IOC Sigma: Mock Folders Creation

Today we want to pay attention to the community IOC Sigma rule submitted by Ariel Millahuel to detect the creation of mock directories that can be used to bypass User Account Control (UAC): https://tdm.socprime.com/tdm/info/KB1bISN0mbzm/Hua9s3MBSh4W_EKGTlO2/?p=1

A mock folder is a specific imitation of a Windows folder with a trailing space in its name, and the security researcher described the way to misuse such directories. He used Powershell to create mock directories that come with one restriction: a mock directory must include a subdirectory or they cannot be created. Mock directories are also cannot be created via Windows Explorer by simply creating a new folder. There are multiple ways to create such folders in Windows 10 but CMD and Powershell are most easy to use in this case. 

For DLL hijacking and bypassing UAC, attackers can create mock folder “C:\Windows \System32”, copy original windows executable from “C:\Windows\System32” to the crafty directory along with the malicious DLL file and then run executable from that directory. In the same way, attackers can bypass Software Restriction Policies.

The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Execution

Techniques: Command-Line Interface (T1059)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.