defeats auto-elevation bypasses that rely on trusted binaries running silently at high integrity. While it increases prompt frequency, it is the most effective mitigation against the majority of documented UAC bypass techniques. Deploy via Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > User Account Control: Behavior of the elevation prompt.
2. Remove Users from Local Administrators Group
UAC bypass is only relevant when the user account belongs to the local Administrators group. Standard user accounts cannot bypass UAC because there is no higher privilege level to elevate to. Implement the principle of least privilege by removing day-to-day user accounts from the Administrators group and using separate privileged accounts for administrative tasks. This eliminates the entire UAC bypass attack surface for standard users.
3. Monitor UAC Bypass Indicators
Deploy Sysmon or EDR rules to detect the building blocks of UAC bypass rather than specific implementations. Focus on registry modifications to known bypass paths (ms-settings, mscfile, fodhelper shell handlers), dllhost.exe execution with auto-elevating CLSIDs, DLL loading from non-standard paths by elevated system processes, and unsigned binaries executing at high integrity. Elastic Security Labs recommends focusing on DLL load events rather than file creation events for DLL hijack detection, as this is more resilient against evasion.
4. Harden Sudoers Configuration
On Linux and macOS, restrict sudoers configuration to specific commands rather than granting blanket ALL access. Set timestamp_timeout=0 in the sudoers file to disable credential caching entirely, requiring re-authentication for every sudo command. Monitor /etc/sudoers and /etc/sudoers.d/ for unauthorized modifications. Use Defaults requiretty to prevent sudo from being used in non-interactive sessions.
5. Audit Setuid/Setgid Binaries
Regularly audit systems for setuid/setgid binaries using find / -perm -4000 (setuid) and find / -perm -2000 (setgid). Maintain a baseline of expected setuid binaries and alert on any additions. Remove the setuid bit from binaries that do not require it. Monitor for chmod commands that add the setuid or setgid bits, especially by non-root users.
6. Implement Cloud Privilege Monitoring
Deploy monitoring for cloud elevation events including IAM role assumptions, service account key creation, delegation grants, and JIT access requests. Alert on elevation activity outside business hours, from unusual IP addresses, or involving sensitive administrative roles. Review and minimize Domain-Wide Delegation permissions in Google Workspace. Implement Privileged Access Management (PAM) solutions for cloud environments.
7. Protect macOS TCC Database
Monitor the TCC database (~/Library/Application Support/com.apple.TCC/TCC.db) for unauthorized modifications. Deploy endpoint protection that can detect and block direct TCC database manipulation. Keep macOS updated to patch known TCC bypass vulnerabilities. Audit application entitlements and permissions regularly to identify applications with excessive TCC grants.
8. Application Control and Code Signing
Deploy Windows Defender Application Control (WDAC) or AppLocker to restrict which binaries can execute at elevated integrity. Require code signing for elevated processes. This mitigates UAC bypass techniques that rely on placing unsigned malicious DLLs in locations where trusted processes will load them. While implementation requires significant effort, application control is one of the few defenses that addresses the fundamental weakness of UAC bypass.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1548 |
| Name | Abuse Elevation Control Mechanism |
| Tactics | Privilege Escalation (TA0004), Defense Evasion (TA0005) |
| Sub-Techniques | T1548.001 Setuid/Setgid, T1548.002 Bypass UAC, T1548.003 Sudo/Sudo Caching, T1548.004 Elevated Execution with Prompt, T1548.005 Temporary Elevated Cloud Access, T1548.006 TCC Manipulation |
| Platforms | Windows, Linux, macOS, ESXi, IaaS, Identity Provider, Office Suite |
| Version | 1.2 (Last Modified October 2025) |
| Detection Strategy | DET0345 (Published October 2025) |
| Data Sources | Windows Registry, Process Creation, Command Execution, File Modification, Cloud Logs, OS API Execution |
| Related Techniques | T1068 Exploitation for Privilege Escalation, T1134 Access Token Manipulation, T1078 Valid Accounts, T1574 Hijack Execution Flow |
Sources and References
This article draws on government advisories, vendor research, and open-source projects. All referenced sources are publicly available.
- CISA/FBI/MS-ISAC — #StopRansomware: LockBit 3.0 (AA23-075A, March 2023): cisa.gov
- CISA — Understanding Ransomware Threat Actors: LockBit (AA23-165A, June 2023): cisa.gov
- Elastic Security Labs — Exploring Windows UAC Bypasses: Techniques and Detection Strategies (May 2023): elastic.co
- hfiref0x/UACME — Defeating Windows User Account Control: github.com
- Fortra / Dark Reading — Novel Exploit Chain Enables Windows UAC Bypass (CVE-2024-6769, September 2024): darkreading.com
- Intel471 — Threat Hunt: User Account Control Bypass via Registry Modification (August 2025): intel471.com
- Dragos — Industrial Ransomware Analysis Q3 2025 (December 2025): dragos.com
- McAfee — Tales From the Trenches: A LockBit Ransomware Story: mcafee.com
- Halcyon — Power Rankings: Ransomware Malicious Quartile Q1-2025 (October 2025): halcyon.ai
- Microsoft Threat Intelligence — New XCSSET Malware (March 2025): attack.mitre.org
- MITRE ATT&CK — T1548 Abuse Elevation Control Mechanism and DET0345 (v18, October 2025): attack.mitre.org