From 57e9e743b9af2ef34a5a90d5a8b67d6dc8d5d440 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Fri, 20 Feb 2026 17:44:44 +0100
Subject: [PATCH] feat(rules): Add UAC bypass via trusted Windows directory masquerading rule

Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Adversaries abuse UAC bypass to execute code with elevated privileges.
---
 ...trusted_windows_directory_masquerading.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rules/privilege_escalation_uac_bypass_via_trusted_windows_directory_masquerading.yml

diff --git a/rules/privilege_escalation_uac_bypass_via_trusted_windows_directory_masquerading.yml b/rules/privilege_escalation_uac_bypass_via_trusted_windows_directory_masquerading.yml
new file mode 100644
index 000000000..3c51f4643
--- /dev/null
+++ b/rules/privilege_escalation_uac_bypass_via_trusted_windows_directory_masquerading.yml
@@ -0,0 +1,37 @@
+name: UAC bypass via trusted Windows directory masquerading
+id: ae80219c-a083-41ed-97e0-c8e9e2428400
+version: 1.0.0
+description: |
+ Identifies an attempt to bypass User Account Control (UAC) by masquerading as a
+ Microsoft trusted Windows directory. Adversaries abuse UAC bypass to execute code
+ with elevated privileges.
+labels:
+ tactic.id: TA0004
+ tactic.name: Privilege Escalation
+ tactic.ref: https://attack.mitre.org/tactics/TA0004/
+ technique.id: T1548
+ technique.name: Abuse Elevation Control Mechanism
+ technique.ref: https://attack.mitre.org/techniques/T1548/
+ subtechnique.id: T1548.002
+ subtechnique.name: Bypass User Account Control
+ subtechnique.ref: https://attack.mitre.org/techniques/T1548/002/
+references:
+ - https://github.com/hfiref0x/UACME
+ - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
+
+condition: >
+ spawn_process and
+ ps.token.integrity_level = 'HIGH' and
+ ps.exe imatches
+ (
+ '*:\\Windows \\system32\\*.exe',
+ '*:\\Windows \\SysWOW64\\*.exe',
+ '*:\\ Windows*\\System32\\*.exe',
+ '*:\\ Windows*\\SysWOW64\\*.exe'
+ )
+action:
+ - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0
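Review bot: The third and fourth `imatches` patterns (`'*:\\ Windows*\\System32\\*.exe'` and its SysWOW64 twin) match a directory whose name begins with a space rather than ends with one, and the rule does not say why that variant is included: the referenced Tenable technique relies on Win32 path normalization stripping the trailing space from `C:\Windows \`, and to my knowledge a leading space is not stripped, so ` Windows` would not be treated as the trusted `\Windows` directory by the appinfo service. If the leading-space form is a deliberate catch-all, the description should say so; if the intent was to cover more than one trailing space, `'*:\\Windows *\\System32\\*.exe'` does that but also matches any `Windows <suffix>` folder, so it should be checked against benign paths on the fleet before being adopted. Separately, the description should state that the rule fires on the auto-elevated process itself — the `ps.exe` check only sees a binary already running at `HIGH` integrity from the mocked directory — so `kill` is containment rather than prevention, and an auto-elevating host that sideloads a DLL and then spawns a child from a normal path is only caught at the parent. Consider adding to the description: `Detection keys on the image path of the elevated process; the mocked directory (e.g. 'C:\Windows \System32') has to exist before this fires, so pair it with file/directory-creation telemetry for earlier coverage.`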