UAC Bypass Attempt via Windows Directory Masquerading
Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.
Elastic rule
[metadata]
creation_date = "2020/10/26"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory.
Attackers may bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt via Windows Directory Masquerading"
references = ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"]
risk_score = 73
rule_id = "290aca65-e94d-403b-ba0f-62f320e63f51"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe")
'''

note = """## Triage and analysis

### Investigating UAC Bypass Attempt via Windows Directory Masquerading

#### Possible investigation steps

- Does the alert-local path prove execution from a mock trusted Windows directory?
  - Why: This technique abuses a trailing-space "C:\\Windows " tree that AppInfo checks can normalize while the fake path still executes.
  - Focus: `process.executable` and `process.command_line`, especially "C:\\Windows \\System32\\" or "C:\\Windows \\SysWOW64\\" instead of the canonical Windows path.
  - Implication: escalate when executable or argument paths contain the trailing-space trusted-directory clone; lower suspicion only when `process.executable` and `process.command_line` resolve to the canonical Windows path and later evidence does not contradict that.

- Is the binary a copied auto-elevating Windows executable?
  - Focus: `process.name`, `process.pe.original_file_name`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.hash.sha256`.
  - Implication: escalate when a signed Microsoft auto-elevating binary runs from the fake tree, name or PE metadata imitates one, or the hash is unfamiliar; if not auto-elevating, keep suspicious as path masquerading or staging until lineage and artifacts explain it.

- Do the parent, user, and token context fit a UAC-bypass transition?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `user.id`, `process.Ext.token.integrity_level_name`, and `process.Ext.token.elevation_level`.
  - Implication: escalate when a browser, document process, script host, installer, or remote-admin parent launches the copied binary with high or full integrity; lower suspicion when parent, user, token state, and host cohort align with confirmed compatibility or security testing.

- Did file events show the fake tree being staged before or by the alerting process?
  - Focus: same-`host.id` file events where `file.path` is under "C:\\Windows \\", plus alert-process file events scoped by `process.entity_id` when present. $investigate_2
  - Hint: File telemetry is conditional; missing file events leave staging unresolved, not benign. Use `file.Ext.original.path`, `file.origin_url`, and `file.Ext.windows.zone_identifier` only when the fake-tree writer is unclear.
  - Implication: escalate when any process creates "C:\\Windows \\", copies the auto-elevating executable, or drops a same-directory DLL; lower suspicion only when fake-tree artifacts are bounded to controlled lab testing with no contradictory DLL or child-process evidence.

- Did the copied binary load a sidecar DLL from the fake tree?
  - Focus: library events scoped by `host.id` plus `process.entity_id` when present; review `dll.path`, `dll.hash.sha256`, and `dll.code_signature.subject_name`. $investigate_3
  - Hint: Library telemetry is conditional; missing library events leave DLL payload execution unresolved, not benign.
  - Implication: escalate when the copied binary loads a same-directory DLL from the fake tree, especially unsigned, unfamiliar, or mismatched; if no DLL evidence appears, continue to child-process review before treating execution as unresolved.

- Did the copied binary spawn elevated follow-on code?
  - Focus: same-`host.id` child processes where `process.parent.entity_id` matches `process.entity_id`; review child `process.command_line` and `process.Ext.token.integrity_level_name`. $investigate_4
  - Implication: escalate when the copied binary spawns high-integrity shells, scripts, payloads, or unexpected admin tools; if no child appears, treat execution as unresolved unless path, binary, parent, file, and DLL evidence all support controlled lab testing.

- If local evidence is suspicious or incomplete, is the same fake path or host showing related activity?
  - Focus: related alerts for the same `process.executable` fake path, especially UAC-bypass, masquerading, or payload-staging detections; check same-host alert history for privilege-escalation, defense-evasion, or suspicious file-staging context.
  - $investigate_0
  - $investigate_1
  - Implication: escalate scope when the same fake path appears across hosts or the same host has surrounding staging, privilege-escalation, or defense-evasion alerts; keep scope local only when local evidence also supports controlled lab testing.

- What disposition do the fake path, binary identity, lineage, artifacts, execution, and scope support?
  - Escalate when path, binary identity, lineage, artifacts, execution, or scope show fake-tree UAC bypass; close only when all categories align with controlled lab testing and no contradictions remain; preserve artifacts and escalate when mixed or incomplete.

### False positive analysis

- This behavior is an operational anti-pattern outside explicit testing. Authorized compatibility or security research can trigger it only when a team deliberately constructs a trailing-space Windows tree in a controlled lab. Confirm exact `process.executable`, stable `process.hash.sha256`, Microsoft signer and original file name, `process.parent.executable`, `user.id`, `host.id`, and sidecar-DLL behavior against the same test. If test plans exist, require alignment; otherwise rely on prior alerts for the same path, hash, parent workflow, and lab cohort without unexpected elevated children.
- Do not treat a signed Microsoft binary or lab host as sufficient. Same-directory DLL load, elevated shell, suspicious parent, internet-provenance file event, or recurrence outside the expected cohort keeps the alert suspicious until the exact test scope explains it.
- Before an exception, validate recurrence of the minimum workflow pattern: exact `process.executable`, stable `process.hash.sha256`, `process.parent.executable`, expected sidecar-DLL behavior, and bounded `host.id` or `user.id` cohort. Avoid exceptions on "C:\\Windows " alone, binary name alone, or `host.id` alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and record the exact fake-tree path, copied binary hash, parent workflow, user/host cohort, and sidecar-DLL behavior that proved the recognized workflow. Create an exception only after that same pattern recurs consistently for this rule.
- If suspicious but unconfirmed, preserve a case export for the alert process, parent chain, token context, fake-tree directory, copied binary, sidecar DLLs and hashes, and any elevated child details before containment. Apply reversible containment next, such as restricting execution from the fake tree or isolating the affected host if sidecar loading, elevated children, or broader post-exploitation evidence is active.
- If confirmed malicious, collect the copied auto-elevating binary and sidecar DLLs, preserve process, file, and library telemetry, then isolate the host after weighing business criticality. Scope other hosts for the same fake path, copied binary hash, and DLL pattern before killing processes, deleting the fake "system32" tree, and remediating the launcher or access path that staged it.
- Post-incident hardening: remove the fake trailing-space directory tree, restrict creation or execution of copied Windows binaries from user-writable or fake trusted paths, retain file/library/process telemetry for same-directory DLL hijacking, and record the recovered auto-elevating-binary and DLL pair for future triage.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.executable",
    "process.command_line",
    "process.working_directory",
    "process.pe.original_file_name",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "process.hash.sha256",
    "process.parent.executable",
    "process.parent.command_line",
    "process.Ext.token.elevation_level",
    "process.Ext.token.integrity_level_name",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the same fake executable path"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "process.executable", queryType = "phrase", value = "{{process.executable}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the suspicious process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Library events for the suspicious process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "library", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child processes launched by the copied binary"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
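As an added example (not Elastic's code and not part of the rule above), the Python below re-implements the query's wildcard match over constructed process events, models the trailing-space normalization the guide's "Why" line refers to, and walks a constructed alert through the guide's triage steps (path, binary identity, token, file staging, sidecar DLL, elevated child) to produce the disposition the guide describes. Event fields use the flat ECS names from the rule's investigation fields; the dict shape, the `lab_profile` keys (including `host.ids`), the `related` structure, and every sample value are assumptions constructed for the example, and the normalization model is a simplification rather than a reimplementation of any Windows API.

```python
import re

# Wildcard patterns copied from the rule's EQL query (process.args : (...)).
RULE_PATTERNS = ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe")
FAKE_TREE_PREFIX = "c:\\windows \\"  # the trailing-space clone, lower-cased for comparisons
ELEVATED_LEVELS = ("high", "system")


def eql_wildcard_match(value, pattern):
    """Approximate EQL's ':' operator: case-insensitive, '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def rule_matches(event):
    """The rule's query: a Windows process start whose args hit one of the fake-tree patterns."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    return any(eql_wildcard_match(arg, pat)
               for arg in event.get("process.args", []) for pat in RULE_PATTERNS)


def strip_trailing_spaces(path):
    """Simplified model (an assumption, not any Windows API) of the normalization the guide's
    'Why' line refers to: trailing spaces are dropped from each component, so the clone compares
    equal to the canonical directory while the literal path still names the attacker-writable tree."""
    return "\\".join(part.rstrip(" ") for part in path.split("\\"))


def in_fake_tree(path):
    return path.lower().startswith(FAKE_TREE_PREFIX)


def matches_lab_profile(alert, lab_profile):
    """The false-positive section's minimum workflow pattern: exact executable, stable hash,
    same parent and a bounded host cohort. None of these on its own is sufficient."""
    if lab_profile is None:
        return False
    return (alert.get("process.executable") == lab_profile["process.executable"]
            and alert.get("process.hash.sha256") == lab_profile["process.hash.sha256"]
            and alert.get("process.parent.executable") == lab_profile["process.parent.executable"]
            and alert.get("host.id") in lab_profile["host.ids"])


def triage(alert, related, lab_profile=None):
    """Walk the guide's steps. `related` holds the same-host file, library and child-process
    events the $investigate_* links would pull; an empty list means the telemetry is missing."""
    findings = []
    exe = alert.get("process.executable", "")
    if in_fake_tree(exe) or FAKE_TREE_PREFIX in alert.get("process.command_line", "").lower():
        findings.append("fake_tree_path")
    if in_fake_tree(exe) and alert.get("process.code_signature.trusted") \
            and "microsoft" in alert.get("process.code_signature.subject_name", "").lower():
        findings.append("signed_microsoft_binary_from_fake_tree")
    if alert.get("process.Ext.token.integrity_level_name", "").lower() in ELEVATED_LEVELS:
        findings.append("elevated_token")
    files = related.get("file", [])
    if not files:
        findings.append("staging_unresolved")  # missing telemetry is unresolved, not benign
    else:
        if any(in_fake_tree(f.get("file.path", "")) for f in files):
            findings.append("fake_tree_staged")
        if any(f.get("file.origin_url") for f in files):
            findings.append("internet_provenance")
    libs = related.get("library", [])
    if not libs:
        findings.append("dll_load_unresolved")
    elif any(in_fake_tree(d.get("dll.path", "")) for d in libs):
        findings.append("sidecar_dll_loaded")
    if any(c.get("process.Ext.token.integrity_level_name", "").lower() in ELEVATED_LEVELS
           for c in related.get("process", [])):
        findings.append("elevated_child")
    # Close only when the lab pattern matches and no contradiction or gap remains;
    # anything mixed or incomplete is preserved and escalated, as the guide says.
    contradictions = {"sidecar_dll_loaded", "elevated_child", "internet_provenance",
                      "staging_unresolved", "dll_load_unresolved"}
    lab_aligned = matches_lab_profile(alert, lab_profile) and not (contradictions & set(findings))
    return {"findings": findings,
            "disposition": "close_as_lab_testing" if lab_aligned else "escalate"}


# Constructed sample telemetry (not real events); binary and host names are placeholders.
ALERT = {
    "host.os.type": "windows", "event.type": "start", "host.id": "host-01",
    "process.executable": "C:\\Windows \\System32\\copied.exe",
    "process.args": ["C:\\Windows \\System32\\copied.exe"],
    "process.command_line": "\"C:\\Windows \\System32\\copied.exe\"",
    "process.hash.sha256": "0" * 64,
    "process.code_signature.trusted": True,
    "process.code_signature.subject_name": "Microsoft Windows",
    "process.parent.executable": "C:\\Users\\alice\\Downloads\\setup.exe",
    "process.Ext.token.integrity_level_name": "high",
}
RELATED = {
    "file": [{"file.path": "C:\\Windows \\System32\\copied.exe"},
             {"file.path": "C:\\Windows \\System32\\sidecar.dll"}],
    "library": [{"dll.path": "C:\\Windows \\System32\\sidecar.dll"}],
    "process": [{"process.command_line": "cmd.exe", "process.Ext.token.integrity_level_name": "high"}],
}
CANONICAL = {"host.os.type": "windows", "event.type": "start",
             "process.args": ["C:\\Windows\\System32\\notepad.exe"]}
# Constructed lab profile for an authorized test cohort (assumed structure).
LAB_PROFILE = {"process.executable": ALERT["process.executable"], "process.hash.sha256": "0" * 64,
               "process.parent.executable": "C:\\Tools\\harness.exe", "host.ids": {"lab-01"}}

if __name__ == "__main__":
    print("rule fires:", rule_matches(ALERT), "| canonical path fires:", rule_matches(CANONICAL))
    print("normalized:", strip_trailing_spaces(ALERT["process.executable"]))
    print(triage(ALERT, RELATED, LAB_PROFILE))
```

Running the module shows the fake path firing the rule while the canonical one does not, the normalized form that collapses onto the real `System32` directory, and an "escalate" disposition carrying the sidecar-DLL and elevated-child findings; the same alert only closes as lab testing when it matches the exact executable, hash, parent and host cohort and no DLL, child or provenance contradiction is present.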
References
- https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
Related rules
- Bypass UAC via Event Viewer
- Privilege Escalation via Named Pipe Impersonation
- Potential Exploitation of an Unquoted Service Path Vulnerability
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- Unusual Parent-Child Relationship