Program Files Directory Masquerading

Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/18"
 3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and
13usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
14detections allowlisting those folders.
15"""
16from = "now-9m"
17index = [
18    "winlogbeat-*",
19    "logs-endpoint.events.process-*",
20    "logs-windows.forwarded*",
21    "logs-windows.sysmon_operational-*",
22    "endgame-*",
23    "logs-system.security*",
24    "logs-m365_defender.event-*",
25    "logs-sentinel_one_cloud_funnel.*",
26]
27language = "eql"
28license = "Elastic License v2"
29name = "Program Files Directory Masquerading"
30risk_score = 47
31rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
32severity = "medium"
33tags = [
34    "Domain: Endpoint",
35    "OS: Windows",
36    "Use Case: Threat Detection",
37    "Tactic: Defense Evasion",
38    "Data Source: Elastic Endgame",
39    "Data Source: Elastic Defend",
40    "Data Source: System",
41    "Data Source: Microsoft Defender for Endpoint",
42    "Data Source: Sysmon",
43    "Data Source: SentinelOne",
44]
45timestamp_override = "event.ingested"
46type = "eql"
47
48query = '''
49process where host.os.type == "windows" and event.type == "start" and
50  process.executable : "C:\\*Program*Files*\\*.exe" and
51  not process.executable : (
52        "?:\\Program Files\\*.exe",
53        "?:\\Program Files (x86)\\*.exe",
54        "?:\\Users\\*.exe",
55        "?:\\ProgramData\\*.exe",
56        "?:\\Windows\\Downloaded Program Files\\*.exe",
57        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
58        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
59  )
60'''
61
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1036"
67name = "Masquerading"
68reference = "https://attack.mitre.org/techniques/T1036/"
69[[rule.threat.technique.subtechnique]]
70id = "T1036.005"
71name = "Match Legitimate Name or Location"
72reference = "https://attack.mitre.org/techniques/T1036/005/"
73
74
75
76[rule.threat.tactic]
77id = "TA0005"
78name = "Defense Evasion"
79reference = "https://attack.mitre.org/tactics/TA0005/"

Related rules

to-top