Trusted Path Bypass via Windows Directory Spoofing
Detects DLLs loading from a spoofed Windows directory path that contains an extra space (e.g. "C:\Windows \System32"), which can bypass Windows trusted-path verification. The technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high-integrity privileges and thereby bypass UAC.
Sigma rule
```yaml
title: Trusted Path Bypass via Windows Directory Spoofing
id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
related:
    - id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
      type: similar
status: experimental
description: |
    Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g. "C:\Windows \System32") which can bypass Windows trusted path verification.
    This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
references:
    - https://x.com/Wietze/status/1933495426952421843
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.007
    - attack.t1548.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains:
            - ':\Windows \System32\' # Note the space between "Windows" and "System32"
            - ':\Windows \SysWOW64\' # Note the space between "Windows" and "SysWOW64"
    condition: selection
falsepositives:
    - Unlikely
level: high
```
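As an added example (not part of the rule or of this page), the rule's selection logic implemented in Python and run over constructed Sysmon-style image-load records: the `Image`/`ImageLoaded` field names follow Sysmon Event ID 7, the sample paths are made up, and, like Sigma's `contains`, the comparison is case-insensitive.

```python
from dataclasses import dataclass

# Substrings from the rule's ImageLoaded|contains selection. Sigma string
# matching is case-insensitive, so both sides are lower-cased before comparing.
SPOOFED_DIR_FRAGMENTS = (
    ":\\windows \\system32\\",   # "C:\Windows \System32\" (space after "Windows")
    ":\\windows \\syswow64\\",   # "C:\Windows \SysWOW64\"
)

@dataclass
class ImageLoadEvent:
    image: str         # process that loaded the module
    image_loaded: str  # full path of the loaded DLL

def parse_sysmon_text(block):
    """Parse 'Key: Value' lines (Sysmon Event ID 7 message style) into an event.
    partition() splits on the first colon only, so drive letters in values survive."""
    fields = {}
    for line in block.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return ImageLoadEvent(fields.get("Image", ""), fields.get("ImageLoaded", ""))

def is_spoofed_windows_dir_load(event):
    """Equivalent of the rule's condition: ImageLoaded contains a spoofed fragment.
    The genuine 'C:\\Windows\\System32\\' (no space) does not match."""
    path = event.image_loaded.lower()
    return any(frag in path for frag in SPOOFED_DIR_FRAGMENTS)

def find_alerts(blocks):
    return [e for e in map(parse_sysmon_text, blocks) if is_spoofed_windows_dir_load(e)]

# Constructed sample records, not real telemetry.
SAMPLE_BLOCKS = [
    "Image: C:\\Windows\\System32\\svchost.exe\nImageLoaded: C:\\Windows\\System32\\kernel32.dll",
    "Image: C:\\Windows \\System32\\app.exe\nImageLoaded: C:\\Windows \\System32\\version.dll",
    "Image: C:\\Windows \\SysWOW64\\app.exe\nImageLoaded: c:\\windows \\syswow64\\secur32.dll",
    "Image: C:\\Users\\alice\\tool.exe\nImageLoaded: C:\\Users\\alice\\tool.dll",
]

if __name__ == "__main__":
    for e in find_alerts(SAMPLE_BLOCKS):
        print(f"ALERT spoofed trusted path: {e.image} loaded {e.image_loaded}")
```

The second and third records fire (the third only because matching is case-insensitive); the first, a load from the real System32, and the fourth do not.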
Related rules
- Potential Suspicious Activity Using SeCEdit
- UAC Bypass With Fake DLL
- APT27 - Emissary Panda Activity
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation