From dcd285011a23527eb3fadf771b0476c71326a3ff Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 16 Feb 2026 19:41:56 +0100
Subject: [PATCH] feat(rules): Add UAC bypass via NTFS junction DLL hijacking rule

Detects potential User Account Control (UAC) bypass activity leveraging NTFS junctions in combination with DLL hijacking to achieve elevated code execution. Attackers can manipulate filesystem redirection features to coerce trusted Windows components into loading malicious libraries.
---
 ...bypass_via_ntfs_junction_dll_hijacking.yml | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 rules/privilege_escalation_uac_bypass_via_ntfs_junction_dll_hijacking.yml

diff --git a/rules/privilege_escalation_uac_bypass_via_ntfs_junction_dll_hijacking.yml b/rules/privilege_escalation_uac_bypass_via_ntfs_junction_dll_hijacking.yml
new file mode 100644
index 000000000..cf521d983
--- /dev/null
+++ b/rules/privilege_escalation_uac_bypass_via_ntfs_junction_dll_hijacking.yml
@@ -0,0 +1,51 @@
+name: UAC bypass via NTFS junction DLL hijacking
+id: 9cdfa658-e8d5-4391-a4d8-0b53f8158782
+version: 1.0.0
+description: |
+ Detects potential User Account Control (UAC) bypass activity leveraging
+ NTFS junctions in combination with DLL hijacking to achieve elevated code
+ execution. Attackers can manipulate filesystem redirection features to
+ coerce trusted Windows components into loading malicious libraries.
+labels:
+ tactic.id: TA0004
+ tactic.name: Privilege Escalation
+ tactic.ref: https://attack.mitre.org/tactics/TA0004/
+ technique.id: T1548
+ technique.name: Abuse Elevation Control Mechanism
+ technique.ref: https://attack.mitre.org/techniques/T1548/
+ subtechnique.id: T1548.002
+ subtechnique.name: Bypass User Account Control
+ subtechnique.ref: https://attack.mitre.org/techniques/T1548/002/
+references:
+ - https://github.com/hfiref0x/UACME
+
+condition: >
+ sequence
+ maxspan 2m
+ |((create_file) or (create_file_supersede)) and
+ ps.name iin ('wusa.exe', 'dllhost.exe') and
+ thread.callstack.symbols imatches ('cabinet.dll!FDICopy') and
+ file.path imatches
+ (
+ '?:\\Windows\\System32\\*.dll',
+ '?:\\Windows\\SysWoW64\\*.dll',
+ '?:\\Windows\\System32\\*.exe.local\\*.dll',
+ '?:\\Windows\\SysWoW64\\*.exe.local\\*.dll'
+ )
+ |
+ |spawn_process and
+ ps.token.integrity_level = 'HIGH' and
+ ps.exe not imatches
+ (
+ '?:\\Windows\\System32\\WerFault.exe',
+ '?:\\Windows\\SysWOW64\\WerFault.exe',
+ '?:\\Windows\\System32\\wermgr.exe',
+ '?:\\Windows\\SysWOW64\\wermgr.exe',
+ '?:\\Windows\\System32\\conhost.exe',
+ '?:\\Windows\\SysWOW64\\conhost.exe'
+ )
+ |
+
+severity: high
+
+min-engine-version: 3.0.0
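Review bot: The two stages of the `sequence` share no join key, so any high-integrity process start anywhere on the host within two minutes of a wusa.exe/dllhost.exe DLL write under System32 completes the sequence, regardless of which user or process lineage is involved; on a workstation where an administrator is active the second stage alone matches almost continuously, and the `maxspan 2m` window alone will not contain that. Unless the engine implies a default join, add one at the sequence level, e.g. `maxspan 2m by ps.sid` to at least require the same logon, or, if the engine supports referencing first-stage fields from the second stage, tie the spawned image to the directory the DLL was written into. The description repeats the commit message but never explains why `cabinet.dll!FDICopy` on the call stack is the pivot (a DLL landing in a protected directory through CAB extraction rather than a normal installer write), nor why WerFault/wermgr/conhost are carved out of the second stage; a short comment above `condition:` such as `# FDICopy on the writer's stack = DLL materialised by CAB extraction, the primitive a junction redirects into System32; WerFault/wermgr/conhost excluded as routine high-integrity children` would save the next tuner a trip to the UACME reference. Minor style point: the first stage spells the directory `SysWoW64` while the second uses `SysWOW64`; `imatches` makes this harmless, but one spelling keeps the rule greppable.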