Program Files Directory Masquerading

Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/18"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and
13usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
14detections allowlisting those folders.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Program Files Directory Masquerading"
21note = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
24"""
25risk_score = 47
26rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
27severity = "medium"
28tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33process where host.os.type == "windows" and event.type == "start" and
34 process.executable : "C:\\*Program*Files*\\*.exe" and
35 not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1036"
43name = "Masquerading"
44reference = "https://attack.mitre.org/techniques/T1036/"
45[[rule.threat.technique.subtechnique]]
46id = "T1036.005"
47name = "Match Legitimate Name or Location"
48reference = "https://attack.mitre.org/techniques/T1036/005/"
49
50
51
52[rule.threat.tactic]
53id = "TA0005"
54name = "Defense Evasion"
55reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

Related rules

to-top