Program Files Directory Masquerading

calendar Jun 26, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Defense Evasion Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Microsoft Defender for Endpoint  ·
Share on: linkedin copy

Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/18"
 3integration = ["endpoint", "windows", "m365_defender"]
 4maturity = "production"
 5updated_date = "2024/06/25"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and
11usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
12detections allowlisting those folders.
13"""
14from = "now-9m"
15index = [
16    "winlogbeat-*",
17    "logs-endpoint.events.process-*",
18    "logs-windows.*",
19    "endgame-*",
20    "logs-system.security*",
21    "logs-m365_defender.event-*"
22]
23language = "eql"
24license = "Elastic License v2"
25name = "Program Files Directory Masquerading"
26risk_score = 47
27rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
28setup = """## Setup
29
30If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
31events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
32Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
33`event.ingested` to @timestamp.
34For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
35"""
36severity = "medium"
37tags = [
38    "Domain: Endpoint",
39    "OS: Windows",
40    "Use Case: Threat Detection",
41    "Tactic: Defense Evasion",
42    "Data Source: Elastic Endgame",
43    "Data Source: Elastic Defend",
44    "Data Source: Microsoft Defender for Endpoint"
45]
46timestamp_override = "event.ingested"
47type = "eql"
48
49query = '''
50process where host.os.type == "windows" and event.type == "start" and
51  process.executable : "C:\\*Program*Files*\\*.exe" and
52  not process.executable : (
53        "?:\\Program Files\\*.exe",
54        "?:\\Program Files (x86)\\*.exe",
55        "?:\\Users\\*.exe",
56        "?:\\ProgramData\\*.exe",
57        "?:\\Windows\\Downloaded Program Files\\*.exe",
58        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
59        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
60  )
61'''
62
63
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1036"
68name = "Masquerading"
69reference = "https://attack.mitre.org/techniques/T1036/"
70[[rule.threat.technique.subtechnique]]
71id = "T1036.005"
72name = "Match Legitimate Name or Location"
73reference = "https://attack.mitre.org/techniques/T1036/005/"
74
75
76
77[rule.threat.tactic]
78id = "TA0005"
79name = "Defense Evasion"
80reference = "https://attack.mitre.org/tactics/TA0005/"

Related rules

to-top