← Back to Explore
sigmacriticalHunting
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
Detection Query
selection:
Image|contains:
- C:\Windows \System32\
- C:\Windows \SysWOW64\
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2021-08-27
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.defense-evasionattack.t1548.002
Raw Content
title: TrustedPath UAC Bypass Pattern
id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
related:
- id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
type: similar
status: test
description: Detects indicators of a UAC bypass method by mocking directories
references:
- https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
- https://github.com/netero1010/TrustedPath-UACBypass-BOF
- https://x.com/Wietze/status/1933495426952421843
author: Florian Roth (Nextron Systems)
date: 2021-08-27
modified: 2025-06-17
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- 'C:\Windows \System32\'
- 'C:\Windows \SysWOW64\'
condition: selection
falsepositives:
- Unknown
level: critical