TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
Sigma rule (View on GitHub)
1title: TrustedPath UAC Bypass Pattern
2id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
3related:
4 - id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
5 type: similar
6status: test
7description: Detects indicators of a UAC bypass method by mocking directories
8references:
9 - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
10 - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
11 - https://github.com/netero1010/TrustedPath-UACBypass-BOF
12 - https://x.com/Wietze/status/1933495426952421843
13author: Florian Roth (Nextron Systems)
14date: 2021-08-27
15modified: 2025-06-17
16tags:
17 - attack.privilege-escalation
18 - attack.defense-evasion
19 - attack.t1548.002
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection:
25 Image|contains:
26 - 'C:\Windows \System32\'
27 - 'C:\Windows \SysWOW64\'
28 condition: selection
29falsepositives:
30 - Unknown
31level: critical
References
-
-
DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC.
Read More -
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object. - netero1010/TrustedPat...
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Always Install Elevated MSI Spawned Cmd And Powershell
- Always Install Elevated Windows Installer
- Bypass UAC via Fodhelper.exe
- Explorer NOUACCHECK Flag
- PowerShell Web Access Feature Enabled Via DISM