Trusted Path Bypass via Windows Directory Spoofing

Detects DLLs loading from a spoofed Windows directory path that contains an extra space (e.g. "C:\Windows \System32"), which can bypass Windows trusted path verification. This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges and thereby bypass UAC.

Sigma rule

title: Trusted Path Bypass via Windows Directory Spoofing
id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
related:
    - id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
      type: similar
status: experimental
description: |
    Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g. "C:\Windows \System32") which can bypass Windows trusted path verification.
    This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
references:
    - https://x.com/Wietze/status/1933495426952421843
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-17
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.007
    - attack.t1548.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains:
            - ':\Windows \System32\'  # Note the space between "Windows" and "System32"
            - ':\Windows \SysWOW64\'  # Note the space between "Windows" and "SysWOW64"
    condition: selection
falsepositives:
    - Unlikely
level: high
