Program Files Directory Masquerading

Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/18"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and
11usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
12detections allowlisting those folders.
13"""
14from = "now-9m"
15index = [
16    "winlogbeat-*",
17    "logs-endpoint.events.process-*",
18    "logs-windows.*",
19    "endgame-*",
20    "logs-system.security*",
21]
22language = "eql"
23license = "Elastic License v2"
24name = "Program Files Directory Masquerading"
25risk_score = 47
26rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
27setup = """## Setup
28
29If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
30events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
31Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
32`event.ingested` to @timestamp.
33For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
34"""
35severity = "medium"
36tags = [
37    "Domain: Endpoint",
38    "OS: Windows",
39    "Use Case: Threat Detection",
40    "Tactic: Defense Evasion",
41    "Data Source: Elastic Endgame",
42    "Data Source: Elastic Defend",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48process where host.os.type == "windows" and event.type == "start" and
49  process.executable : "C:\\*Program*Files*\\*.exe" and
50  not process.executable : (
51        "?:\\Program Files\\*.exe",
52        "?:\\Program Files (x86)\\*.exe",
53        "?:\\Users\\*.exe",
54        "?:\\ProgramData\\*.exe",
55        "?:\\Windows\\Downloaded Program Files\\*.exe",
56        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
57        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
58  )
59'''
60
61
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64[[rule.threat.technique]]
65id = "T1036"
66name = "Masquerading"
67reference = "https://attack.mitre.org/techniques/T1036/"
68[[rule.threat.technique.subtechnique]]
69id = "T1036.005"
70name = "Match Legitimate Name or Location"
71reference = "https://attack.mitre.org/techniques/T1036/005/"
72
73
74
75[rule.threat.tactic]
76id = "TA0005"
77name = "Defense Evasion"
78reference = "https://attack.mitre.org/tactics/TA0005/"

Related rules

to-top