UAC Bypass Attempt via Windows Directory Masquerading

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

UAC Bypass Attempt via Windows Directory Masquerading

Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.

Rule type: eql

Rule indices:

endgame-*
logs-crowdstrike.fdr*
logs-endpoint.events.process-*
logs-m365_defender.event-*
logs-sentinel_one_cloud_funnel.*
logs-system.security*
logs-windows.forwarded*
logs-windows.sysmon_operational-*
winlogbeat-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Windows Security Event Logs
Data Source: Microsoft Defender XDR
Data Source: Sysmon
Data Source: SentinelOne
Data Source: Crowdstrike

Version: 323

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating UAC Bypass Attempt via Windows Directory Masquerading

Possible investigation steps

Does the alert-local path prove execution from a mock trusted Windows directory?
Why: This technique abuses a trailing-space "C:\Windows " tree that AppInfo checks can normalize while the fake path still executes.
Focus: process.executable and process.command_line, especially "C:\Windows \System32\" or "C:\Windows \SysWOW64\" instead of the canonical Windows path.
Implication: escalate when executable or argument paths contain the trailing-space trusted-directory clone; lower suspicion only when process.executable and process.command_line resolve to the canonical Windows path and later evidence does not contradict that.
Is the binary a copied auto-elevating Windows executable?
Focus: process.name, process.pe.original_file_name, process.code_signature.subject_name, process.code_signature.trusted, and process.hash.sha256.
Implication: escalate when a signed Microsoft auto-elevating binary runs from the fake tree, name or PE metadata imitates one, or the hash is unfamiliar; if not auto-elevating, keep suspicious as path masquerading or staging until lineage and artifacts explain it.
Do the parent, user, and token context fit a UAC-bypass transition?
Focus: process.parent.executable, process.parent.command_line, user.id, process.Ext.token.integrity_level_name, and process.Ext.token.elevation_level.
Implication: escalate when a browser, document process, script host, installer, or remote-admin parent launches the copied binary with high or full integrity; lower suspicion when parent, user, token state, and host cohort align with confirmed compatibility or security testing.
Did file events show the fake tree being staged before or by the alerting process?
Focus: same-host.id file events where file.path is under "C:\Windows \", plus alert-process file events scoped by process.entity_id when present. !{investigate{"description":"","label":"File events for the suspicious process","providers":[[{"excluded":false,"field":"event.category","queryType":"phrase","value":"file","valueType":"string"},{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
Hint: File telemetry is conditional; missing file events leave staging unresolved, not benign. Use file.Ext.original.path, file.origin_url, and file.Ext.windows.zone_identifier only when the fake-tree writer is unclear.
Implication: escalate when any process creates "C:\Windows \", copies the auto-elevating executable, or drops a same-directory DLL; lower suspicion only when fake-tree artifacts are bounded to controlled lab testing with no contradictory DLL or child-process evidence.
Did the copied binary load a sidecar DLL from the fake tree?
Focus: library events scoped by host.id plus process.entity_id when present; review dll.path, dll.hash.sha256, and dll.code_signature.subject_name. !{investigate{"description":"","label":"Library events for the suspicious process","providers":[[{"excluded":false,"field":"event.category","queryType":"phrase","value":"library","valueType":"string"},{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
Hint: Library telemetry is conditional; missing library events leave DLL payload execution unresolved, not benign.
Implication: escalate when the copied binary loads a same-directory DLL from the fake tree, especially unsigned, unfamiliar, or mismatched; if no DLL evidence appears, continue to child-process review before treating execution as unresolved.
Did the copied binary spawn elevated follow-on code?
Focus: same-host.id child processes where process.parent.entity_id matches process.entity_id; review child process.command_line and process.Ext.token.integrity_level_name. !{investigate{"description":"","label":"Child processes launched by the copied binary","providers":[[{"excluded":false,"field":"event.category","queryType":"phrase","value":"process","valueType":"string"},{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.parent.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
Implication: escalate when the copied binary spawns high-integrity shells, scripts, payloads, or unexpected admin tools; if no child appears, treat execution as unresolved unless path, binary, parent, file, and DLL evidence all support controlled lab testing.
If local evidence is suspicious or incomplete, is the same fake path or host showing related activity?
Focus: related alerts for the same process.executable fake path, especially UAC-bypass, masquerading, or payload-staging detections; check same-host alert history for privilege-escalation, defense-evasion, or suspicious file-staging context.
!{investigate{"description":"","label":"Alerts associated with the same fake executable path","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"process.executable","queryType":"phrase","value":"{{process.executable}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
!{investigate{"description":"","label":"Alerts associated with the host","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
Implication: escalate scope when the same fake path appears across hosts or the same host has surrounding staging, privilege-escalation, or defense-evasion alerts; keep scope local only when local evidence also supports controlled lab testing.
What disposition do the fake path, binary identity, lineage, artifacts, execution, and scope support?
Escalate when path, binary identity, lineage, artifacts, execution, or scope show fake-tree UAC bypass; close only when all categories align with controlled lab testing and no contradictions remain; preserve artifacts and escalate when mixed or incomplete.

