Trusted Path Bypass via Windows Directory Spoofing
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
Sigma rule (View on GitHub)
1title: Trusted Path Bypass via Windows Directory Spoofing
2id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
3related:
4 - id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
5 type: similar
6status: experimental
7description: |
8 Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
9 This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
10references:
11 - https://x.com/Wietze/status/1933495426952421843
12author: Swachchhanda Shrawan Poudel (Nextron Systems)
13date: 2025-06-17
14tags:
15 - attack.persistence
16 - attack.defense-evasion
17 - attack.privilege-escalation
18 - attack.t1574.007
19 - attack.t1548.002
20logsource:
21 category: image_load
22 product: windows
23detection:
24 selection:
25 ImageLoaded|contains:
26 - ':\Windows \System32\' # Note the space between "Windows" and "System32"
27 - ':\Windows \SysWOW64\' # Note the space between "Windows" and "SysWOW64"
28 condition: selection
29falsepositives:
30 - Unlikely
31level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Potential Suspicious Activity Using SeCEdit
- PowerShell Web Access Feature Enabled Via DISM
- Shell Open Registry Keys Manipulation
- UAC Bypass With Fake DLL
- APT27 - Emissary Panda Activity