Program Files Directory Masquerading
Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/18"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
4maturity = "production"
5updated_date = "2024/10/31"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and
13usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
14detections allowlisting those folders.
15"""
16from = "now-9m"
17index = [
18 "winlogbeat-*",
19 "logs-endpoint.events.process-*",
20 "logs-windows.forwarded*",
21 "logs-windows.sysmon_operational-*",
22 "endgame-*",
23 "logs-system.security*",
24 "logs-m365_defender.event-*",
25 "logs-sentinel_one_cloud_funnel.*",
26 "logs-crowdstrike.fdr*",
27]
28language = "eql"
29license = "Elastic License v2"
30name = "Program Files Directory Masquerading"
31risk_score = 47
32rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
33severity = "medium"
34tags = [
35 "Domain: Endpoint",
36 "OS: Windows",
37 "Use Case: Threat Detection",
38 "Tactic: Defense Evasion",
39 "Data Source: Elastic Endgame",
40 "Data Source: Elastic Defend",
41 "Data Source: System",
42 "Data Source: Microsoft Defender for Endpoint",
43 "Data Source: Sysmon",
44 "Data Source: SentinelOne",
45 "Data Source: Crowdstrike",
46]
47timestamp_override = "event.ingested"
48type = "eql"
49
50query = '''
51process where host.os.type == "windows" and event.type == "start" and
52 process.executable : (
53 "C:\\*Program*Files*\\*.exe",
54 "\\Device\\HarddiskVolume?\\*Program*Files*\\*.exe"
55 ) and
56 not process.executable : (
57 "?:\\Program Files\\*.exe",
58 "?:\\Program Files (x86)\\*.exe",
59 "?:\\Users\\*.exe",
60 "?:\\ProgramData\\*.exe",
61 "?:\\Windows\\Downloaded Program Files\\*.exe",
62 "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
63 "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
64 ) and
65 not (
66 event.dataset == "crowdstrike.fdr" and
67 process.executable : (
68 "\\Device\\HarddiskVolume?\\Program Files\\*.exe",
69 "\\Device\\HarddiskVolume?\\Program Files (x86)\\*.exe",
70 "\\Device\\HarddiskVolume?\\Users\\*.exe",
71 "\\Device\\HarddiskVolume?\\ProgramData\\*.exe",
72 "\\Device\\HarddiskVolume?\\Windows\\Downloaded Program Files\\*.exe",
73 "\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
74 "\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
75 )
76 )
77'''
78
79
80[[rule.threat]]
81framework = "MITRE ATT&CK"
82[[rule.threat.technique]]
83id = "T1036"
84name = "Masquerading"
85reference = "https://attack.mitre.org/techniques/T1036/"
86[[rule.threat.technique.subtechnique]]
87id = "T1036.005"
88name = "Match Legitimate Name or Location"
89reference = "https://attack.mitre.org/techniques/T1036/005/"
90
91
92
93[rule.threat.tactic]
94id = "TA0005"
95name = "Defense Evasion"
96reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Attempt to Install Kali Linux via WSL
- Control Panel Process with Unusual Arguments
- Enable Host Network Discovery via Netsh
- Microsoft Build Engine Started by a System Process
- Microsoft Build Engine Started by an Office Application