UAC Bypass Attempt via Windows Directory Masquerading
Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.
Detection Query
process where host.os.type == "windows" and event.type == "start" and
process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe")
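The query above re-implemented as an added Python example (not part of the Elastic rule) that applies the rule's EQL conditions to constructed ECS-shaped process events and reports the path component that carries the trailing space; `example.exe`, the helper names and the sample events are placeholders, and the `*` wildcard is modelled the way EQL evaluates it (case-insensitive, spanning path separators):

```python
import re

# The rule's two wildcard patterns as Python literals, carrying the same single
# backslashes EQL sees after unescaping the query text.
RULE_PATTERNS = ["C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe"]

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Model EQL ':' with wildcards: '*' matches any run of characters, including
    path separators, and the comparison is case-insensitive."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)

COMPILED = [wildcard_to_regex(p) for p in RULE_PATTERNS]

def trailing_space_components(path: str) -> list[str]:
    """Path components ending in whitespace; the canonical C:\\Windows tree never
    has one, so a hit pinpoints the mock trusted directory for the analyst."""
    return [part for part in path.split("\\") if part != part.rstrip()]

def matches_rule(event: dict) -> bool:
    """Apply the rule's EQL conditions to one ECS-shaped process event."""
    if event.get("host", {}).get("os", {}).get("type") != "windows":
        return False
    types = event.get("event", {}).get("type", [])
    if "start" not in ([types] if isinstance(types, str) else types):
        return False
    # process.args is an array; EQL ':' matches when any element matches.
    return any(rx.match(arg) for arg in event.get("process", {}).get("args", [])
               for rx in COMPILED)

def evaluate(events: list[dict]) -> list[str]:
    """Return the offending argument of every event the rule would alert on."""
    return [next(a for a in ev["process"]["args"] if any(rx.match(a) for rx in COMPILED))
            for ev in events if matches_rule(ev)]

def _ev(os_type: str, ev_type: str, args: list[str]) -> dict:
    return {"host": {"os": {"type": os_type}}, "event": {"type": [ev_type]},
            "process": {"args": args}}

# Constructed sample events, not real telemetry; example.exe is a placeholder.
SAMPLE_EVENTS = [
    _ev("windows", "start", ["C:\\Windows\\System32\\cmd.exe", "/c", "whoami"]),  # canonical path
    _ev("windows", "start", ["C:\\Windows \\System32\\example.exe"]),             # trailing-space clone
    _ev("windows", "start", ["c:\\windows \\syswow64\\example.exe", "--flag"]),   # case-insensitive hit
    _ev("windows", "start", ["C:\\Windows \\System32\\sub\\example.exe"]),        # '*' spans separators
    _ev("windows", "end", ["C:\\Windows \\System32\\example.exe"]),               # wrong event.type
    _ev("linux", "start", ["C:\\Windows \\System32\\example.exe"]),               # wrong host.os.type
]
```

`evaluate(SAMPLE_EVENTS)` returns only the three trailing-space arguments, and `trailing_space_components(hit)` yields `["Windows "]` for each, which is the component to look for in `process.executable` during triage.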
Author
Elastic
Created
2020/10/26
Data Sources
Elastic Endgame, Elastic Defend, Windows Security Event Logs, Microsoft Defender XDR, Sysmon, SentinelOne, Crowdstrike
Index patterns: endgame-*, logs-crowdstrike.fdr*, logs-endpoint.events.process-*, logs-m365_defender.event-*, logs-sentinel_one_cloud_funnel.*, logs-system.security*, logs-windows.forwarded*, logs-windows.sysmon_operational-*, winlogbeat-*
Tags
Domain: Endpoint, OS: Windows, Use Case: Threat Detection, Tactic: Privilege Escalation, Resources: Investigation Guide, Data Source: Elastic Endgame, Data Source: Elastic Defend, Data Source: Windows Security Event Logs, Data Source: Microsoft Defender XDR, Data Source: Sysmon, Data Source: SentinelOne, Data Source: Crowdstrike
Raw Content
[metadata]
creation_date = "2020/10/26"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/03"
[rule]
author = ["Elastic"]
description = """
Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory.
Attackers may bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = [
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt via Windows Directory Masquerading"
references = ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"]
risk_score = 73
rule_id = "290aca65-e94d-403b-ba0f-62f320e63f51"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender XDR",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe")
'''
note = """## Triage and analysis
### Investigating UAC Bypass Attempt via Windows Directory Masquerading
#### Possible investigation steps
- Does the alert-local path prove execution from a mock trusted Windows directory?
  - Why: This technique abuses a trailing-space "C:\\Windows " tree that AppInfo checks can normalize while the fake path still executes.
  - Focus: `process.executable` and `process.command_line`, especially "C:\\Windows \\System32\\" or "C:\\Windows \\SysWOW64\\" instead of the canonical Windows path.
  - Implication: escalate when executable or argument paths contain the trailing-space trusted-directory clone; lower suspicion only when `process.executable` and `process.command_line` resolve to the canonical Windows path and later evidence does not contradict that.
- Is the binary a copied auto-elevating Windows executable?
  - Focus: `process.name`, `process.pe.original_file_name`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.hash.sha256`.
  - Implication: escalate when a signed Microsoft auto-elevating binary runs from the fake tree, name or PE metadata imitates one, or the hash is unfamiliar; if not auto-elevating, keep suspicious as path masquerading or staging until lineage and artifacts explain it.
- Do the parent, user, and token context fit a UAC-bypass transition?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `user.id`, `process.Ext.token.integrity_level_name`, and `process.Ext.token.elevation_level`.
  - Implication: escalate when a browser, document process, script host, installer, or remote-admin parent launches the copied binary with high or full integrity; lower suspicion when parent, user, token state, and host cohort align with confirmed compatibility or security testing.
- Did file events show the fake tree being staged before or by the alerting process?
  - Focus: same-`host.id` file events where `file.path` is under "C:\\Windows \\", plus alert-process file events scoped by `process.entity_id` when present. $investigate_2
  - Hint: File telemetry is conditional; missing file events leave staging unresolved, not benign. Use `file.Ext.original.path`, `file.origin_url`, and `file.Ext.windows.zone_identifier` only when the fake-tree writer is unclear.
  - Implication: escalate when any process creates "C:\\Windows \\", copies the auto-elevating executable, or drops a same-directory DLL; lower suspicion only when fake-tree artifacts are bounded to controlled lab testing with no contradictory DLL or child-process evidence.
- Did the copied binary load a sidecar DLL from the fake tree?
  - Focus: library events scoped by `host.id` plus `process.entity_id` when present; review `dll.path`, `dll.hash.sha256`, and `dll.code_signature.subject_name`. $investigate_3
  - Hint: Library telemetry is conditional; missing library events leave DLL payload execution unresolved, not benign.
  - Implication: escalate when the copied binary loads a same-directory DLL from the fake tree, especially unsigned, unfamiliar, or mismatched; if no DLL evidence appears, continue to child-process review before treating execution as unresolved.
- Did the copied binary spawn elevated follow-on code?
  - Focus: same-`host.id` child processes where `process.parent.entity_id` matches `process.entity_id`; review child `process.command_line` and `process.Ext.token.integrity_level_name`. $investigate_4
  - Implication: escalate when the copied binary spawns high-integrity shells, scripts, payloads, or unexpected admin tools; if no child appears, treat execution as unresolved unless path, binary, parent, file, and DLL evidence all support controlled lab testing.
- If local evidence is suspicious or incomplete, is the same fake path or host showing related activity?
  - Focus: related alerts for the same `process.executable` fake path, especially UAC-bypass, masquerading, or payload-staging detections; check same-host alert history for privilege-escalation, defense-evasion, or suspicious file-staging context.
  - $investigate_0
  - $investigate_1
  - Implication: escalate scope when the same fake path appears across hosts or the same host has surrounding staging, privilege-escalation, or defense-evasion alerts; keep scope local only when local evidence also supports controlled lab testing.
- What disposition do the fake path, binary identity, lineage, artifacts, execution, and scope support?
  - Escalate when path, binary identity, lineage, artifacts, execution, or scope show fake-tree UAC bypass; close only when all categories align with controlled lab testing and no contradictions remain; preserve artifacts and escalate when mixed or incomplete.
### False positive analysis
- This behavior is an operational anti-pattern outside explicit testing. Authorized compatibility or security research can trigger it only when a team deliberately constructs a trailing-space Windows tree in a controlled lab. Confirm exact `process.executable`, stable `process.hash.sha256`, Microsoft signer and original file name, `process.parent.executable`, `user.id`, `host.id`, and sidecar-DLL behavior against the same test. If test plans exist, require alignment; otherwise rely on prior alerts for the same path, hash, parent workflow, and lab cohort without unexpected elevated children.
- Do not treat a signed Microsoft binary or lab host as sufficient. Same-directory DLL load, elevated shell, suspicious parent, internet-provenance file event, or recurrence outside the expected cohort keeps the alert suspicious until the exact test scope explains it.
- Before an exception, validate recurrence of the minimum workflow pattern: exact `process.executable`, stable `process.hash.sha256`, `process.parent.executable`, expected sidecar-DLL behavior, and bounded `host.id` or `user.id` cohort. Avoid exceptions on "C:\\Windows " alone, binary name alone, or `host.id` alone.
### Response and remediation
- If confirmed benign, reverse temporary containment and record the exact fake-tree path, copied binary hash, parent workflow, user/host cohort, and sidecar-DLL behavior that proved the recognized workflow. Create an exception only after that same pattern recurs consistently for this rule.
- If suspicious but unconfirmed, preserve a case export for the alert process, parent chain, token context, fake-tree directory, copied binary, sidecar DLLs and hashes, and any elevated child details before containment. Apply reversible containment next, such as restricting execution from the fake tree or isolating the affected host if sidecar loading, elevated children, or broader post-exploitation evidence is active.
- If confirmed malicious, collect the copied auto-elevating binary and sidecar DLLs, preserve process, file, and library telemetry, then isolate the host after weighing business criticality. Scope other hosts for the same fake path, copied binary hash, and DLL pattern before killing processes, deleting the fake "system32" tree, and remediating the launcher or access path that staged it.
- Post-incident hardening: remove the fake trailing-space directory tree, restrict creation or execution of copied Windows binaries from user-writable or fake trusted paths, retain file/library/process telemetry for same-directory DLL hijacking, and record the recovered auto-elevating-binary and DLL pair for future triage.
"""
setup = """## Setup
This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
Setup instructions: https://ela.st/install-elastic-defend
### Additional data sources
This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""
[rule.investigation_fields]
field_names = [
"@timestamp",
"host.id",
"user.id",
"process.entity_id",
"process.executable",
"process.command_line",
"process.working_directory",
"process.pe.original_file_name",
"process.code_signature.subject_name",
"process.code_signature.trusted",
"process.hash.sha256",
"process.parent.executable",
"process.parent.command_line",
"process.Ext.token.elevation_level",
"process.Ext.token.integrity_level_name",
]
[transform]
[[transform.investigate]]
label = "Alerts associated with the same fake executable path"
description = ""
providers = [
[
{ excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
{ excluded = false, field = "process.executable", queryType = "phrase", value = "{{process.executable}}", valueType = "string" }
]
]
relativeFrom = "now-48h/h"
relativeTo = "now"
[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
[
{ excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
]
]
relativeFrom = "now-48h/h"
relativeTo = "now"
[[transform.investigate]]
label = "File events for the suspicious process"
description = ""
providers = [
[
{ excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
{ excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
]
]
relativeFrom = "now-1h"
relativeTo = "now"
[[transform.investigate]]
label = "Library events for the suspicious process"
description = ""
providers = [
[
{ excluded = false, field = "event.category", queryType = "phrase", value = "library", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
{ excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
]
]
relativeFrom = "now-1h"
relativeTo = "now"
[[transform.investigate]]
label = "Child processes launched by the copied binary"
description = ""
providers = [
[
{ excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
{ excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
]
]
relativeFrom = "now-1h"
relativeTo = "now"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"