feat(rules): Add UAC bypass via trusted Windows directory masquerading rule

Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Adversaries abuse UAC bypass to execute code with elevated privileges.

Author: rabbitstack

rules/privilege_escalation_uac_bypass_via_trusted_windows_directory_masquerading.yml

@@ -0,0 +1,37 @@
+name: UAC bypass via trusted Windows directory masquerading
+id: ae80219c-a083-41ed-97e0-c8e9e2428400
+version: 1.0.0
+description: |
+  Identifies an attempt to bypass User Account Control (UAC) by masquerading as a
+  Microsoft trusted Windows directory. Adversaries abuse UAC bypass to execute code
+  with elevated privileges.
+labels:
+  tactic.id: TA0004
+  tactic.name: Privilege Escalation
+  tactic.ref: https://attack.mitre.org/tactics/TA0004/
+  technique.id: T1548
+  technique.name: Abuse Elevation Control Mechanism
+  technique.ref: https://attack.mitre.org/techniques/T1548/
+  subtechnique.id: T1548.002
+  subtechnique.name: Bypass User Account Control
+  subtechnique.ref: https://attack.mitre.org/techniques/T1548/002/
+references:
+  - https://github.com/hfiref0x/UACME
+  - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
+
+condition: >
+  spawn_process and
+  ps.token.integrity_level = 'HIGH' and
+  ps.cmdline imatches
+            (
+              '*:\\Windows \\system32\\*.exe*',
+              '*:\\Windows \\SysWOW64\\*.exe*',
+              '*:\\ Windows*\\System32\\*.exe*',
+              '*:\\ Windows*\\SysWOW64\\*.exe*'
+            )
+action:
+  - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0