TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
Sigma rule (View on GitHub)
1title: TrustedPath UAC Bypass Pattern
2id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
3related:
4 - id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
5 type: similar
6status: test
7description: Detects indicators of a UAC bypass method by mocking directories
8references:
9 - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
10 - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
11 - https://github.com/netero1010/TrustedPath-UACBypass-BOF
12 - https://x.com/Wietze/status/1933495426952421843
13author: Florian Roth (Nextron Systems)
14date: 2021-08-27
15modified: 2025-06-17
16tags:
17 - attack.defense-evasion
18 - attack.t1548.002
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection:
24 Image|contains:
25 - 'C:\Windows \System32\'
26 - 'C:\Windows \SysWOW64\'
27 condition: selection
28falsepositives:
29 - Unknown
30level: critical
References
-
-
DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC.
Read More -
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object. - netero1010/TrustedPat...
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Trusted Path Bypass via Windows Directory Spoofing
- UAC Bypass With Fake DLL
- UAC Notification Disabled
- UAC Secure Desktop Prompt Disabled
- CMSTP UAC Bypass via COM Object Access