Program Files Directory Masquerading
Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/18"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and
13usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
14detections allowlisting those folders.
15"""
16from = "now-9m"
17index = [
18 "winlogbeat-*",
19 "logs-endpoint.events.process-*",
20 "logs-windows.forwarded*",
21 "logs-windows.sysmon_operational-*",
22 "endgame-*",
23 "logs-system.security*",
24 "logs-m365_defender.event-*",
25 "logs-sentinel_one_cloud_funnel.*",
26]
27language = "eql"
28license = "Elastic License v2"
29name = "Program Files Directory Masquerading"
30risk_score = 47
31rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
32severity = "medium"
33tags = [
34 "Domain: Endpoint",
35 "OS: Windows",
36 "Use Case: Threat Detection",
37 "Tactic: Defense Evasion",
38 "Data Source: Elastic Endgame",
39 "Data Source: Elastic Defend",
40 "Data Source: System",
41 "Data Source: Microsoft Defender for Endpoint",
42 "Data Source: Sysmon",
43 "Data Source: SentinelOne",
44]
45timestamp_override = "event.ingested"
46type = "eql"
47
48query = '''
49process where host.os.type == "windows" and event.type == "start" and
50 process.executable : "C:\\*Program*Files*\\*.exe" and
51 not process.executable : (
52 "?:\\Program Files\\*.exe",
53 "?:\\Program Files (x86)\\*.exe",
54 "?:\\Users\\*.exe",
55 "?:\\ProgramData\\*.exe",
56 "?:\\Windows\\Downloaded Program Files\\*.exe",
57 "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
58 "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
59 )
60'''
61
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1036"
67name = "Masquerading"
68reference = "https://attack.mitre.org/techniques/T1036/"
69[[rule.threat.technique.subtechnique]]
70id = "T1036.005"
71name = "Match Legitimate Name or Location"
72reference = "https://attack.mitre.org/techniques/T1036/005/"
73
74
75
76[rule.threat.tactic]
77id = "TA0005"
78name = "Defense Evasion"
79reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Adding Hidden File Attribute via Attrib
- Attempt to Install Kali Linux via WSL
- Bypass UAC via Event Viewer
- Clearing Windows Console History
- Clearing Windows Event Logs