Today we want to pay attention to the community IOC Sigma rule submitted by Ariel Millahuel to detect the creation of mock directories that can be used to bypass User Account Control (UAC):

A mock folder is a specific imitation of a Windows folder with a trailing space in its name, and the security researcher described the way to misuse such directories. He used Powershell to create mock directories that come with one restriction: a mock directory must include a subdirectory or they cannot be created. Mock directories are also cannot be created via Windows Explorer by simply creating a new folder. There are multiple ways to create such folders in Windows 10 but CMD and Powershell are most easy to use in this case. 

For DLL hijacking and bypassing UAC, attackers can create mock folder “C:\Windows \System32”, copy original windows executable from “C:\Windows\System32” to the crafty directory along with the malicious DLL file and then run executable from that directory. In the same way, attackers can bypass Software Restriction Policies.


The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Execution

Techniques: Command-Line Interface (T1059)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts

Blog, Latest Threats — 6 min read
Execution Tactic | TA0002
Daryna Olyniychuk
Blog, Latest Threats — 2 min read
PyVil RAT by Evilnum Group
Eugene Tkachenko
Blog, Latest Threats — 2 min read
Eugene Tkachenko