Detection rules › Splunk
Mock System Directory - Windows (Sysmon)
A Windows User Account Control Bypass technique is capable of achieving privilege escalation without displaying a UAC prompt. This method involves creating a mock directory with a trailing whitespace and the same name as a legitmate trusted location (e.g. "C:\Windows \System32") and copying required files to it. The mock directory can not be created via Windows Explorer, requiring the attacker to create it via scripting or command line. This use case detects process or parent process file paths (where available depending on log source) for trusted system directories (\Windows\system32 or Program Files) including a trailing space before .
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control |
| Stealth | T1036 Masquerading |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '33428.59204'
title: Mock System Directory - Windows
description: A Windows User Account Control Bypass technique is capable of achieving
privilege escalation without displaying a UAC prompt. This method involves creating
a mock directory with a trailing whitespace and the same name as a legitmate trusted
location (e.g. "C:\Windows \System32\") and copying required files to it. The mock
directory can not be created via Windows Explorer, requiring the attacker to create
it via scripting or command line. This use case detects process or parent process
file paths (where available depending on log source) for trusted system directories
(\Windows\system32 or Program Files) including a trailing space before \.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<")
"Windows " OR ("Program " "Files ") OR ("Program " "Files" "\(x86\) ") | where match(process_path,
"(?i)\s+\x5c") or match(parent_process_path, "(?i)\s+\x5c")| table _time, host,
user, process, process_*, parent_process, parent_process_* | bin span=1s | stats
values(*) as * by _time, host '
techniques:
- privilege-escalation:abuse elevation control mechanism:bypass user account control
- defense-evasion:abuse elevation control mechanism:bypass user account control
- defense-evasion:masquerading
technique_id:
- T1548.002
- T1036
data_category:
- Windows Sysmon
references:
- https://borncity.com/win/2023/03/11/windows-10-11-mock-folders-as-uac-bypass-security-disaster-leverage-applocker-and-srp/
- https://www.fortinet.com/blog/threat-research/fickle-stealer-distributed-via-multiple-attack-chain
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<") "Windows " OR ("Program " "Files ") OR ("Program " "Files" "\(x86\) ")
Stage 2: where
| where match(process_path, "(?i)\s+\x5c") or match(parent_process_path, "(?i)\s+\x5c")
Stage 3: table
| table _time, host, user, process, process_*, parent_process, parent_process_*
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
parent_process_path | match |
|
process_path | match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>1<" |
| 1 | "Windows " |
| 1 | "Program " |
| 1 | "Files " |
| 1 | "Program " |
| 1 | "Files" |
| 1 | "\(x86\) " |