Program Files Directory Masquerading

Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third-party programs. An adversary may leverage masquerading, along with low privileges, to bypass detections that allowlist those folders: by default a standard user cannot write into C:\Program Files or C:\Program Files (x86), but can create a look-alike sibling directory (for example "C:\Program Files Common") at the drive root, because the root of the system drive grants Authenticated Users the right to create folders there.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and
usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
detections allowlisting those folders.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Program Files Directory Masquerading"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Program Files Directory Masquerading

The Program Files directories in Windows are trusted locations for legitimate software. Adversaries may exploit this trust by creating similarly named directories to execute malicious files, bypassing security measures. The detection rule identifies suspicious executions from these masquerading paths, excluding known legitimate directories, to flag potential threats. This helps in identifying defense evasion tactics used by attackers.

### Possible investigation steps

- Review the process executable path to confirm if it matches any known masquerading patterns, such as unexpected directories containing "Program Files" in their path.
- Check the parent process of the suspicious executable to determine how it was launched and assess if the parent process is legitimate or potentially malicious.
- Investigate the user account associated with the process execution to determine if it has low privileges and if the activity aligns with typical user behavior.
- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
- Examine the file hash of the executable to see if it matches known malware signatures or if it has been flagged in threat intelligence databases.
- Assess the network activity associated with the process to identify any unusual outbound connections that could indicate data exfiltration or command-and-control communication.

### False positive analysis

- Legitimate software installations or updates may create temporary directories resembling Program Files paths. Users can monitor installation logs and exclude these specific paths if they are verified as part of a legitimate process.
- Some enterprise applications may use custom directories that mimic Program Files for compatibility reasons. IT administrators should document these paths and add them to the exclusion list to prevent false alerts.
- Development environments might create test directories with similar naming conventions. Developers should ensure these paths are excluded during active development phases to avoid unnecessary alerts.
- Security tools or scripts that perform regular checks or updates might execute from non-standard directories. Verify these tools and add their execution paths to the exception list if they are confirmed safe.
- Backup or recovery software might temporarily use directories that resemble Program Files for storing executable files. Confirm the legitimacy of these operations and exclude the paths if they are part of routine backup processes.

### Response and remediation

- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
- Terminate any suspicious processes identified as executing from masquerading directories to halt any ongoing malicious actions.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants.
- Review and restore any altered system configurations or settings to their original state to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement additional monitoring on the affected system and similar environments to detect any recurrence of the threat or similar tactics.
- Update security policies and access controls to prevent unauthorized creation of directories that mimic trusted paths, enhancing defenses against similar masquerading attempts."""
risk_score = 47
rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.executable : (
    "C:\\*Program*Files*\\*.exe",
    "\\Device\\HarddiskVolume?\\*Program*Files*\\*.exe"
  ) and
  not process.executable : (
        "?:\\Program Files\\*.exe",
        "?:\\Program Files (x86)\\*.exe",
        "?:\\Users\\*.exe",
        "?:\\ProgramData\\*.exe",
        "?:\\Windows\\Downloaded Program Files\\*.exe",
        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
  ) and
  not (
    event.dataset == "crowdstrike.fdr" and
      process.executable : (
        "\\Device\\HarddiskVolume?\\Program Files\\*.exe",
        "\\Device\\HarddiskVolume?\\Program Files (x86)\\*.exe",
        "\\Device\\HarddiskVolume?\\Users\\*.exe",
        "\\Device\\HarddiskVolume?\\ProgramData\\*.exe",
        "\\Device\\HarddiskVolume?\\Windows\\Downloaded Program Files\\*.exe",
        "\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
        "\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
      )
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
...
```
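The query above is easier to reason about when you can run its where-clause against a handful of process events and see which ones survive the two exclusion blocks. The script below is an added example, not code from Elastic or from the rule itself: it re-implements only the EQL semantics the query relies on (the `:` operator is a case-insensitive wildcard match, `*` matches any run of characters including backslashes, `?` matches exactly one character) and copies the rule's pattern lists verbatim with the TOML `\\` unescaped. The sample events are constructed for illustration; they are not real telemetry, and the dataset names on them are assumed to be the ones the rule's `index` list maps to. Four things worth noticing in the results: the first pattern only looks at drive `C:`, so a masquerading directory on another drive is not in scope; `*` spans path separators, so `?:\Program Files\*.exe` excludes everything under the real directory at any depth; the match is case-insensitive, so `c:\PROGRAM FILES\` is also excluded; and the NT device-path exclusions only apply when `event.dataset` is `crowdstrike.fdr`, so a device-path event from any other source passes through.

```python
"""Offline evaluation of the rule's EQL where-clause over constructed process events.

Added example (not part of the Elastic rule). Only the EQL features the query
uses are emulated: the ':' operator (case-insensitive, '*' = any characters
including '\\', '?' = exactly one character) and plain boolean structure.
"""
import re

# Pattern lists copied from the rule query, with TOML "\\" unescaped to "\".
MASQ_PATTERNS = [
    r"C:\*Program*Files*\*.exe",
    r"\Device\HarddiskVolume?\*Program*Files*\*.exe",
]
LEGIT_PATTERNS = [
    r"?:\Program Files\*.exe",
    r"?:\Program Files (x86)\*.exe",
    r"?:\Users\*.exe",
    r"?:\ProgramData\*.exe",
    r"?:\Windows\Downloaded Program Files\*.exe",
    r"?:\Windows\Temp\.opera\????????????\CProgram?FilesOpera*\*.exe",
    r"?:\Windows\Temp\.opera\????????????\CProgram?Files?(x86)Opera*\*.exe",
]
# Same exclusions as NT device paths; the rule applies them only to CrowdStrike FDR events.
CROWDSTRIKE_LEGIT_PATTERNS = [
    r"\Device\HarddiskVolume?\Program Files\*.exe",
    r"\Device\HarddiskVolume?\Program Files (x86)\*.exe",
    r"\Device\HarddiskVolume?\Users\*.exe",
    r"\Device\HarddiskVolume?\ProgramData\*.exe",
    r"\Device\HarddiskVolume?\Windows\Downloaded Program Files\*.exe",
    r"\Device\HarddiskVolume?\Windows\Temp\.opera\????????????\CProgram?FilesOpera*\*.exe",
    r"\Device\HarddiskVolume?\Windows\Temp\.opera\????????????\CProgram?Files?(x86)Opera*\*.exe",
]


def eql_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an EQL ':' wildcard pattern into an anchored, case-insensitive regex.
    '*' -> '.*' (DOTALL, so it also spans backslashes), '?' -> '.', everything else literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def eql_match(value: str, patterns) -> bool:
    """Emulate `field : (p1, p2, ...)`: true if any pattern matches the whole value."""
    return any(eql_wildcard_to_regex(p).fullmatch(value) for p in patterns)


def rule_fires(event: dict) -> bool:
    """Evaluate the rule's where-clause for a single flattened ECS event."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    exe = event.get("process.executable", "")
    if not eql_match(exe, MASQ_PATTERNS):          # must look like a Program Files path on C:
        return False
    if eql_match(exe, LEGIT_PATTERNS):             # the real directories and known benign spots
        return False
    if event.get("event.dataset") == "crowdstrike.fdr" and eql_match(exe, CROWDSTRIKE_LEGIT_PATTERNS):
        return False                               # device-path exclusions, CrowdStrike FDR only
    return True


def _ev(exe: str, dataset: str = "endpoint.events.process", os_type: str = "windows") -> dict:
    return {"host.os.type": os_type, "event.type": "start",
            "event.dataset": dataset, "process.executable": exe}


# Constructed sample events (not real telemetry). Expected verdicts are asserted in the test.
SAMPLE_EVENTS = [
    _ev(r"C:\Program Files\Git\bin\git.exe"),                           # real dir, any depth -> excluded
    _ev(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),  # real x86 dir -> excluded
    _ev(r"C:\Program Files Common\svchost.exe"),                        # look-alike sibling dir -> fires
    _ev(r"C:\ProgramFiles\update.exe"),                                 # missing space -> fires
    _ev(r"C:\Windows\Temp\Program Files\installer.exe"),                # nested look-alike -> fires
    _ev(r"C:\Users\bob\AppData\Local\Program Files\tool.exe"),          # under Users -> excluded
    _ev(r"\Device\HarddiskVolume3\Program Files\Vendor\agent.exe", "crowdstrike.fdr"),  # excluded
    _ev(r"\Device\HarddiskVolume3\Program Files\Vendor\agent.exe"),     # same path, other dataset -> fires
    _ev(r"D:\Program Files Extra\x.exe"),                               # not drive C: -> out of scope
    _ev(r"c:\PROGRAM FILES\Foo\bar.exe"),                               # case-insensitive -> excluded
    _ev(r"C:\Program Files Common\x.exe", os_type="linux"),             # wrong OS -> out of scope
]


def evaluate(events):
    """Return [(executable, dataset, fired), ...] for a list of events."""
    return [(e["process.executable"], e["event.dataset"], rule_fires(e)) for e in events]


if __name__ == "__main__":
    for exe, dataset, fired in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT ' if fired else 'ignore'}  {dataset:<24} {exe}")
```

Before adding an exclusion for a false positive, run the candidate path through `rule_fires` the same way; because `*` crosses backslashes, an exclusion such as `?:\Program Files Common\*.exe` silences the whole tree, so prefer the narrowest pattern that covers the verified binary.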
