Mock System Directory - Windows

Anvilogic Forge

Summary
This detection rule targets a specific privilege escalation technique on Windows systems, known as a User Account Control (UAC) bypass. Attackers can exploit this vulnerability by creating a mock system directory that mimics a legitimate trusted location—such as 'C:\Windows\System32\'—but includes a trailing whitespace. This mock directory allows attackers to execute malicious files without triggering the UAC prompt, which is typically presented to users during elevation requests. The rule analyzes logged processes and their file paths over a specified time frame, looking particularly for paths pertaining to trusted directories that also contain a trailing space. By detecting such patterns, the rule can identify potential malicious activity attempting to exploit this bypass method.
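As an added example (not Anvilogic's own rule logic), the following Python flags process-creation events whose image path resolves to a trusted directory once trailing whitespace is stripped from each path component, but where at least one component actually carries such whitespace. The trusted-prefix list and the sample events are assumptions constructed for the example.

```python
# Trusted directory prefixes the check cares about (assumption: the real rule
# may use a different list). Matching is case-insensitive.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4188, "image": r"C:\Windows \System32\computerdefaults.exe"},
    {"pid": 4210, "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"pid": 4233, "image": r"C:\Windows\System32 \svchost.exe"},
]


def normalize(path):
    """Lower-case the path and strip trailing whitespace from every component,
    so a mock directory collapses onto the trusted path it imitates."""
    return "\\".join(part.rstrip().lower() for part in path.split("\\"))


def mock_directory_components(path):
    """Return the directory components (file name excluded) that end in
    whitespace; an empty list means the path has no mock component."""
    directories = path.split("\\")[:-1]
    return [d for d in directories if d != d.rstrip()]


def is_mock_trusted_dir(path):
    """True when the path imitates a trusted location (after normalisation)
    and at least one directory component carries trailing whitespace."""
    if not mock_directory_components(path):
        return False
    return normalize(path).startswith(TRUSTED_PREFIXES)


def detect(events):
    """Filter process events down to those executing from a mock trusted
    directory; returns the matching event dictionaries."""
    return [event for event in events if is_mock_trusted_dir(event["image"])]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["pid"], repr(hit["image"]), mock_directory_components(hit["image"]))
```

Only the two events whose paths contain a space-suffixed component under a trusted prefix are reported; a trailing space elsewhere (for example in a user profile path) is not flagged.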
Categories
  • Windows
  • Endpoint
  • Application
  • Network
Data Sources
  • User Account
  • Process
  • File
ATT&CK Techniques
  • T1548.002
  • T1036
Created: 2024-02-09