False positive analysis

This behavior is an operational anti-pattern outside explicit testing. Authorized compatibility or security research can trigger it only when a team deliberately constructs a trailing-space Windows tree in a controlled lab. Confirm exact process.executable, stable process.hash.sha256, Microsoft signer and original file name, process.parent.executable, user.id, host.id, and sidecar-DLL behavior against the same test. If test plans exist, require alignment; otherwise rely on prior alerts for the same path, hash, parent workflow, and lab cohort without unexpected elevated children.
Do not treat a signed Microsoft binary or lab host as sufficient. Same-directory DLL load, elevated shell, suspicious parent, internet-provenance file event, or recurrence outside the expected cohort keeps the alert suspicious until the exact test scope explains it.
Before an exception, validate recurrence of the minimum workflow pattern: exact process.executable, stable process.hash.sha256, process.parent.executable, expected sidecar-DLL behavior, and bounded host.id or user.id cohort. Avoid exceptions on "C:\Windows " alone, binary name alone, or host.id alone.

Response and remediation

If confirmed benign, reverse temporary containment and record the exact fake-tree path, copied binary hash, parent workflow, user/host cohort, and sidecar-DLL behavior that proved the recognized workflow. Create an exception only after that same pattern recurs consistently for this rule.
If suspicious but unconfirmed, preserve a case export for the alert process, parent chain, token context, fake-tree directory, copied binary, sidecar DLLs and hashes, and any elevated child details before containment. Apply reversible containment next, such as restricting execution from the fake tree or isolating the affected host if sidecar loading, elevated children, or broader post-exploitation evidence is active.
If confirmed malicious, collect the copied auto-elevating binary and sidecar DLLs, preserve process, file, and library telemetry, then isolate the host after weighing business criticality. Scope other hosts for the same fake path, copied binary hash, and DLL pattern before killing processes, deleting the fake "system32" tree, and remediating the launcher or access path that staged it.
Post-incident hardening: remove the fake trailing-space directory tree, restrict creation or execution of copied Windows binaries from user-writable or fake trusted paths, retain file/library/process telemetry for same-directory DLL hijacking, and record the recovered auto-elevating-binary and DLL pair for future triage.

Setup

edit

Setup

This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

Rule query

edit

process where host.os.type == "windows" and event.type == "start" and
  process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Abuse Elevation Control Mechanism
- ID: T1548
- Reference URL: https://attack.mitre.org/techniques/T1548/
Sub-technique:
- Name: Bypass User Account Control
- ID: T1548.002
- Reference URL: https://attack.mitre.org/techniques/T1548/002/
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Masquerading
- ID: T1036
- Reference URL: https://attack.mitre.org/techniques/T1036/
Sub-technique:
- Name: Match Legitimate Resource Name or Location
- ID: T1036.005
- Reference URL: https://attack.mitre.org/techniques/T1036/005/
Technique:
- Name: Abuse Elevation Control Mechanism
- ID: T1548
- Reference URL: https://attack.mitre.org/techniques/T1548/
Sub-technique:
- Name: Bypass User Account Control
- ID: T1548.002
- Reference URL: https://attack.mitre.org/techniques/T1548/002/

« Bypass UAC via Event Viewer Privileges Elevation via Parent Process PID Spoofing »